PlanetScale Managed can connect you to your databases via GCP Private Service Connect. The following guide describes how PlanetScale Managed with GCP Private Service Connect works and how to set it up.
Private Service Connect (PSC) lets a service producer offer services to a service consumer without the consumer being a member of the service producer's organization.
The service producer is the Google Cloud project controlled by PlanetScale, and the service consumer is the project(s) where your applications operate. Your applications connect to a private IP you allocate in your project, which is routed to your PlanetScale databases in the project that PlanetScale controls.
GCP PSC requires multiple components:
- A Private Service Connect Service Attachment deployed in the project that PlanetScale controls.
- A Private Service Connect Endpoint deployed in the project(s) that your applications operate in.
Once all components are operating correctly, the applications in the project with the endpoint configured will connect to the service attachment using private IP addresses instead of the publicly accessible endpoint.
Cross-region connectivity is not supported by Google Cloud for Private Service Connect. For example, if your PlanetScale databases are located in us-central1 and your applications are located in us-east4, then you cannot connect to them using Private Service Connect.
If you would like to initiate the process, please contact your Solutions Engineer and let them know the Google Cloud project ID(s) in which you intend to create Private Service Connect endpoints. If you need to add additional projects to the allowlist, please get in touch with your Solutions Engineer.
Google Cloud project IDs cannot be changed after initial setup. Please be sure to choose an ID that you will continue to use.
Once they receive your project IDs and forward them to the team responsible for provisioning your deployment, the team will provide them (and ultimately you) with the Private Service Connect Service Attachment URI, which will be in the form
If you use VPC Service Controls in your VPC, you must ensure that the policy allows access to the PlanetScale-controlled project.
Your Solutions Engineer will provide you the following information when the setup is complete:
Only proceed to the next steps once a PlanetScale Solutions Engineer has provided the
Refer to Google Cloud's Access managed services using Private Service Connect for more information on consuming services via Private Service Connect. This document covers additional details not covered here, including the IAM roles required to perform the configuration process.
The following steps are an example of establishing a Private Service Connect endpoint in the GCP Console.
Obtain the Private Service Connect Attachment URI from your Solutions Engineer. It will be in the format:
Create a Private Service Connect Endpoint using the Attachment URI. In the GCP console, go to the "Private Service Connect" page, select the "Connected endpoints" tab, and select the "Connect endpoint" button.
Add a Private Service Connect Endpoint with the following details:
- Target: Published Service. This is the PSC_Link_URI provided by your Solutions Engineer.
- Target Service: Paste the Private Service Connect Attachment URI from step 1.
- Name: Enter a name for this endpoint. Use the PS_Region value provided by your Solutions Engineer.
- Network and subnet: Select the network to create the endpoint in.
- Create an IP Address: Create a reserved IP address. This is the address your applications will connect to in order to access your PlanetScale databases. PlanetScale recommends using the PS_Region name for the name of the reserved IP address.
Then, add the endpoint.
You must provide the list of projects to your Solutions Engineer. Your endpoint will only function once PlanetScale has added those projects to the allowlist.
- The endpoint creation process will take a minute or two. When finished, select the endpoint and verify the status is Accepted.
Repeat steps 2-4 for each project you wish to connect to the Private Service Connect Attachment.
Next, you will set up a private Cloud DNS zone. This step may be optional. This step aims to make it possible to use the same PlanetScale connection strings and host names inside and outside of the project. When these host names are resolved inside the project, they will resolve to the IP address of the Private Service Connect Endpoint. When resolved anywhere else, they will resolve to the public IP address.
When connecting to the PlanetScale Private Service Connect Endpoint directly via IP address or an alternate host name, you may need to disable TLS verification due to host name mismatch.
- Create a private Cloud DNS zone. In the GCP console, go to the "Create a DNS zone" page.
- Zone type:
- Zone name:
- DNS Name:
- Network: Select all VPCs where this DNS zone should be available.
- Create DNS records. For each PlanetScale Private Service Connect endpoint, create a DNS record with the following details by opening the zone's details page in the GCP Console.
- DNS name: Use the PS_Region value provided by your Solutions Engineer.
- IP Address: The reserved IP address assigned to the Private Service Connect Endpoint created in the first section of this document. You can also find this on the Private Service Connect page in the GCP Console.
Repeat steps 1-2 for each project you wish to set up private Cloud DNS for.
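A check for the private Cloud DNS zone described above, added here as an example (it is not PlanetScale's code): run from a machine inside the VPC, it confirms that the database host name resolves only to the reserved endpoint IP, so clients reach the Private Service Connect endpoint by name and TLS host name verification can stay enabled. The host name `db.example.invalid` and the address `10.10.0.5` are constructed placeholders; substitute your own connection host name and reserved IP.

```python
import ipaddress
import socket

# RFC 1918 ranges; an endpoint IP reserved from a VPC subnet normally falls in one.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_a(hostname):
    """Return the IPv4 addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_split_horizon(hostname, endpoint_ip, resolver=resolve_a):
    """Classify how hostname resolves from this machine.

    Returns (status, detail) where status is one of:
      "private"  - every answer is the reserved PSC endpoint IP
      "public"   - at least one answer is outside RFC 1918 (zone not applied here)
      "mismatch" - private answers, but not the expected endpoint IP
      "error"    - resolution failed or returned nothing
    """
    expected = ipaddress.ip_address(endpoint_ip)
    try:
        answers = [ipaddress.ip_address(a) for a in resolver(hostname)]
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return "error", f"resolution failed: {exc}"
    if not answers:
        return "error", "no A records returned"

    stray = [a for a in answers if a != expected]
    if not stray:
        return "private", f"{hostname} -> {expected} (PSC endpoint only)"
    listed = ", ".join(str(a) for a in stray)
    if any(not any(a in net for net in RFC1918) for a in stray):
        # Traffic to these answers would leave the VPC instead of using PSC.
        return "public", f"{hostname} also resolves to {listed}"
    return "mismatch", f"{hostname} resolves to {listed}, expected {expected}"


if __name__ == "__main__":
    # Constructed placeholders, not values from the PlanetScale setup.
    status, detail = check_split_horizon("db.example.invalid", "10.10.0.5")
    print(status, detail)
```

A result of "public" or "mismatch" means the VPC the check ran from is not attached to the private zone, or the A record points at a different address than the reserved endpoint IP.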