This feature is only available for cloud-prem deployments.
Overview
Glean on GCP can connect to your on-premises or cloud-based datasources using private networking. This allows Glean to securely crawl private services within your network without exposing them to the public internet. Glean uses a transit VPC to minimize IP address conflicts with your network and reduce infrastructure exposure.
Connectivity methods
| Method | Use when | Deployment speed | Tooling maturity |
|---|---|---|---|
| VPC peering | Your datasources are on GCP | Fast | Mature |
| Site-to-site VPN | Your datasources are on AWS, Azure, or on-premises | Fast | Mature |
| Private Service Connect | You need service-level isolation and fine-grained access control | Slow | Newer |
VPC peering
Direct network connection between your GCP VPC and Glean’s transit VPC. Architecture diagram coming soon. Contact your Glean representative for detailed network diagrams.
How it works
Your VPC peers with Glean’s transit VPC, which peers with Glean’s default VPC. Traffic flows privately through these peering connections for both crawler access and webhook delivery.
What you need to provide
- GCP project ID
- VPC network name (format: `projects/{project}/global/networks/{network}`)
- VPC CIDR ranges (must not overlap with 10.1.0.0/16)
- Datasource hostnames/IPs that Glean needs to access
Configuration notes
- Requires firewall rules to allow traffic from Glean’s transit VPC CIDR (provided by Glean)
- Best performance and lowest latency
- Cost-effective (no gateway fees)
- Limited to GCP-to-GCP connectivity
Site-to-site VPN
Encrypted IPsec tunnel between your network and Glean’s GCP environment. Architecture diagram coming soon. Contact your Glean representative for detailed network diagrams.
How it works
IPsec VPN tunnel connects your VPN gateway to Glean’s Cloud VPN gateway. Glean uses a /29 CIDR range (provided by you) for the transit VPC. All traffic is encrypted in transit.
What you need to provide
- VPN gateway public IP address
- IKE version (v1 or v2) - IKE v2 recommended
- Pre-shared key (generate a strong 32+ character key)
- Dedicated /29 CIDR range for Glean’s transit VPC (e.g., 10.99.0.0/29)
  - Must not overlap with your networks or 10.1.0.0/16
- Routes to advertise (networks where datasources reside)
- Datasource hostnames/IPs that Glean needs to access
Configuration notes
- Works with any cloud provider (AWS, Azure, GCP) or on-premises datacenter
- Higher latency than VPC peering due to VPN gateway hop
- VPN gateway and data transfer costs apply
- Supports static routing or BGP (GCP-to-GCP only)
Private Service Connect
Service-level isolation using GCP’s Private Service Connect producer/consumer model. Architecture diagram coming soon. Contact your Glean representative for detailed network diagrams.
How it works
PSC requires two separate configurations:
For webhooks (Customer → Glean):
- Glean creates a PSC producer (publishes Internal LB)
- You create a PSC consumer endpoint in your VPC
- Your datasources send webhooks to `<deployment>-internal-psc.glean.com`
For crawlers (Glean → Customer):
- You create a PSC producer (publish datasources via Internal LB)
- Glean creates PSC consumer endpoint(s)
- Glean crawlers access your datasources through consumer endpoints
What you need to provide
For webhook setup:
- GCP project ID
- Preferred region for PSC endpoint
For crawler setup:
- Service attachment ID after creating your PSC producer
  - Format: `projects/{project}/regions/{region}/serviceAttachments/{name}`
- Glean project ID added to trusted consumers (Glean provides this)
Configuration steps
Webhook setup (Your network → Glean)
After receiving Glean’s service attachment ID:
- Reserve a static internal IP in your VPC (see GCP documentation)
- Navigate to VPC Network → Private Service Connect → Connected Endpoints
- Click “Connect Endpoint” and enter Glean’s service attachment ID
- Configure Cloud DNS private zone: `<deployment>-internal-psc.glean.com` → your consumer IP
  - Replace `<deployment>` with your specific deployment identifier provided by Glean.
- Test connectivity: `curl https://<deployment>-internal-psc.glean.com/health`
Crawler setup (Glean → Your datasources)
- Create Internal Load Balancer pointing to your datasources (if not existing)
- Allocate a /24 subnet for PSC NAT (e.g., 10.100.250.0/24)
- Navigate to VPC Network → Private Service Connect → Published Services
- Create service attachment:
  - Target: Your Internal Load Balancer
  - Subnet: The /24 subnet allocated above
  - Add Glean’s project ID to trusted projects
- Provide service attachment ID to Glean
Configuration notes
- Requires GCP-to-GCP connectivity
- Fine-grained access control via project allowlisting
- More manual configuration than peering/VPN
- Service-level isolation without exposing entire VPC
Security & network details
Encryption & isolation
- VPC peering: Traffic uses GCP’s internal network encryption
- VPN: IPsec tunnel encryption with IKE v1/v2
- PSC: Traffic stays within Google’s private network
Access control
- VPC peering/VPN: Firewall rules control connectivity
- PSC: Project allowlists provide explicit trust model
Glean network ranges
Reserved CIDR:
- 10.1.0.0/16 - Glean default VPC (do not use this range)
- VPC peering: Avoid overlap with 10.1.0.0/16
- VPN: Allocate /29 for transit VPC (must not overlap with 10.1.0.0/16 or your networks)
- PSC: Allocate /24 for PSC NAT
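
A pre-flight check of an address plan against the range rules above, before anything is sent to Glean. This is an added example, not Glean tooling: the function names and the sample networks are assumptions, and only 10.1.0.0/16, the /29 and /24 sizes, and the 10.99.0.0/29 sample come from this page.

```python
import ipaddress

GLEAN_DEFAULT_VPC = ipaddress.ip_network("10.1.0.0/16")  # reserved range stated on this page
REQUIRED_PREFIX = {"vpn": 29, "psc": 24}  # /29 transit (VPN), /24 PSC NAT; peering allocates none

def _parse(cidr, problems):
    """Parse strictly so 10.99.0.1/29 (host bits set) is rejected, not silently rounded."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"invalid CIDR: {exc}")
        return None

def check_address_plan(method, own_cidrs, allocated=None):
    """Return a list of problems; an empty list means the plan meets the page's rules.

    method     -- "peering", "vpn" or "psc"
    own_cidrs  -- your VPC ranges / the routes you will advertise
    allocated  -- the range you dedicate to Glean for this method, if any
    """
    if method not in ("peering", "vpn", "psc"):
        raise ValueError(f"unknown method {method!r}")
    problems = []
    own = [n for n in (_parse(c, problems) for c in own_cidrs) if n is not None]
    if method in ("peering", "vpn"):
        # Routed methods: none of your networks may collide with Glean's default VPC.
        problems += [f"{n} overlaps reserved {GLEAN_DEFAULT_VPC}"
                     for n in own if n.overlaps(GLEAN_DEFAULT_VPC)]
    want = REQUIRED_PREFIX.get(method)
    if want is None:
        return problems
    if not allocated:
        return problems + [f"{method} needs a dedicated /{want} range"]
    alloc = _parse(allocated, problems)
    if alloc is None:
        return problems
    if alloc.prefixlen != want:
        problems.append(f"{alloc} is a /{alloc.prefixlen}, expected /{want}")
    if method == "vpn":
        # The transit /29 must be disjoint from Glean's VPC and from every network of yours.
        problems += [f"transit range {alloc} overlaps {n}"
                     for n in (GLEAN_DEFAULT_VPC, *own) if alloc.overlaps(n)]
    return problems

if __name__ == "__main__":
    # Constructed sample plan; 10.99.0.0/29 is the example range used on this page.
    print(check_address_plan("vpn", ["10.20.0.0/16", "172.16.0.0/12"], "10.99.0.0/29"))
```
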
Firewall ports
Ensure firewall rules allow Glean to access:
- Port 443 (HTTPS) - Most datasources
- Port 80, 8080 (HTTP) - Some internal applications
- Custom ports - Work with Glean to identify specific requirements
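
An audit of the ingress rules that admit Glean traffic, flagging any that are wider than the transit range or open more than the ports listed above. This is an added example, not Glean tooling: the rule names and the 10.99.0.0/29 transit range are constructed stand-ins (for peering, use the transit CIDR Glean provides), and the input is assumed to be the JSON from `gcloud compute firewall-rules list --format=json`.

```python
import ipaddress

AGREED_PORTS = {443, 80, 8080}  # ports listed on this page; add custom ports agreed with Glean

def _expand(port_specs):
    """Turn GCP port strings such as "443" or "8000-8100" into a set of ints."""
    ports = set()
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_glean_ingress(rules, transit_cidr, agreed_ports=AGREED_PORTS):
    """Return (rule name, finding) pairs for enabled ingress rules that admit the transit range."""
    transit = ipaddress.ip_network(transit_cidr)
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        sources = [ipaddress.ip_network(s, strict=False) for s in rule.get("sourceRanges", [])]
        if not any(s.overlaps(transit) for s in sources):
            continue  # this rule does not let Glean traffic in
        for s in sources:
            if s.version != transit.version or not s.subnet_of(transit):
                findings.append((rule["name"], f"source {s} reaches beyond {transit}"))
        for entry in rule.get("allowed", []):
            if entry.get("IPProtocol") != "tcp":
                findings.append((rule["name"], f"protocol {entry.get('IPProtocol')} allowed"))
            elif "ports" not in entry:  # no ports key = every port of that protocol
                findings.append((rule["name"], "all TCP ports allowed"))
            elif extra := _expand(entry["ports"]) - agreed_ports:
                findings.append((rule["name"], f"unagreed ports {sorted(extra)}"))
    return findings

# Constructed sample rules in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "allow-glean-https", "direction": "INGRESS", "sourceRanges": ["10.99.0.0/29"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-internal-all", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-glean-apps", "direction": "INGRESS", "sourceRanges": ["10.99.0.0/29"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080", "8000-8002"]}]},
    {"name": "allow-office-ssh", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for name, finding in audit_glean_ingress(SAMPLE_RULES, "10.99.0.0/29"):
        print(f"{name}: {finding}")
```
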
Implementation process
1. Choose your method
Use the comparison table above based on where your datasources are hosted.
2. Prepare information
Gather the required information listed in your chosen method section above.
3. Contact Glean
Reach out to your Glean Customer Success or Solutions Engineering team with:
- Chosen connectivity method
- Required information from step 2
- Timeline and compliance requirements
- Technical point of contact (name, email, role)
4. Deploy & validate
Glean will:
- Configure Glean infrastructure (VPN gateway, peering request, or PSC producer)
- Provide connection details (IP addresses, service attachment IDs, etc.)
- Coordinate connectivity testing
- Enable datasource crawlers after validation
- Monitor initial crawl
Support
- Technical Documentation: GCP Cloud Prem FAQ
- Network Issues: Contact your Glean Solutions Engineer
- Security Questions: [email protected]
- General Support: [email protected]