Documentation Index
Fetch the complete documentation index at: https://docs.cube.dev/llms.txt
Use this file to discover all available pages before exploring further.
This page covers backend connectivity — Cube reaching into your network to
query data sources, auth providers, BI APIs targeted by Semantic Layer Sync,
and other upstream services. See
Backend and frontend connectivity for the full picture.
For frontend connectivity (exposing Cube’s APIs to your applications,
browsers, BI tools, and embedded analytics clients), see
Private API Connectivity on AWS; the
equivalent pattern is available on GCP on request.
Preparing the Service Attachment
There are two common scenarios for preparing the Service Attachment:- Connecting to a service in your GCP infrastructure
- Connecting to a service provided by a third party such as Snowflake, Databricks, Confluent Cloud, etc.
Allowing the Cube consumer project
PSC service attachments can restrict which consumer projects are allowed to create a PSC endpoint against them. Cube’s PSC consumer project iscube-cloud-dedicated.
In the GCP Console, go to Network services → Private Service Connect →
Published services → <your service> and add cube-cloud-dedicated to
Accepted projects. For faster connection establishment, you can also
add the same project to the auto-accept list so the connection is
approved automatically when Cube initiates it.
cube-cloud-dedicated is the GCP project Cube uses to host Dedicated
Infrastructure PSC endpoints. Adding it to your accepted-projects list
authorizes Cube to create a private endpoint against your Service
Attachment; nothing else in Cube’s GCP estate gains access to your network.Gathering required information
To request establishing a PSC connection, please share the following information with the Cube team:- Service Attachment URI (such as
projects/<your-project>/regions/<region>/serviceAttachments/<name>) - Reference Name for the record (such as “Snowflake-prod” or “clickhouse-dev”)
- Ports: a list of ports that will be accessed through this connection
- DNS Name(s): see DNS and TLS below
- Cube Region: PSC requires Cube to be hosted on Dedicated Infrastructure. Specify which Cube Region should host your Dedicated Infrastructure.
DNS and TLS
How your data source is addressed inside Cube depends on whether it speaks TLS:- If the service uses TLS (HTTPS, JDBC
sslmode=require, etc.), share the DNS name(s) the certificate is issued for — typically the same hostname your in-network clients already use to reach it. Cube creates internal DNS overrides inside the Dedicated Infrastructure so that the same hostname resolves to the PSC endpoint. Keeping the original hostname is what preserves TLS validity: the certificate’s CN/SAN keeps matching what Cube dials. - If the service does not use TLS and you don’t supply a DNS name, the Cube team will share back an internal endpoint hostname that you can configure as the upstream when you wire the connection into Cube.
Accepting the connection
The approval flow depends on how your Service Attachment is configured:- Manual acceptance. Cube will notify you once the connection request has been sent. Approve it in the GCP Console under Network services → Private Service Connect → Published services → <your service> → Connected endpoints, then select the pending connection and click Accept.
- Auto-accept. If you added
cube-cloud-dedicatedto the auto-accept list, the connection is approved automatically upon creation and no further action is required.