docs-mintlify/admin/deployment/dedicated/gcp/private-service-connect.mdx
This page covers backend connectivity — Cube reaching into your network to query data sources, auth providers, BI APIs targeted by Semantic Layer Sync, and other upstream services. See Backend and frontend connectivity for the full picture. For frontend connectivity (exposing Cube's APIs to your applications, browsers, BI tools, and embedded analytics clients), see Private API Connectivity on AWS; the equivalent pattern is available on GCP on request.
</Note>Private Service Connect (PSC) provides private connectivity between VPC networks in different projects or organizations, without VPC peering or exposing your traffic to the public internet. To set up a PSC connection between Cube's Dedicated Infrastructure and your own VPC, you'll need to publish a Service Attachment, share its details with the Cube team, and approve the incoming connection request.
There are two common scenarios for preparing the Service Attachment:
In the case of your own infrastructure, follow the official GCP documentation to publish a Service Attachment that points at an internal passthrough or proxy Network Load Balancer in front of your data source.
If your data source is hosted in a third-party infrastructure, follow the vendor's documentation for creating and managing a Service Attachment.
PSC service attachments can restrict which consumer projects are allowed to
create a PSC endpoint against them. Cube's PSC consumer project is
cube-cloud-dedicated.
In the GCP Console, go to Network services → Private Service Connect →
Published services → <your service> and add cube-cloud-dedicated to
Accepted projects. For faster connection establishment, you can also
add the same project to the auto-accept list so the connection is
approved automatically when Cube initiates it.
cube-cloud-dedicated is the GCP project Cube uses to host Dedicated
Infrastructure PSC endpoints. Adding it to your accepted-projects list
authorizes Cube to create a private endpoint against your Service
Attachment; nothing else in Cube's GCP estate gains access to your network.
To request establishing a PSC connection, please share the following information with the Cube team:
projects/<your-project>/regions/<region>/serviceAttachments/<name>)How your data source is addressed inside Cube depends on whether it speaks TLS:
sslmode=require, etc.), share
the DNS name(s) the certificate is issued for — typically the same
hostname your in-network clients already use to reach it. Cube creates
internal DNS overrides inside the Dedicated Infrastructure so that the
same hostname resolves to the PSC endpoint. Keeping the original hostname
is what preserves TLS validity: the certificate's CN/SAN keeps matching
what Cube dials.The approval flow depends on how your Service Attachment is configured:
cube-cloud-dedicated to the auto-accept
list, the connection is approved automatically upon creation and no
further action is required.Once the connection is established, you can access your data source by addressing it via the DNS name(s) you supplied (TLS case) or the internal endpoint hostname returned to you by the Cube team (non-TLS case).
Private Service Connect is available in all GCP commercial regions where Dedicated Infrastructure can be provisioned. GCP regions in mainland China (serviced by partner providers) are not supported.