GCS + Cloud Functions
Self-service setup with Terraform
Tunnel Agent
Lightweight agent in your VPC
Private Service Connect
Private endpoint, no public internet
VPC Peering
Direct network link between VPCs
Cloud VPN
Encrypted tunnel over the internet
Cloud Interconnect
Dedicated physical connection
Option 1: Export to GCS via Cloud Functions
RecommendedSelf-service
A Cloud Function runs inside your VPC via a Serverless VPC Access connector, queries Cloud SQL, converts results to Parquet, and writes them to GCS. BonData reads from GCS via its native S3-compatible integration or Google Cloud Storage.
- No firewall changes - the function connects via your VPC’s private network
- Zero DB performance impact - queries run on your schedule
- Database credentials never leave your GCP project
- Fully self-service - no coordination with BonData needed
Deploy with Terraform
Create abondata-cloudsql-export.tf file and fill in the variables at the top. This provisions the GCS bucket, Cloud Function, VPC connector, Cloud Scheduler job, and IAM in one apply.
Deploy
Connect GCS to BonData
Once data is flowing, connect BonData to the bucket:- In BonData, go to Integrations → Add Integration → Amazon S3
- Use GCS interoperability keys (S3-compatible) with the endpoint
https://storage.googleapis.com - Enter your bucket name and the prefix (default:
cloudsql-exports)
GCS is S3-compatible. Generate HMAC keys in the Cloud Storage Settings → Interoperability tab, then use them as Access Key ID / Secret Access Key in the BonData S3 integration.
Option 2: BonData Tunnel Agent
A lightweight Docker container that runs inside your VPC and creates a secure outbound tunnel to BonData. Once running, BonData can query your database directly through the encrypted connection - no inbound firewall rules, no VPN, no public exposure.Get started with the Tunnel Agent
Contact our team to provision your tunnel token and walk through deployment for your environment.
Option 3: Private Service Connect
Google Private Service Connect creates a private endpoint in your VPC that routes traffic to BonData without it ever crossing the public internet. Traffic stays entirely within the Google network. Best for: Organizations with strict compliance requirements (HIPAA, SOC 2) that prohibit any data traversal over the public internet, even when encrypted. Private Service Connect provides the strongest network-level isolation without the complexity of VPC Peering or VPN. How it works:- BonData publishes a Private Service Connect service
- You create a forwarding rule and endpoint in your VPC pointing to that service
- Your Cloud SQL traffic flows privately through Google’s backbone - no NAT, no public IPs
Set up Private Service Connect
Contact our team to get BonData’s service attachment and configure Private Service Connect for your project.
Option 4: VPC Network Peering
VPC Network Peering creates a direct network route between your VPC and BonData’s VPC, allowing private IP communication across projects. Best for: Teams that want a simple, low-cost network link. VPC Peering on GCP has no per-hour charge, supports full-bandwidth communication, and works across projects and organizations. How it works:- A peering connection is established between your VPC network and BonData’s VPC network
- Routes are automatically exchanged (or custom routes are exported)
- Your Cloud SQL authorized networks are updated to allow connections from BonData’s IP range
GCP VPC Peering supports cross-project and cross-organization peering. CIDR ranges must not overlap.
Set up VPC Peering
Contact our team to exchange VPC details and coordinate the peering connection.
Option 5: Cloud VPN
Google Cloud VPN creates an encrypted IPsec tunnel over the public internet between your network and BonData’s infrastructure. Best for: Organizations that already have VPN infrastructure or need to connect from on-premises networks. Also useful when VPC Peering isn’t possible due to overlapping CIDR ranges or cross-cloud connectivity needs. How it works:- A Cloud VPN gateway is created in your VPC
- An IPsec tunnel is established between your gateway and BonData’s endpoint
- All traffic is encrypted and routed through the tunnel
- HA VPN provides 99.99% availability with dual tunnels
Set up Cloud VPN
Contact our team to exchange gateway details and configure the VPN tunnel.
Option 6: Cloud Interconnect
Google Cloud Interconnect provides a dedicated physical network connection (10 Gbps or 100 Gbps) between your infrastructure and BonData, bypassing the public internet entirely. Best for: Enterprise environments with very high data volumes, strict latency requirements, or regulatory mandates for dedicated connectivity. Dedicated Interconnect provides the most consistent throughput and lowest latency of any option. Partner Interconnect is available for smaller bandwidth needs. How it works:- A physical cross-connect is established at a Google colocation facility (Dedicated) or through a supported partner (Partner)
- A VLAN attachment routes traffic between your network and BonData
- Traffic never touches the public internet - ideal for large-scale, continuous data sync
Dedicated Interconnect typically takes 2-4 weeks to provision. Partner Interconnect can be faster depending on the provider.
Set up Cloud Interconnect
Contact our team to discuss your throughput requirements and coordinate the connection.