Network connectivity methods

To use Datastream to create a stream from the source database to the destination, you must establish connectivity to the source database. Use the information in the following table to help you decide which method works best for you for your specific workload.

Network connectivity method

Description

Things to consider

IP allowlist

Works by configuring the source database server to allow incoming connections from Datastream's external IP addresses. To find out the IP addresses for your regions, see IP allowlists and regions .

The source database is exposed to a public IP address.
The connection isn't encrypted by default. SSL must be enabled on the source database to encrypt the connection.
Configuring the firewall may require assistance from the IT department.

Forward SSH tunnel

Establish an encrypted connection over public networks between Datastream and the source, through a forward-SSH tunnel.

Limited bandwidth
You must set up and maintain the bastion host.

Private Service Connect interfaces

Works by creating a private connectivity configuration . Datastream uses this configuration to communicate with the data source over a private network. This communication happens through a network attachment set up in the customer VPC network.

Requires setting up a network attachment and adjusting firewall rules.
You can't migrate existing private connectivity configurations to Private Service Connect interfaces.
You can't change the network attachment after you create your Private Service Connect interface connection.
Allowlisting incoming connections from the Datastream IP addresses is available only on a project ID basis.

VPC peering

Requires a private network connection (VPN, Interconnect, etc.) between the database and Google Cloud.

What's next

Learn more about IP allowlists .
Learn more about Forward SSH tunnel .
Learn more about Private Service Connect interfaces .
Learn more about VPC peering .