GCP

Run Hydrolix on your own Google Cloud (GCP) infrastructure with the Bring Your Own Cloud (BYOC) offering. This can provide cost savings over the standard Hydrolix Cloud offering. See the Hydrolix pricing page for more information.

Prepare your GCP project for deployment using the following steps:

  1. Enable required GCP APIs
  2. Grant the Hydrolix service account IAM (Identity and Access Management) roles in your project
  3. Provide your project ID and deployment region to Hydrolix

Prerequisites

  • Shell access on a Unix-like system (macOS or Linux), or access to the GCP Console
  • The gcloud CLI (if using the command-line instructions that follow)
  • A GCP project with a billing account attached
  • The Owner role (roles/owner) on that project
  • Account and region information listed in the following table

| Item | Description | Example |
| --- | --- | --- |
| GCP Project ID | Your Google Cloud project identifier | my-company-hydrolix |
| Deployment region | The GCP region for the Hydrolix deployment | us-central1 |
| Zone (optional) | Availability zone in the region; defaults to a if omitted | a |

Enable required GCP APIs

The following GCP APIs must be enabled in your project before deployment can begin. Run the following gcloud command, or enable them through the GCP Console (APIs & Services > Enable APIs).

Enable Required GCP APIs
gcloud services enable \
  container.googleapis.com \
  compute.googleapis.com \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  servicenetworking.googleapis.com \
  sqladmin.googleapis.com \
  sql-component.googleapis.com \
  storage.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  cloudtrace.googleapis.com \
  artifactregistry.googleapis.com \
  dns.googleapis.com \
  --project=<YOUR_GCP_PROJECT_ID>

Grant Hydrolix access

Hydrolix will provide a service account email address. Grant it the following IAM roles in your project using the gcloud CLI:

Grant IAM Roles to Hydrolix Service Account
HDX_SA="<SERVICE_ACCOUNT_EMAIL_PROVIDED_BY_HYDROLIX>"
PROJECT_ID="<YOUR_GCP_PROJECT_ID>"

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/container.admin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/compute.networkAdmin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/compute.viewer"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/cloudsql.admin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/storage.admin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/iam.serviceAccountAdmin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/iam.securityAdmin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/resourcemanager.projectIamAdmin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/serviceusage.serviceUsageAdmin"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${HDX_SA}" --role="roles/servicenetworking.networksAdmin"

Alternatively, grant these roles through the GCP Console under IAM & Admin > IAM by adding the service account email as a principal with each of the following roles.

Role reference

| Role | Purpose |
| --- | --- |
| roles/container.admin | Create and manage the GKE cluster and node pools |
| roles/compute.networkAdmin | Create VPC network, subnetwork, and firewall rules |
| roles/compute.viewer | Read access to compute resources for status checks |
| roles/cloudsql.admin | Create and manage the Cloud SQL PostgreSQL database |
| roles/storage.admin | Create and manage GCS buckets for data storage |
| roles/iam.serviceAccountAdmin | Create a per-cluster service account for Hydrolix workloads |
| roles/iam.serviceAccountUser | Assign service accounts to cluster nodes and the database |
| roles/iam.securityAdmin | Bind IAM roles to service accounts created during deployment |
| roles/resourcemanager.projectIamAdmin | Set up Workload Identity bindings for secure pod authentication |
| roles/serviceusage.serviceUsageAdmin | Verify that required GCP APIs are enabled |
| roles/servicenetworking.networksAdmin | Set up private networking for the database |
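
As a check after the grant step, the following added example (not Hydrolix's own tooling) compares the project-level roles actually bound to the service account with the eleven roles listed on this page and reports anything missing or unexpected. The function names and the sample input are assumptions made for illustration; `list_sa_roles` uses the standard `gcloud projects get-iam-policy` flatten/filter pattern.

```sh
#!/bin/sh
# Added example: audit the project-level roles bound to the Hydrolix service account.

# The eleven roles documented on this page.
EXPECTED_ROLES='roles/container.admin
roles/compute.networkAdmin
roles/compute.viewer
roles/cloudsql.admin
roles/storage.admin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountUser
roles/iam.securityAdmin
roles/resourcemanager.projectIamAdmin
roles/serviceusage.serviceUsageAdmin
roles/servicenetworking.networksAdmin'

# list_sa_roles PROJECT_ID SA_EMAIL (hypothetical helper name)
# Print the project-level roles bound to the service account, one per line.
# Bindings inherited from a folder or organization are not included.
list_sa_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# audit_roles (hypothetical helper name): read the actual roles on stdin and
# report differences from EXPECTED_ROLES.
# Returns 0 only when the bound set equals the documented set.
audit_roles() {
  actual=$(sort -u)
  rc=0
  for role in $EXPECTED_ROLES; do
    printf '%s\n' "$actual" | grep -Fxq "$role" || { echo "MISSING $role"; rc=1; }
  done
  for role in $actual; do
    printf '%s\n' "$EXPECTED_ROLES" | grep -Fxq "$role" || { echo "UNEXPECTED $role"; rc=1; }
  done
  return "$rc"
}

# Constructed sample (not real output): storage grant skipped, roles/owner added.
SAMPLE_ROLES=$(printf '%s\n' "$EXPECTED_ROLES" | grep -v '^roles/storage\.admin$'; echo roles/owner)
printf '%s\n' "$SAMPLE_ROLES" | audit_roles || true

# Against a live project:
#   list_sa_roles "$PROJECT_ID" "$HDX_SA" | audit_roles
```

Because roles/iam.securityAdmin and roles/resourcemanager.projectIamAdmin allow changing the project's IAM policy, rerunning the audit periodically shows whether the account's bindings have drifted from the documented set.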

Send Hydrolix deployment details

After completing the previous steps, send the GCP Project ID, deployment region, and zone from Prerequisites to Hydrolix Support.

What happens next

Once access is granted, Hydrolix automatically creates and manages the following resources in your project:

  • Virtual Private Cloud (VPC) network and subnetwork: isolated networking for the cluster
  • Google Kubernetes Engine (GKE) cluster and node pools: Kubernetes cluster for running Hydrolix
  • Cloud SQL (PostgreSQL) instance: metadata database
  • Google Cloud Storage (GCS) buckets: data storage
  • Service accounts and Workload Identity: secure authentication between workloads and GCP services

No further action is needed from your team after completing the previous steps.

For information or assistance, contact Hydrolix Support.