Connect out from SingleStore Helios Workspaces to Private Networks/Services via Google Private Service Connect

For outbound connections, you'll send the service attachment to SingleStore. You'll also receive a project name from SingleStore so that you can whitelist the project while creating the service.

To create outbound connections from SingleStore Helios to private networks/services (those not accessible from the Internet, such as Kafka) for tasks like ingesting data via pipelines, perform the following tasks:

  1. Obtain a project name from SingleStore.

  2. Create a Network Load Balancer (NLB).

  3. Publish the Service.

  4. Send the Service Attachment to SingleStore.

Obtain a Project Name from SingleStore

Contact SingleStore Customer Support (see Support FAQ) and obtain a project name for the service you are going to create. Provide the following information in the support ticket:

  • Workspace ID. SingleStore can only process the connection request when your workspace is in the Active state.

  • Region details

  • Request a project name from SingleStore

  • In the support ticket, specify that the request is for outbound connection

You'll need to whitelist this project name while creating the service later.

Create a Network Load Balancer

  1. In the GCP console, select Networking > Networking Services > Load Balancing > Create load balancer.

  2. Under TCP Load Balancing, select Start configuration.

  3. Under Internet facing or internal only, select Only between my VMs and Single region only.

  4. Under Backend type, select Backend Service. Select Continue.

  5. On the New TCP load balancer screen, enter a Name for the Network Load Balancer.

  6. Select Backend configuration, enter the Region and Network information, and then add your service's Instance group.

    Note

    If you do not have an Instance group yet, but you do have a running service, select GCP Console > Compute Engine > Instance groups > Create Instance Groups to create an instance group. If you already have an instance, but do not have a group, you may want to create an unmanaged group to which you can add existing instances. See Creating groups to create an unmanaged instance group.

  7. Fill out the Backend and Frontend configurations and then click Create.

For more NLB configuration related information, see Configuring Load Balancer.

Once you have an NLB, you can test it. An easy test is to use curl with the Network Load Balancer's IP address and port from within the VPC to verify that the connection is established.

$ curl <ADDRESS_OF_THE_NLB>:<port>

Publish the Service

When you publish a service, you create a service attachment. Send the Service attachment information to SingleStore. You will also need to whitelist the project that SingleStore sent you earlier.

  1. In the GCP Console, select Networking > Network Services > Private Service Connect > Published Services > Publish Service.

  2. Under Load balancer type, select Internal TCP/UDP Load Balancer.

  3. Add the project name you received from SingleStore to the whitelist for your Service.

  4. Enter the necessary details and create a subnet if needed. See Publish a Service for more information. Do NOT enable Use Proxy Protocol.

  5. Select Add service.

For more information, see Publish Services using Private Service Connect.

Send the Service Attachment to SingleStore

Contact SingleStore Support and provide the Service Attachment. Follow these steps:

  1. On the Google Cloud console, go to the Private Service Connect page.

  2. On the Published Service tab, select the service you just created. Open the Private Service Connect service details screen.

  3. Send the Service attachment information to SingleStore Support. Service attachment names usually have the following format: projects/<SERVICE_PROJECT>/regions/<REGION>/serviceAttachments/<SERVICE_NAME>.
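Before sending the attachment, you can check the published service against the settings this page calls for: only the SingleStore project on the accept list, and proxy protocol off. The following Python script is an added example, not SingleStore's own tooling; it audits the JSON printed by `gcloud compute service-attachments describe <SERVICE_NAME> --region=<REGION> --format=json`. The sample data and the project name `singlestore-example-project` are constructed placeholders.

```python
import json
import re

# Name format given on this page for service attachments.
ATTACHMENT_RE = re.compile(
    r"^projects/[^/]+/regions/[^/]+/serviceAttachments/[^/]+$")

def attachment_path(self_link):
    """Reduce a selfLink URL to projects/.../serviceAttachments/..., or None."""
    idx = self_link.find("projects/")
    path = self_link[idx:] if idx >= 0 else self_link
    return path if ATTACHMENT_RE.match(path) else None

def audit_attachment(desc, singlestore_project):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if attachment_path(desc.get("selfLink", "")) is None:
        findings.append("selfLink does not match the attachment name format")
    # The accept list only gates consumers when acceptance is manual;
    # ACCEPT_AUTOMATIC accepts connections from any project.
    if desc.get("connectionPreference") != "ACCEPT_MANUAL":
        findings.append("connectionPreference is not ACCEPT_MANUAL")
    accepted = {e.get("projectIdOrNum")
                for e in desc.get("consumerAcceptLists", [])} - {None}
    if singlestore_project not in accepted:
        findings.append("SingleStore project is missing from the accept list")
    extra = sorted(accepted - {singlestore_project})
    if extra:
        findings.append("unexpected projects accepted: " + ", ".join(extra))
    if desc.get("enableProxyProtocol"):
        findings.append("proxy protocol is enabled")
    return findings

# Constructed sample in the shape of the describe output (not real data).
GOOD = json.loads("""{
  "selfLink": "https://www.googleapis.com/compute/v1/projects/example-producer/regions/us-east4/serviceAttachments/kafka-psc",
  "connectionPreference": "ACCEPT_MANUAL",
  "consumerAcceptLists": [
    {"projectIdOrNum": "singlestore-example-project", "connectionLimit": 10}],
  "enableProxyProtocol": false
}""")
# Constructed misconfiguration: open acceptance, wrong project, proxy protocol.
WEAK = dict(GOOD, connectionPreference="ACCEPT_AUTOMATIC", enableProxyProtocol=True,
            consumerAcceptLists=[{"projectIdOrNum": "other-project",
                                  "connectionLimit": 5}])

if __name__ == "__main__":
    for label, desc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_attachment(desc, "singlestore-example-project"))
```

The value returned by `attachment_path` is the string to paste into the support ticket.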

Last modified: February 28, 2024
