VPC peering and private link
Crunchy Bridge instances run in an isolated network or VPC (a logically isolated
Virtual Private Cloud). Your network is fully isolated from other customers and
from other teams within your account. By default your VPC is configured to be
publicly available with a firewall rule of 0.0.0.0/0. For further security, it is
recommended that you set up firewall rules specific to your environment's access
only.
VPC peering
Crunchy Bridge supports VPC peering to enable your Crunchy Bridge cluster's VPC to communicate over a private network route with another VPC under your control.
Note that the firewall rules for a cluster apply to both public and private
(peered) traffic. If you enable VPC peering, and leave the firewall rules set to
the default of 0.0.0.0/0, your database cluster will be accessible via public
IPs as well as the private network of the VPC peer. To fully secure your cluster
in a VPC peering arrangement, be sure to update the firewall rules to match the
private network address space of the peered VPC.
Note that peering is done per team, per network.
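Because the firewall rules apply to both the public and the peered path, an audit that checks each rule against the peered VPC's address space is a useful pre-flight step. The following is an added example, not Crunchy Bridge tooling; the peer CIDR, the rule list and the hostname are constructed values, and the internal-name derivation assumes the "p." to "i." convention described below.

```python
# Added example (not Crunchy Bridge's own tooling): audit a cluster's firewall
# rules for a VPC-peering setup. All CIDRs and hostnames here are constructed.
import ipaddress

# Constructed sample: the peered VPC's private address space (assumption).
PEER_VPC_CIDR = "10.20.0.0/16"

# Constructed sample: rules on a cluster that was peered but still carries the
# default 0.0.0.0/0 rule plus an unrelated office address.
SAMPLE_RULES = ["0.0.0.0/0", "10.20.5.0/24", "203.0.113.7/32"]


def audit_firewall_rules(rules, peer_cidr):
    """Classify each firewall rule against the peered VPC's address space.

    Returns a dict with three lists:
      public  - rules that admit the whole internet (0.0.0.0/0 or ::/0)
      outside - rules not contained in the peered VPC CIDR; these are still
                reachable over the public IP, since rules apply to both paths
      ok      - rules fully inside the peered VPC CIDR
    """
    peer_net = ipaddress.ip_network(peer_cidr, strict=False)
    result = {"public": [], "outside": [], "ok": []}
    for rule in rules:
        net = ipaddress.ip_network(rule, strict=False)
        if net.prefixlen == 0:
            result["public"].append(rule)
        elif net.version == peer_net.version and net.subnet_of(peer_net):
            result["ok"].append(rule)
        else:
            result["outside"].append(rule)
    return result


def internal_hostname(public_host):
    """Derive the peered-network DNS name from the public one: the leading
    'p.' label becomes 'i.' (the convention this page describes)."""
    if not public_host.startswith("p."):
        raise ValueError("expected a public hostname starting with 'p.'")
    return "i." + public_host[2:]


if __name__ == "__main__":
    report = audit_firewall_rules(SAMPLE_RULES, PEER_VPC_CIDR)
    for kind, entries in report.items():
        print(f"{kind}: {entries}")
    # Constructed hostname, not a real cluster name.
    print(internal_hostname("p.example-cluster.db.example.com"))
```

Any rule listed under public or outside means the cluster is still reachable from the internet despite the peering; tighten the rules to the ok set before relying on the private route.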
AWS and GCP VPC peering
You can create network peering connections inside the Crunchy Bridge dashboard in Team Settings -- Networks.
AWS
Input the VPC-specific information that is set up in your AWS account:
- AWS Account ID
- VPC Region
- VPC ID
After creating the peering connection, it must be accepted by the corresponding peer, and a route created for the Crunchy Bridge CIDR to route through the peering connection.
GCP
Input the VPC-specific information for your GCP account:
- GCP Project ID
- GCP Network Name
After creating the peering connection in Crunchy Bridge, a corresponding peering connection must be created in the peered VPC, pointing at the Crunchy Bridge side:
- Project: crunchy-bridge
- VPC: n-<network_id>
Once the peering is set up, it should be possible to connect to the cluster via
its internal DNS entry. It is the same as the public cluster DNS entry, only
beginning with "i." instead of "p.".
Azure peering
In order to configure VPC / VNET peering, please open a support ticket.
Private link
It is also possible to connect your Crunchy Bridge cluster to your private network using private link to each of the cloud providers, including AWS PrivateLink, GCP Private Service Connect, and Azure Private Link.
The private link feature is enabled per individual cluster on the cluster networking tab.
Turning on the private link feature creates a unique identifier. You then enter that identifier on the resource in your own cloud account that you want to connect.
Note that firewall rules will remain in place for your cluster after a private link has been established. However, these do not affect the flow of traffic over the private link. You may safely delete these firewall rules entirely if you do not wish your cluster to be accessible outside of a private link connection.
If you create a fork or a replica of a cluster that is configured to use private link, it will not automatically be connected in the same way.