klausmueller-neo4j/private-service-connect-aura

GCP Private Service Connect to Neo4j Aura (Terraform)

This Terraform config provisions a VPC, subnets, a Private Service Connect (PSC) consumer endpoint to Aura, a Cloud DNS Response Policy override, and a small test VM to validate connectivity.

Prerequisites

  • Google Cloud project with billing enabled
  • gcloud CLI installed and authenticated
  • Terraform >= 1.6

Auth setup

Authenticate using Application Default Credentials:

gcloud auth application-default login
gcloud config set project <YOUR_PROJECT_ID>

Alternatively, point the GOOGLE_APPLICATION_CREDENTIALS environment variable at a service account key file.

Files

  • versions.tf: Pinned Terraform provider versions
  • providers.tf: Google providers configured from variables
  • variables.tf: Inputs such as project_id, region, subnets, psc_subnet_name, aura_service_attachment, aura_fqdn, and test VM settings
  • main.tf: All resources (network, PSC, DNS, firewall, test VM)
  • outputs.tf: Useful outputs (subnets, VPC, test VM IPs)

What each resource does (at a glance)

  • google_project_service.compute_api / google_project_service.dns_api: Enables Compute and Cloud DNS APIs for this project.
  • google_compute_network.vpc: Creates a custom VPC; no auto subnets.
  • google_compute_subnetwork.subnets: Creates subnets from the subnets map. Defaults to enabling Private Google Access.
  • google_compute_address.psc_ip: Reserves an INTERNAL regional IP from the chosen subnet with purpose = GCE_ENDPOINT for PSC.
  • google_compute_forwarding_rule.psc_endpoint: Creates the PSC consumer endpoint to Aura using the service attachment URL; uses the reserved PSC IP. Do not set load_balancing_scheme.
  • google_dns_response_policy.neo4j_policy: A Response Policy bound to the VPC; used to override DNS for Aura inside the VPC.
  • google_dns_response_policy_rule.neo4j_rule: Local Data A record mapping aura_fqdn to the PSC IP so VMs in the VPC resolve the Aura hostname privately.
  • google_compute_firewall.allow_ssh: Permits SSH to the test VM from ssh_source_ranges (tighten in production).
  • data.google_compute_image.debian: Resolves the latest Debian 12 image.
  • google_compute_instance.test_vm: Small Debian e2-micro VM in the selected subnet for connectivity tests (installs curl/dig/nc).

Key variables (set in terraform.tfvars)

project_id              = "<YOUR_PROJECT_ID>"
region                  = "europe-west1"              # must match Aura service attachment region
network_name            = "psc-aura"

subnets = {
  subnet-a = {
    ip_cidr_range = "10.10.0.0/24"
    region        = "europe-west1"
  }
  subnet-b = {
    ip_cidr_range = "10.10.1.0/24"
    region        = "europe-west1"
  }
}

psc_subnet_name         = "subnet-a"                   # subnet key to host the PSC IP
aura_service_attachment = "https://www.googleapis.com/compute/v1/projects/<ni-production-000>/regions/europe-west1/serviceAttachments/db-ingress-private"
aura_fqdn               = "*.production-orch-<id>.neo4j.io."

# optional test VM settings
test_vm_name            = "psc-test"
test_vm_zone            = "europe-west1-b"
test_vm_machine_type    = "e2-micro"
test_vm_subnet_name     = "subnet-a"
ssh_source_ranges       = ["0.0.0.0/0"]

Deploy

terraform init -upgrade
terraform plan
terraform apply -auto-approve

Validate

  1. Check PSC status and IP:

     gcloud compute forwarding-rules describe psc-endpoint-aura \
       --region europe-west1 \
       --format='value(pscConnectionStatus,IPAddress)'
     # Expect: ACCEPTED  <10.x.x.x>

  2. Connect to the test VM (SSH):

     gcloud compute ssh psc-test --zone=europe-west1-b

  3. From the VM, confirm DNS override and connectivity:

     dig +short <database>.production-orch-<id>.neo4j.io         # should resolve to the PSC IP (10.x)
     nc -vz <database>.production-orch-<id>.neo4j.io 443         # HTTPS
     nc -vz <database>.production-orch-<id>.neo4j.io 7687        # Neo4j Bolt

If you have a specific Aura instance hostname like <database>.production-orch-<id>.neo4j.io, you can test TLS/SNI directly:

curl -svk https://<database>.production-orch-<id>.neo4j.io/ | head

Tip: If subdomains like <database>.production-orch-<id>.neo4j.io don’t resolve, add an additional response policy rule for the wildcard *.production-orch-<id>.neo4j.io pointing to the same PSC IP.
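The manual checks in the Validate section can be turned into pass/fail assertions: the endpoint must be ACCEPTED, its IP must sit in the subnet named by psc_subnet_name, and the Aura hostname must resolve to exactly that private IP (a public or empty answer means the Response Policy override is not in effect and traffic would leave the VPC). The helpers below are an added example, not code from this repository; they assume the 10.10.0.0/24 subnet and the forwarding-rule name used above.

```shell
# Added validation helpers (not part of the repository). POSIX sh compatible.

# Convert a dotted-quad IPv4 address to an integer (no external tools needed).
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IPv4 $1 lies inside CIDR $2 (e.g. 10.10.0.0/24).
ip_in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# $1 = the line printed by
#   gcloud compute forwarding-rules describe psc-endpoint-aura --region <region> \
#     --format='value(pscConnectionStatus,IPAddress)'
# $2 = CIDR of the subnet holding the reserved PSC IP. Prints the IP on success.
check_psc_endpoint() {
  set -- $1 "$2"           # split "STATUS<tab>IP" into $1=status $2=ip $3=cidr
  [ "$1" = "ACCEPTED" ] || { echo "PSC status is '$1', expected ACCEPTED" >&2; return 1; }
  ip_in_cidr "$2" "$3" || { echo "PSC IP $2 is outside $3" >&2; return 1; }
  echo "$2"
}

# $1 = output of 'dig +short <host>' on the test VM, $2 = the PSC IP.
# Anything other than the PSC IP means the override is not taking effect.
check_dns_override() {
  [ -n "$1" ] || { echo "hostname did not resolve" >&2; return 1; }
  [ "$1" = "$2" ] || { echo "resolved to $1, expected PSC IP $2" >&2; return 1; }
}

# Live use on the test VM (requires gcloud and dig; placeholders as in this README):
#   psc_ip=$(check_psc_endpoint "$(gcloud compute forwarding-rules describe psc-endpoint-aura \
#       --region europe-west1 --format='value(pscConnectionStatus,IPAddress)')" 10.10.0.0/24)
#   check_dns_override "$(dig +short <database>.production-orch-<id>.neo4j.io)" "$psc_ip"
```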

Clean up

terraform destroy -auto-approve
