To better protect your database connection, you can connect to a private endpoint using the Astra DB console.
For details about using API calls instead, see Connect to GCP Private Link with the DevOps API.
This information applies only to serverless databases.
Also, private endpoints are available only for intra-region use. The *region for your private endpoint in GCP and your Astra DB database must match*.
For pricing related to using private endpoints, see Pricing and billing.
The following roles can manage private endpoints:
- Organization Administrator
- Database Administrator
Alternatively, you can use a custom role with permissions to manage private endpoints.
For more, see GCP Private Service Connect.
- Access to your existing GCP project.
- Create your Astra DB database using the Astra DB console.
- Ensure you have permission to manage private endpoints.
- From the Google Cloud Console, get your Project ID.
- Create a Google Cloud Console network, subnetwork, and IP address for your private endpoint. For more, see Creating networks. The steps for private endpoints and sample values are listed below.
- Take note of which *region* your GCP project and GCP-based Astra DB use (the chosen region *must match*).
To increase your security, restrict public access to your database using the access list.
Setting up the connection between GCP and Astra DB private endpoints involves a few steps in both consoles.
Let’s start in Astra DB console
- On your organization's Astra DB dashboard, click the link for your active, GCP-based database.
- Navigate to your database's *Settings* tab, and notice the *Private Endpoints* section. At this point, no endpoints have been linked. Example:
- Click *Configure Region* and enter your GCP Project ID as listed in Google Cloud Console.
- After entering your GCP Project ID, click *Configure Region*.
- Astra DB console displays an updated Private Endpoints section, which includes a newly generated Service Name.
- Click *Add Endpoint*.
- On *Add Private Endpoint*, copy the generated *Service Name*. Example:
Switch over to Google Cloud Console
Ensure you're in the GCP project you identified above. Then:
- Navigate to Private Service Connect.
- So far in this example, no GCP endpoint has been created:
- Click **+ CONNECT ENDPOINT**.
- On the *Connect Endpoint* dialog, choose or enter:
- Click *ADD ENDPOINT*.
Once accepted, GCP displays data for the added endpoint. Example:
Click the linked name of your newly added Endpoint to display the details screen in Google Cloud Console, and *copy* the Private Service Connect (PSC) ID. Example:
You'll need to paste that *PSC ID* value into Astra DB console.
Return to Astra DB console
Back in Astra DB console, return to the *Add Private Endpoint* dialog that's available from your database's Settings.
- In the Endpoint ID field, paste in the copied *PSC ID* value. Also enter a brief description of your Astra DB / GCP endpoint.
- Click *Add Endpoint*.
Your private endpoint is defined. However, notice the warning message if you have not taken further action in your Astra DB Settings.
You’ve set up a private endpoint for this database, but access to your database is still open to the public. Learn how to Manage access lists for public access by using the *IP Access List options in Astra DB console Settings*. You can enable the Restrict public access toggle, and you can manage endpoints with one or more access lists.
You can alias your private endpoint with a DNS record to use as your hostname in the Astra DB secure connect bundle. Here are the steps:
- Download your secure connect bundle for the region of your choice. Get your latest secure connect bundle.
- Unzip the secure connect bundle.
- In config.json, copy the host key's value.
- In Google Cloud Console, create a private zone to route traffic to your endpoint IP. Update the domains to use REST and CQL. Examples:
Once those steps are completed, you can connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra DB.
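One way to confirm the DNS alias is in effect, as an added example that is not part of the Astra DB documentation: the Python script below reads the host value from config.json in the secure connect bundle and checks that it resolves only to private addresses. It assumes config.json sits at the root of the bundle zip; the function names and the sample host and address are constructed for illustration.

```python
import io
import ipaddress
import json
import socket
import zipfile


def bundle_host(bundle):
    """Return the host value from config.json inside a secure connect bundle.

    Assumption: config.json is at the root of the zip archive.
    """
    with zipfile.ZipFile(bundle) as zf:
        return json.loads(zf.read("config.json"))["host"]


def resolve(host):
    """Resolve host to the set of IP address strings the local resolver returns."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_private_routing(bundle, resolver=resolve):
    """Report whether every address the bundle host resolves to is private."""
    host = bundle_host(bundle)
    addrs = sorted(resolver(host))
    public = [a for a in addrs if not ipaddress.ip_address(a).is_private]
    # An empty answer is treated as a failure, not as "private only".
    return {"host": host, "addresses": addrs, "public": public,
            "private_only": bool(addrs) and not public}


def make_sample_bundle(host):
    """Constructed sample: an in-memory zip holding only config.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps({"host": host}))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed host name and address; no real DNS lookup is made here.
    sample = make_sample_bundle("db-id-region.example.internal")
    print(check_private_routing(sample, resolver=lambda h: {"10.128.0.5"}))
```

Run it from a VM inside the VPC network attached to the private zone, passing the path of your downloaded bundle to check_private_routing. A non-empty public list means the host still resolves to a public address from that network.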
In Google Cloud Console:
- Go to Private Service Connect.
- Choose the endpoint you want to remove.
- Choose Delete.
In Astra DB console:
- Go to the *Settings* tab for your database.
- Choose the endpoint you want to remove.
- Click *Delete*.
What’s next?
- Refer to related topics for other cloud providers that are linked from Connect via a private endpoint.
- Learn how to Manage access lists for public access.
- For more, see Private Service Connect and the DevOps API reference.