Technical Setup
Identity-Aware Proxy Setup
Google Cloud Platform (GCP) provides the Identity-Aware Proxy (IAP) service to manage user access to web applications and resources hosted on Google Cloud.
To set up IAP:
- Create a project in GCP.
- Create an HTTPS Load Balancer.
- From Load Balancing, select From internet to my VMs or serverless services and Global HTTP(S) Load Balancer (classic).
- From Backend Configuration, create a Backend Service.
- Choose the corresponding Backend Type. If DataChat is deployed on Google Cloud, choose the appropriate backend type for the host (GCE, App Engine, etc.).
- Set the protocol to HTTPS.
- Save the backend for the backend configuration. If you are using an Internet Backend Endpoint Group:
- Under Host and Path Rules select Advanced mode, then edit the host and path rule to point to the created backend.
- Open the Add-on Action section, and set the Host Rewrite to the URL that the endpoint points to.
- Under Frontend Configuration, set up HTTP and HTTPS for the same IP address, then point a domain to this IP. You need a certificate for the HTTPS configuration. You can use an existing certificate from your domain, generate a new one, or use a Google-managed one.
- Save the load balancer.
- Enable IAP for the backend service you created earlier.
- Once enabled, click the three dots, then click Get JWT Audience Code.
- You can provide access to users by selecting Backend, then clicking Add Principal. Enter the email addresses of the users you would like to add, then select All roles > Cloud IAP > IAP-secured Web App User.
Network Configuration for Database Connectivity
When connecting an on-premises database to DataChat's SaaS platform, ensure the following network configurations are in place:
Add DataChat IP for Read-Only Databases
If you are working from DataChat's cloud platform, connecting to a read-only database that's behind a firewall might require you to add the following IP addresses to your firewall's allowlist to allow DataChat to access your database:
- 18.116.2.110
- 3.130.35.228
- 34.123.95.244
Work with your organization's IT team to configure your firewall's allowlist.
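One way to review a firewall allowlist against the three addresses above, as an added example that is not DataChat's own tooling. The helper name `audit_allowlist` is hypothetical and the sample allowlist entries are constructed for illustration.

```python
import ipaddress

# Source addresses listed on this page for DataChat's cloud platform.
DATACHAT_IPS = ["18.116.2.110", "3.130.35.228", "34.123.95.244"]

def audit_allowlist(entries, required=DATACHAT_IPS):
    """Compare firewall allowlist entries (IPs or CIDRs) with the required sources.

    Returns a dict with:
      missing   - required IPs that no entry covers (the connection would be blocked)
      too_broad - (entry, extra_addresses) for entries that admit a required IP
                  but also admit other hosts
      unrelated - valid entries that cover none of the required IPs
      invalid   - entries that do not parse as an IP address or CIDR block
    """
    required_ips = [ipaddress.ip_address(ip) for ip in required]
    covered = set()
    report = {"missing": [], "too_broad": [], "unrelated": [], "invalid": []}
    for entry in entries:
        try:
            # strict=False accepts entries written with host bits set.
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            report["invalid"].append(entry)
            continue
        hits = [ip for ip in required_ips if ip.version == net.version and ip in net]
        covered.update(hits)
        if not hits:
            report["unrelated"].append(entry)
        elif net.num_addresses > len(hits):
            # The rule opens the database to more sources than DataChat needs.
            report["too_broad"].append((entry, net.num_addresses - len(hits)))
    report["missing"] = [str(ip) for ip in required_ips if ip not in covered]
    return report

# Constructed sample allowlist: one exact entry, one over-wide range,
# one entry unrelated to DataChat, and one malformed entry.
SAMPLE_ALLOWLIST = ["18.116.2.110/32", "3.130.35.0/24", "10.0.0.0/8", "34.123.95.244/33"]

if __name__ == "__main__":
    for finding, items in audit_allowlist(SAMPLE_ALLOWLIST).items():
        print(f"{finding}: {items}")
```

Entries reported as `too_broad` are candidates for narrowing to a single `/32` address, since a read-only database behind a firewall only needs to accept the listed sources.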
SSL/TLS Requirements
Your on-premises database must use an SSL certificate signed by a publicly recognized Certificate Authority (CA) for encrypted communication to work properly. If your database does not have a valid CA-signed SSL certificate, TLS-encrypted connections may not be possible.
Some databases may support disabling encryption as an alternative, but this should only be considered after discussing your specific situation with your DataChat administrator.