Configure connections with network attachments

BigQuery supports federated queries that let you send a query statement to external databases and get the result back as a temporary table. Federated queries use the BigQuery Connection API to establish a connection. This document shows you how to increase the security of this connection.

Because the connection connects directly to your database, you must allow traffic from Google Cloud to your database engine. To increase security, you should only allow traffic that comes from your BigQuery queries. This traffic restriction can be accomplished in one of two ways: by allowing traffic only from a static IP address that you define, or by connecting over a VPN to your private network.

Both of these techniques are supported through the use of network attachments.

Before you begin

Grant Identity and Access Management (IAM) roles that give users the necessary permissions to perform each task in this document.

Required roles

To get the permissions that you need to configure a connection with network attachments, ask your administrator to grant you the Compute Admin (roles/compute.admin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to configure a connection with network attachments. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to configure a connection with network attachments:

You might also be able to get these permissions with custom roles or other predefined roles.

For more information about IAM roles and permissions in BigQuery, see BigQuery IAM roles and permissions.

Limitations

Connections with network attachments are subject to the following limitations:

Create a network attachment

When you create a connection for query federation, you can use the optional network attachment parameter, which points to a network attachment that provides connectivity to the network from which the connection to your database is established. You can create a network attachment by either defining a static IP address or creating a VPN. For either option, do the following:

  1. If you don't already have one, create a VPC network and subnet.
  2. If you want to create a network attachment by defining a static IP address, create a Cloud NAT gateway with a static IP address, using the network, region, and subnet that you created. If you want to create a network attachment by creating a VPN, create a VPN that is connected to your private network.
  3. Create a network attachment using the network, region, and subnet that you created.
  4. Optional: Depending on your organization's security policies, you might need to configure your Google Cloud firewall to allow egress by creating a firewall rule with the following settings:
    • Set Targets to All instances in the network.
    • Set Destination IPv4 ranges to the entire IP address range.
    • Set Specified protocols and ports to the port that is used by your database.
  5. Configure your internal firewall to allow ingress from the static IP address that you created. This process varies by data source.
  6. Create a connection, and include the name of the network attachment that you created.
  7. Run any federated query to synchronize your project with the network attachment.
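The following script is an added example, not code from this document or from Google Cloud. It walks through the static IP address variant of steps 1 through 5 with gcloud: it creates the VPC network and subnet, reserves a static address and attaches a Cloud NAT gateway to it, creates the network attachment on that subnet, adds an egress rule that is limited to the database port rather than all ports, and finally prints the static address that your database firewall needs to allowlist. All project, region and resource names are placeholders, the database port defaults to 5432, and the gcloud flags are taken from the published gcloud reference rather than from this page, so check them against `gcloud ... --help` for your SDK version. The VPN variant of step 2 and the connection creation in step 6, which depends on the data source, are not scripted. With DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not Google's own code): Google Cloud side of a network
# attachment for a BigQuery federated-query connection, static IP variant.
# Every name below is a placeholder; override through the environment.
set -eu

PROJECT="${PROJECT:-my-project}"            # placeholder project id
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-bq-fed-net}"
SUBNET="${SUBNET:-bq-fed-subnet}"
SUBNET_RANGE="${SUBNET_RANGE:-10.10.0.0/24}"  # constructed private range
NAT_IP_NAME="${NAT_IP_NAME:-bq-fed-nat-ip}"
ROUTER="${ROUTER:-bq-fed-router}"
NAT="${NAT:-bq-fed-nat}"
ATTACHMENT="${ATTACHMENT:-bq-fed-attachment}"
DB_PORT="${DB_PORT:-5432}"                  # port your database listens on
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands, do not run

# run: echo the exact command, then execute it unless DRY_RUN=1.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Step 1: VPC network in custom subnet mode plus one regional subnet.
create_network() {
  run gcloud compute networks create "$NETWORK" --project="$PROJECT" \
    --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" --project="$PROJECT" \
    --network="$NETWORK" --region="$REGION" --range="$SUBNET_RANGE"
}

# Step 2 (static IP option): reserve one regional static address and make it
# the only external address the Cloud NAT gateway uses, so all egress from
# the subnet leaves from a single known IP that the database can allowlist.
create_nat() {
  run gcloud compute addresses create "$NAT_IP_NAME" --project="$PROJECT" \
    --region="$REGION"
  run gcloud compute routers create "$ROUTER" --project="$PROJECT" \
    --network="$NETWORK" --region="$REGION"
  run gcloud compute routers nats create "$NAT" --project="$PROJECT" \
    --router="$ROUTER" --region="$REGION" \
    --nat-external-ip-pool="$NAT_IP_NAME" --nat-all-subnet-ip-ranges
}

# Step 3: network attachment that the BigQuery connection will reference.
create_attachment() {
  run gcloud compute network-attachments create "$ATTACHMENT" \
    --project="$PROJECT" --region="$REGION" \
    --subnets="$SUBNET" --connection-preference=ACCEPT_AUTOMATIC
}

# Step 4: egress rule for all instances in the network, to any IPv4
# destination, but restricted to the database port instead of every port.
create_egress_rule() {
  run gcloud compute firewall-rules create "${NETWORK}-allow-db-egress" \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=EGRESS --action=ALLOW \
    --destination-ranges=0.0.0.0/0 --rules="tcp:${DB_PORT}"
}

# Step 5 helper: the address to allow on the database side (prints it).
nat_static_ip() {
  run gcloud compute addresses describe "$NAT_IP_NAME" --project="$PROJECT" \
    --region="$REGION" --format='value(address)'
}

# Run all steps only when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  create_network
  create_nat
  create_attachment
  create_egress_rule
  nat_static_ip
fi
```

Run it once with `DRY_RUN=1 sh setup.sh apply` to review the exact commands before applying them; the network attachment name printed by `create_attachment` is the value you supply when creating the connection in step 6.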

Your connection is now configured with a network attachment, and you can run federated queries.

Pricing

What's next