clickhouse-docs
Update GCP/AWS/Azure docs for PSC and PL to clarify how to enable global access
Enabling global access works slightly differently for each CSP over private link or private services connect. The scenario is that customers want to access the ClickHouse Cloud service from one region from one or more other regions.
We currently mention this very briefly in our GCP PSC docs: https://clickhouse.com/docs/en/manage/security/gcp-private-service-connect
> Cross-region connectivity is not supported. Producer and consumer regions should be the same. You will be able to connect from other regions within your VPC if you enable Global access on the PSC level (see below).
We should reword this to state:
- Cross-region connectivity is not supported by default. Producer and consumer regions should be the same.
- To connect from other regions you will need to do the following:
  - All regions where you want to connect from will need to be part of the same VPC
  - You will need to enable Global Access at the PSC level (see screenshot below)
  - Ensure that there are no other restrictions on your side (firewalls etc.) so traffic can flow between the 2 regions
- You might also incur GCP inter-region data transfer charges
Similar to GCP, we need to update docs for Azure: https://clickhouse.com/docs/en/cloud/security/azure-privatelink
- Azure allows cross-region connectivity by allowing multiple PL connections to the same service.
And for AWS: https://clickhouse.com/docs/en/manage/security/aws-privatelink
- AWS requires VPC peering for this to work, but the steps are essentially the same.
@tsolodov - submitting issue to update docs as discussed earlier today. Can you please review / update as needed?
Let's work with @justindeguzman to update all 3 pages.
Sure, will do! Thank you!
AWS does support multi-regional access, but it's very limited: https://github.com/ClickHouse/data-plane-application/issues/15743. I would wait till they lift limits.
> Similar to GCP, we need to update docs for Azure: https://clickhouse.com/docs/en/cloud/security/azure-privatelink
We do mention it supports cross-region connection. I think this should be enough:
> Unlike AWS and GCP, Azure supports cross-region connectivity via Private Link. This enables you to establish connections between VNETs located in different regions where you have ClickHouse services deployed.
> AWS requires VPC peering for this to work, but the steps are essentially the same.
Yes, it can be done, but based on previous experience we should not provide detailed guidance; we should only mention it can be done using VPC peering and redirect customers to AWS docs.
https://github.com/ClickHouse/clickhouse-docs/pull/2898 to update AWS/GCP docs