When you purchase a Teradata VantageCloud Enterprise instance on the Google Cloud Platform (GCP) as a managed service (VaaS), Teradata provisions your instance in its own project within a Teradata account on GCP.
This post presents a cheat sheet summarising the key elements of the network setup that you must choose to connect your VaaS instance on GCP with your account and the Google Cloud services Teradata supports for the connections. Additionally, you can find below an explanation of all of them.
Cheat Sheet for the Network options for VaaS on GCP
You can download a high-resolution Network cheat sheet for VaaS on GCP in a repository in my GitHub account.
Network components in detail
Google connectivity Options Teradata supports for VaaS
On Prem-to-Cloud connection
Google Cloud Interconnect
Cloud Interconnect extends an on-premises network to Google’s network through a highly available, low-latency connection, and its performance is more predictable than a Virtual Private Network (VPN). For these reasons, it is Teradata’s recommended option.
There are two different flavours of Interconnect:
- Dedicated Interconnect provides direct physical connections between on-premises and Google’s networks.
- Partner Interconnect connects on-premises and Google’s networks through a supported service provider.
Note that you, not Teradata, must procure and own the Cloud Interconnect.
Furthermore, you must use the Interconnect with either VPC Network Peering or VPN for the Cloud-to-Cloud connection, as Google does not support cross-tenant Cloud Interconnect.
Note that Teradata supports a Direct Interconnect between your on-prem site and the VaaS account.
VPN
Cloud VPN securely connects an on-premises network to a Virtual Private Cloud (VPC) network through an IPsec (Internet Protocol Security) encrypted tunnel in a single region. A VPN Gateway encrypts the traffic between the two, and another VPN Gateway decrypts it. Thus, the VPN protects your data as it travels over the internet.
Actually, the VPN is the only connectivity method that is encrypted at the route level by default.
You can use a VPN for the On Prem-to-Cloud connection instead. However, remember that it has a lower bandwidth than an Interconnect, and its performance is less predictable.
A virtual private network (VPN) can connect on-premises networks to the cloud, but it can also connect different VPCs within the cloud, different cloud service providers, and two instances of Cloud VPN to each other.
You may also configure application-level encryption on top of the IPsec route-level encryption (e.g., TLS 1.2 encryption for TTU drivers).
On a separate note, a VPN allows bi-directional traffic, i.e., Teradata can initiate traffic over a Site-to-Site VPN into the customer network. You can secure your network by firewalling your site (on-prem data centre or GCP account).
Cloud-to-Cloud connection
The connection between the Teradata VaaS account and your GCP account is called the “handshake”, and it is your means to access your data, load more, and consume it. Thus, this connection must:
- Be secure,
- Be fast and handle large amounts of data, and
- Preserve the built-in parallelism in Vantage – your workload performs better when you let the database distribute it. That is, Teradata doesn’t support any connection option that funnels the data through a single Enterprise gateway: the database, an MPP (Massively Parallel Processing) system, must balance the workload among all nodes.
VPC Network Peering
A Virtual Private Cloud (VPC) network is a virtual version of a physical network implemented inside Google’s production network. To create a VPC, Google Cloud uses its proprietary platform network virtualisation stack called Andromeda.
Google Cloud VPC Network Peering connects two VPC networks so that resources in each network can communicate. One of the benefits of VPC peering is network security: services are never exposed to the public Internet, so they do not have to deal with its associated risks.
Teradata recommends VPC Network Peering as the best-performing and most secure option to connect your Google Cloud account with VaaS.
This option is the easiest to configure and support and works well with MPP databases.
Cloud VPN
Otherwise, you can also use a VPN for the handshake, even though, again, it has lower bandwidth and less predictable performance than VPC Network Peering.
See the VPN for the On prem-to-Cloud connection above for more details.
NOS Reads
You can read (and write) with VaaS from Google Cloud Storage through a Teradata feature called NOS (Native Object Storage) Reads (and Writes).
To access Cloud Storage, you have to use its APIs. By default, the Cloud Storage API calls run through the public internet, protected by HTTPS.
To secure Cloud Storage connections, Teradata uses Private Google Access. Teradata configures the database’s virtual machines with internal IP addresses only (they don’t have public IPs) and enables Private Google Access on their subnets.
Private Google Access means that when you call the Cloud Storage API from VaaS, the connection reaches the Cloud Storage API endpoint over Google’s private network backbone. Thus, data never transfers through the public internet when you use NOS Reads and Writes from Teradata VantageCloud Enterprise. Note that Private Google Access protects the Cloud Storage API calls whether you access a Cloud Storage bucket in the same region as Enterprise or in a different one. However, if you access a bucket in another region, you will incur egress costs, and you will also likely see higher latency than when you access a bucket in the same region.
For your information, Google offers multiple options to route Cloud Storage traffic through its backbone instead of through the public Internet, including the one Teradata uses with VantageCloud — specifically, Private Google Access.
Incidentally, when you copy DSA Backups or Snapshots between a bucket within the Vantage account and another bucket, you also use Cloud Storage APIs. Therefore, the discussion in this section about where the traffic goes when you read from buckets also applies to this scenario, for example, when you use Cross-Site and Cross-Region Restores.
Main security elements in VantageCloud architecture
In terms of security, there are five key aspects of VantageCloud architecture:
- Teradata configures the Compute Engine virtual machines that run the VantageCloud database with internal IP addresses only, i.e., they don’t have public IPs.
- These virtual machines’ subnets have Private Google Access enabled.
- NOS traffic initiated from these virtual machines goes to a Google Cloud API endpoint.
- With Private Google Access enabled, the Google Cloud API endpoint IP will resolve to an internal address.
- Since the source and target have private IPs, the data never traverses the internet gateway and remains within Google’s network.
- Teradata configures VantageCloud Enterprise to use HTTPS calls by default.
If you want to read and write data in NOS storage, you have all the details in the NOS Orange Book.
CIDR Ranges
CIDR (Classless Inter-Domain Routing) is a method for allocating IP addresses. For example, 10.0.0.0/31 represents an IP range where:
- 31 is the prefix length, i.e., the number of leading bits that identify the network. The remaining 32 - 31 = 1 bit is available for addresses, so the block holds 2 consecutive IPs.
- Range calculation: the IPs are 10.0.0.0 and 10.0.0.1.
You must negotiate a CIDR range with Teradata to connect Vantage with your network. You can either provide an RFC 1918 CIDR range or ask Teradata to provide it (Teradata owns a large CIDR space which is not public). Before allocating a CIDR range, Teradata must confirm the size required for the specific environment.
Consider that if you ask Teradata to provide the IPs, the Teradata CIDR Range could be publicly routable, even though it is privately routed over a VPC network peering connection or a VPN tunnel.
In any case, ensure that the IP addresses will never conflict with any other of your addresses.
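As an added example (not from the original post), the following Python check does the /31 arithmetic from above and vets a proposed range against your existing address plan: it reports whether the range is RFC 1918 and whether it overlaps any range you already use. The sample ranges in the block are constructed for illustration.

```python
import ipaddress

# RFC 1918 private address space (the three blocks the RFC defines).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe_cidr(cidr):
    """Prefix length, host bits and first/last address of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "prefix": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "num_addresses": net.num_addresses,
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def is_rfc1918(cidr):
    """True if the whole block lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(r) for r in RFC1918)


def find_conflicts(candidate, existing):
    """Return every existing range that overlaps the candidate block."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return [e for e in existing
            if cand.overlaps(ipaddress.ip_network(e, strict=True))]


def vet_range(candidate, existing):
    """Verdict for a range proposed for the Vantage handshake.

    A range is acceptable only if it overlaps nothing you already route.
    A non-RFC 1918 range is still acceptable (Teradata may supply one), but
    it is flagged because it may be publicly routable even though it is
    only reached over peering or a VPN tunnel.
    """
    conflicts = find_conflicts(candidate, existing)
    notes = []
    if conflicts:
        notes.append("overlaps existing ranges: " + ", ".join(conflicts))
    if not is_rfc1918(candidate):
        notes.append("not RFC 1918: may be publicly routable")
    return {"ok": not conflicts, "notes": notes}


if __name__ == "__main__":
    # Constructed sample address plan for the customer VPC / on-prem site.
    plan = ["10.0.0.0/16", "10.20.0.128/25", "192.168.1.0/24"]
    print(describe_cidr("10.0.0.0/31"))
    print(vet_range("10.20.0.0/24", plan))   # conflict with 10.20.0.128/25
    print(vet_range("10.30.0.0/24", plan))   # clean, private
    print(vet_range("100.64.0.0/24", plan))  # clean, but not RFC 1918
```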
Network & Encryption
All Teradata network connections can be encrypted. Some examples of connectivity encryption options are:
- Cross-organization VPN.
- Protocol transit encryption for SQL-E (Quality of Protection [QOP] or TTU v17.10 + TLS).
- All HTTP interfaces will be HTTPS (such as Viewpoint).
- If you encrypt VPC connections using TLS 1.2, you must use port 443 instead of port 1025, which is the port for unencrypted VPC connections or VPC connections encrypted with Teradata generic encryption (QoP).
Additionally, Google encrypts all data in transit and at rest from the Point of Presence onwards. Once in the cloud, all traffic between virtual machines within a VPC network and a peered VPC network is encrypted. Consequently, all traffic between the Google virtual machines where Teradata Vantage runs is enciphered, i.e., all BYNET traffic between the TPA virtual machines is automatically encrypted.
Furthermore, depending on the connection, there are default protections for data in transit. For example, we secure communications between the user and the Google Front End (GFE) using TLS.
The Teradata Clients (Teradata Tools and Utilities or TTUs) are not specific to any Cloud Service Provider. However, when you consider the security of your connections, remember that you can enable TLS on TTUs 17.10 and above. Moreover, you can enable Teradata generic encryption (256 bits) for TTUs 16.20 onwards.
On a separate note, you can use either Google-Managed or Customer-Managed Encryption Keys (CMEK) for encryption. If you choose CMEK, the keys are generated in one of your GCP projects. However, they will be used in a Teradata-owned GCP project, where the Vantage system will be provisioned per the contractual agreement for the VaaS service. To learn more about VantageCloud Enterprise’s encryption keys, read the post Teradata Enterprise: Ins and Outs of the Encryption Keys.
Other Service Cloud Providers
In this blog, you can also find cheat sheets to connect VantageCloud Enterprise as a Service on Azure or AWS accounts.
This article was updated on 12 July 2023 to add the section “Other Service Cloud Providers” and the link to the Azure cheat sheet.
This article was updated on 19 July 2023 to add the link to the post about the network options for VantageCloud Enterprise on AWS.
This post was updated on 25 September 2023 to revise the ports in the cheat sheet.
I updated this article again on 26 December 2023 to add a link to the post Teradata Enterprise: Ins and Outs of the Encryption Keys.