Merge pull request #2898 from ClickHouse/gcp-psc

gingerwizard · web-flow · commit 79673a6a86b0 · 2024-12-12T17:27:54.000Z
[AWS PL/GCP PSC] cross-region notes
diff --git a/docs/en/cloud/security/aws-privatelink.md b/docs/en/cloud/security/aws-privatelink.md
@@ -8,6 +8,9 @@ slug: /en/manage/security/aws-privatelink
 
 You can use [AWS PrivateLink](https://aws.amazon.com/privatelink/) to provide connectivity between VPCs, AWS services, your on-premises systems, and ClickHouse Cloud without having your traffic go across the internet. This document describes how to connect to ClickHouse Cloud using AWS PrivateLink.  To disable access to your ClickHouse Cloud services from addresses other than AWS PrivateLink addresses use ClickHouse Cloud [IP Access Lists](https://clickhouse.com/docs/en/cloud/security/setting-ip-filters).
 
+:::note
+ClickHouse Cloud currently does not support [cross-region PrivateLink](https://aws.amazon.com/about-aws/whats-new/2024/11/aws-privatelink-across-region-connectivity/). However, you can [connect to PrivateLink using VPC peering](https://aws.amazon.com/about-aws/whats-new/2019/03/aws-privatelink-now-supports-access-over-vpc-peering/). For more information and configuration guidance, please refer to AWS documentation.
+
 :::note Only available in production environments
 AWS PrivateLink is only available in ClickHouse Cloud Production services. Development services are not supported.
 :::
diff --git a/docs/en/cloud/security/gcp-private-service-connect.md b/docs/en/cloud/security/gcp-private-service-connect.md
@@ -21,7 +21,14 @@ By default, a ClickHouse service is not available over a Private Service connect
 GCP Private Service Connect can be enabled only on ClickHouse Cloud Production services
 :::
 
-Cross-region connectivity is not supported. Producer and consumer regions should be the same. You will be able to connect from other regions within your VPC if you enable Global access on the PSC level (see below).
+Cross-region connectivity is not supported. The producer and consumer regions must be the same. However, you can connect from other regions within your VPC by enabling [Global Access](https://cloud.google.com/vpc/docs/about-accessing-vpc-hosted-services-endpoints#global-access) at the Private Service Connect (PSC) level.
+
+:::note
+Important considerations for using Private Service Connect Global Access:
+1. Regions utilizing Global Access must belong to the same VPC.
+2. Global Access must be explicitly enabled at the PSC level (refer to the screenshot below).
+3. Ensure that your firewall settings do not block access to PSC from other regions.
+4. Be aware that you may incur GCP inter-region data transfer charges.
 
 The process is split into four steps:
 
