{"id":608,"date":"2026-04-14T17:40:06","date_gmt":"2026-04-14T17:40:06","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-integration-connectors-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-application-development\/"},"modified":"2026-04-14T17:40:06","modified_gmt":"2026-04-14T17:40:06","slug":"google-cloud-integration-connectors-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-application-development","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-integration-connectors-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-application-development\/","title":{"rendered":"Google Cloud Integration Connectors Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Application development"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Application development<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p><strong>What this service is<\/strong><br\/>\nIntegration Connectors is a managed Google Cloud service that provides prebuilt connectors and managed \u201cconnections\u201d to common SaaS applications and enterprise data sources (for example CRMs, ITSM tools, databases, and other business systems). It standardizes how you configure connectivity, authentication, and network access so that your integrations can focus on business logic instead of custom plumbing.<\/p>\n\n\n\n<p><strong>Simple explanation (one paragraph)<\/strong><br\/>\nIf your application needs to talk to systems like Salesforce, ServiceNow, or a PostgreSQL database, Integration Connectors lets you create a connection once (with the right credentials and networking), then reuse it across integrations\u2014without writing and operating custom connector code.<\/p>\n\n\n\n<p><strong>Technical explanation (one paragraph)<\/strong><br\/>\nIntegration Connectors exposes Google-managed connector runtimes and APIs for creating <em>connection resources<\/em> in a specific Google Cloud region. A connection binds a connector type\/version to an endpoint, identity (credentials), and networking configuration (public internet, VPC\/private connectivity, or on\u2011prem connectivity via an agent). These connections are then used by Google Cloud integration\/orchestration services\u2014most commonly <strong>Application Integration<\/strong>\u2014to perform actions against the target system, with centralized policy, auditing, and operations.<\/p>\n\n\n\n<p><strong>What problem it solves<\/strong><br\/>\nTeams repeatedly rebuild the same integration foundations: authentication flows, secret storage, retries\/timeouts, network paths into private systems, and connector upgrades. Integration Connectors reduces this toil by offering managed connectivity patterns and reusable connection artifacts\u2014improving delivery speed, operational consistency, and security posture for application development and enterprise integration.<\/p>\n\n\n\n<blockquote>\n<p>Service name note: <strong>Integration Connectors<\/strong> is the current Google Cloud product name as of this writing. Google Cloud\u2019s integration portfolio also includes <strong>Application Integration<\/strong> and other services; this tutorial focuses specifically on <strong>Integration Connectors<\/strong> and how it is typically used.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Integration Connectors?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Integration Connectors is designed to provide <strong>managed connectivity<\/strong> between Google Cloud and external systems (SaaS apps and enterprise systems) through <strong>prebuilt connectors<\/strong> and reusable <strong>connection<\/strong> configurations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<p>At a high level, Integration Connectors provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A catalog of connector types (SaaS and data sources) with Google-managed runtime support.<\/li>\n<li><strong>Connection resources<\/strong> that encapsulate:<\/li>\n<li>Endpoint details (host, URL, instance, etc.)<\/li>\n<li>Authentication\/authorization configuration<\/li>\n<li>Networking path (public, private\/VPC, or via on-prem agent)<\/li>\n<li>Operational settings (where supported), such as timeouts or retry behavior (often enforced by the calling integration product; verify per connector\/task in official docs)<\/li>\n<li>Lifecycle management: create, test, update, rotate credentials, and delete connections.<\/li>\n<li>Central visibility and governance: IAM-controlled access, audit logs, and integration with Cloud Logging\/Monitoring (availability may vary by integration runtime; verify in official docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual model)<\/h3>\n\n\n\n<p>While exact names in the Console and APIs can evolve, Integration Connectors deployments usually revolve around:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Connector<\/strong>: The connector \u201ctype\u201d (e.g., a specific SaaS or database family) and sometimes a <strong>version<\/strong>.<\/li>\n<li><strong>Connection<\/strong>: A regional configuration resource in your project that points to a specific target and auth method.<\/li>\n<li><strong>Connectivity option<\/strong>:<\/li>\n<li>Public endpoint access over the internet (where supported and appropriate)<\/li>\n<li>Private access to resources in a VPC network (often via a Google-managed private connectivity mechanism; verify the current recommended setup in docs)<\/li>\n<li>On-prem\/private network access using a <strong>connectivity agent<\/strong> (a lightweight agent that enables outbound connectivity from your network to Google; verify current agent name and requirements in official docs)<\/li>\n<li><strong>Secrets\/credentials<\/strong>: Stored and referenced securely (often via Secret Manager or encrypted fields managed by the service; exact approach depends on connector and configuration).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed connectivity service (part of Google Cloud\u2019s broader integration capabilities).<\/li>\n<li>Primarily configured via Google Cloud Console and\/or APIs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope (regional\/global\/zonal and project scoping)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Project-scoped<\/strong>: Connections live inside a Google Cloud project.<\/li>\n<li><strong>Regional<\/strong>: Connections are typically created in a chosen region (for latency, data residency, and networking alignment).<br\/>\n  Verify the latest region support and whether specific connectors are available in your region in the official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Google Cloud ecosystem<\/h3>\n\n\n\n<p>Integration Connectors is commonly used alongside:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Application Integration<\/strong> (for orchestration and integration flows that call connectors)<\/li>\n<li><strong>Secret Manager<\/strong> (credential storage\/rotation patterns)<\/li>\n<li><strong>Cloud Logging<\/strong> and <strong>Cloud Monitoring<\/strong> (operational visibility)<\/li>\n<li><strong>VPC networking<\/strong> and private connectivity patterns (for non-public targets)<\/li>\n<li><strong>IAM<\/strong> (centralized access control)<\/li>\n<li><strong>Cloud Audit Logs<\/strong> (who changed what, when)<\/li>\n<\/ul>\n\n\n\n<p>Official docs entry point:<br\/>\nhttps:\/\/cloud.google.com\/integration-connectors\/docs<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Integration Connectors?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster delivery<\/strong>: Reduce time spent building and maintaining one-off connectors.<\/li>\n<li><strong>Standardization<\/strong>: One consistent model for connection configuration across teams.<\/li>\n<li><strong>Reduced integration risk<\/strong>: Use Google-managed connectors rather than ad hoc scripts.<\/li>\n<li><strong>Better change management<\/strong>: Centralized connection lifecycle helps when endpoints or credentials change.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prebuilt connectors<\/strong>: Common systems can be integrated without bespoke code.<\/li>\n<li><strong>Reusable connections<\/strong>: Configure once, reuse across multiple integrations.<\/li>\n<li><strong>Network options for private systems<\/strong>: Designed for enterprise environments where targets are not publicly reachable.<\/li>\n<li><strong>Separation of concerns<\/strong>: Application logic (integrations) is decoupled from connectivity (connections).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Central inventory of connections<\/strong>: Easier troubleshooting and ownership.<\/li>\n<li><strong>IAM-based controls<\/strong>: Restrict who can view\/change connection details.<\/li>\n<li><strong>Auditability<\/strong>: Track connection configuration changes via audit logs.<\/li>\n<li><strong>Reduced operational burden<\/strong>: Fewer custom services to patch, scale, and secure.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least-privilege access<\/strong> through IAM.<\/li>\n<li><strong>Credential governance<\/strong>: Encourage secret management patterns and credential rotation.<\/li>\n<li><strong>Private connectivity support<\/strong>: Keep traffic off the public internet where needed.<\/li>\n<li><strong>Audit logs<\/strong> for compliance evidence.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional placement<\/strong>: Deploy connections close to workloads\/targets.<\/li>\n<li><strong>Managed runtime<\/strong>: Avoid scaling your own connector service fleet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Integration Connectors when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Repeatable, governed connectivity to SaaS or enterprise systems<\/li>\n<li>Integration patterns shared across multiple apps\/teams<\/li>\n<li>Private\/on-prem connectivity without building custom VPN + connector services<\/li>\n<li>A managed \u201cconnection layer\u201d used by Application Integration in Google Cloud<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should <em>not<\/em> choose it<\/h3>\n\n\n\n<p>Consider alternatives when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need a custom protocol or niche system not supported by available connectors.<\/li>\n<li>You require extremely specialized transformation logic inside the connector runtime itself (a full iPaaS or custom middleware may be better).<\/li>\n<li>Your use case is simply calling a REST API occasionally\u2014<strong>Workflows<\/strong> or direct HTTP calls from <strong>Cloud Run\/Functions<\/strong> might be simpler.<\/li>\n<li>You need full API lifecycle management (policies, developer portal, monetization): look at <strong>Apigee<\/strong> instead.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Integration Connectors used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<p>Common in industries with many third-party systems and strict governance:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial services (CRM + ticketing + internal systems)<\/li>\n<li>Retail\/e-commerce (order, inventory, CRM)<\/li>\n<li>Healthcare\/life sciences (systems integration; verify compliance requirements)<\/li>\n<li>Manufacturing (ERP + supply chain platforms)<\/li>\n<li>SaaS and tech companies (customer support and billing systems)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams building shared integration capabilities<\/li>\n<li>Application development teams integrating business systems<\/li>\n<li>Integration\/ESB teams migrating from legacy middleware<\/li>\n<li>SRE\/operations teams standardizing connectivity and credentials<\/li>\n<li>Security teams enforcing controlled access to integrations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Orchestrations (multi-step workflows)<\/li>\n<li>Event-driven integrations (often via separate eventing services; verify connector support and integration product capabilities)<\/li>\n<li>Batch synchronization jobs (e.g., nightly syncs)<\/li>\n<li>Data enrichment calls from apps (with careful latency expectations)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hub-and-spoke integration platform (central integration project + shared connections)<\/li>\n<li>Domain-aligned integrations (each domain owns its connections)<\/li>\n<li>Hybrid connectivity (SaaS + on-prem systems)<\/li>\n<li>Multi-environment (dev\/test\/prod) with separate projects and controlled promotion<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enterprises connecting multiple SaaS tools (CRM, ITSM, marketing automation)<\/li>\n<li>Teams modernizing from on-prem ESB to managed cloud integrations<\/li>\n<li>Regulated environments needing auditability and least privilege<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dev\/Test<\/strong>: Validate connectors, credential patterns, and network connectivity using small datasets and non-production SaaS sandboxes.<\/li>\n<li><strong>Production<\/strong>: Enforce IAM controls, private connectivity, robust monitoring, incident playbooks, and credential rotation.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Integration Connectors is frequently a good fit. Connector availability varies\u2014confirm in the official connector catalog for your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Salesforce \u2192 internal order system synchronization<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Sales ops needs customer\/account updates propagated into internal systems reliably.<\/li>\n<li><strong>Why it fits<\/strong>: Managed Salesforce connectivity with centralized credentials and reuse across multiple flows.<\/li>\n<li><strong>Scenario<\/strong>: When an Account updates, an integration reads the record and updates an internal database through another connector.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) ServiceNow ticket enrichment from internal CMDB\/database<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Support tickets lack service ownership and environment metadata.<\/li>\n<li><strong>Why it fits<\/strong>: Standardize connection to ServiceNow and a database; reduce custom scripts.<\/li>\n<li><strong>Scenario<\/strong>: On ticket creation, fetch owner info from PostgreSQL and update ServiceNow fields.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Jira issue automation with approval and notifications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Manual steps to transition issues and notify stakeholders.<\/li>\n<li><strong>Why it fits<\/strong>: Use connectors for Jira and messaging\/email systems (if available) with a single governed connection model.<\/li>\n<li><strong>Scenario<\/strong>: When a change request is approved, transition Jira issue and notify a group.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Database-driven integration to SaaS (PostgreSQL\/MySQL \u2192 CRM)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Customer data stored in a DB needs to sync to CRM.<\/li>\n<li><strong>Why it fits<\/strong>: Database connector plus SaaS connector; avoid custom ETL scripts for operational sync.<\/li>\n<li><strong>Scenario<\/strong>: Nightly job reads updated customers and upserts into CRM.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) HR onboarding automation (HRIS \u2192 IAM \/ ticketing)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: New hires require accounts, group memberships, and tickets.<\/li>\n<li><strong>Why it fits<\/strong>: Centralize credentials and network access; orchestrate multi-system steps.<\/li>\n<li><strong>Scenario<\/strong>: Pull new-hire record from HR system and create tasks\/tickets across tools.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Secure on-prem database access for cloud-based integrations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: On-prem DB is not reachable from the internet; VPN is slow to change and hard to govern for each integration.<\/li>\n<li><strong>Why it fits<\/strong>: Connectivity agent\/private connectivity patterns avoid exposing DB publicly and reduce custom network work.<\/li>\n<li><strong>Scenario<\/strong>: Integration queries on-prem Oracle\/PostgreSQL and updates SaaS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Multi-tenant SaaS operations automation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Your operations team needs to automate tasks across multiple external systems per tenant.<\/li>\n<li><strong>Why it fits<\/strong>: Separate connections per tenant with IAM controls and audit logs.<\/li>\n<li><strong>Scenario<\/strong>: Per-customer Salesforce sandbox connection used for automated data fixes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Marketing automation data pushes from internal systems<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Marketing platforms need near-real-time updates about user lifecycle events.<\/li>\n<li><strong>Why it fits<\/strong>: Managed connector plus centralized error handling in orchestration layer.<\/li>\n<li><strong>Scenario<\/strong>: On purchase event, update marketing profile attributes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Finance reconciliation (ERP \u2194 billing \u2194 payment gateway)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Inconsistent records across finance systems.<\/li>\n<li><strong>Why it fits<\/strong>: Connectors reduce custom API code and standardize credential governance.<\/li>\n<li><strong>Scenario<\/strong>: Daily integration pulls transactions, compares, and writes discrepancies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Support analytics enrichment pipeline (ITSM \u2192 data warehouse staging)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Support data needs enrichment and loading into analytics.<\/li>\n<li><strong>Why it fits<\/strong>: Integration Connectors can simplify extraction and writing into staging DBs (verify connector availability for your targets).<\/li>\n<li><strong>Scenario<\/strong>: Extract ticket data, enrich with product metadata, store in SQL staging.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Controlled credential rotation without breaking integrations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Secrets rotate but integrations break due to scattered configs.<\/li>\n<li><strong>Why it fits<\/strong>: Centralize connection configuration; update credentials once.<\/li>\n<li><strong>Scenario<\/strong>: Rotate DB password in Secret Manager and update connection reference.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Standardized \u201cconnection factory\u201d for many application teams<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Each app team implements its own connector code and security model.<\/li>\n<li><strong>Why it fits<\/strong>: Platform team provides pre-approved connections; app teams consume them via integrations.<\/li>\n<li><strong>Scenario<\/strong>: A shared \u201cSalesforce-prod\u201d connection managed by platform team.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Important: Specific capabilities can vary by connector type\/version and by the product that invokes the connection (for example, Application Integration). Always confirm the latest behavior in the official docs and connector reference for your chosen connector.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Prebuilt connector catalog<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides managed connectors for common SaaS apps and data sources.<\/li>\n<li><strong>Why it matters<\/strong>: Avoids building and maintaining many bespoke integrations.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster proof-of-concepts and more consistent connectivity patterns.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Connector availability varies by region; not all third-party systems are supported.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 Connection resources (reusable connectivity configuration)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you define a connection once\u2014endpoint + auth + networking\u2014in a region.<\/li>\n<li><strong>Why it matters<\/strong>: Separates connectivity from integration logic.<\/li>\n<li><strong>Practical benefit<\/strong>: Multiple integrations can share one approved connection.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: You must design environment separation (dev\/test\/prod) carefully to avoid accidental production access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Multiple authentication methods (connector-dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Supports common auth patterns such as OAuth flows, basic auth, API keys, and service-account-like patterns depending on the target.<\/li>\n<li><strong>Why it matters<\/strong>: Real systems rarely share a single auth mechanism.<\/li>\n<li><strong>Practical benefit<\/strong>: Standardized onboarding for each connector with less custom code.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Some connectors require interactive OAuth consent; service accounts and headless auth may not be available for all SaaS targets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Private connectivity options (VPC\/private endpoints and on-prem access)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Supports connecting to targets not exposed publicly\u2014either in a VPC or on-prem\u2014using private connectivity patterns and\/or an agent.<\/li>\n<li><strong>Why it matters<\/strong>: Many enterprise systems are private by design.<\/li>\n<li><strong>Practical benefit<\/strong>: Reduces need to expose databases to the public internet.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Setup can be non-trivial (subnets, firewall rules, DNS, routing). Follow the current official networking guide.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 Connection testing\/validation (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Allows basic connection checks from the service.<\/li>\n<li><strong>Why it matters<\/strong>: Early feedback avoids debugging failures inside complex integrations.<\/li>\n<li><strong>Practical benefit<\/strong>: Confirm credentials and network path before building full workflows.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: \u201cTest connection\u201d may validate connectivity\/auth but not every API permission or object-level access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 IAM integration for access control<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Uses Google Cloud IAM to control who can create, view, update, and use connections.<\/li>\n<li><strong>Why it matters<\/strong>: Connections often contain sensitive endpoints and credential references.<\/li>\n<li><strong>Practical benefit<\/strong>: Enforce separation of duties (platform team manages connections; app teams consume them).<\/li>\n<li><strong>Limitations\/caveats<\/strong>: IAM roles and permissions differ by action. Verify the current predefined roles for Integration Connectors in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Auditing via Cloud Audit Logs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Records administrative actions (and sometimes data access, depending on configuration and product) in audit logs.<\/li>\n<li><strong>Why it matters<\/strong>: Required for many compliance programs and incident investigations.<\/li>\n<li><strong>Practical benefit<\/strong>: Trace who changed a connection and when.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: Data access logging is not always enabled by default and can generate cost; validate log types in your environment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 Operational visibility (Logging\/Monitoring integration)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Surfaces runtime and error signals to Cloud Logging\/Monitoring (often via the orchestration product).<\/li>\n<li><strong>Why it matters<\/strong>: Integration failures must be observable and actionable.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster troubleshooting, alerting on failures, and SLO tracking.<\/li>\n<li><strong>Limitations\/caveats<\/strong>: The level of metrics\/logs can vary by connector and by runtime (for example, Application Integration vs custom invocation).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">7.1 High-level service architecture<\/h3>\n\n\n\n<p>Integration Connectors sits between your integration logic and your target systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane<\/strong>: You configure connectors\/connections (region, auth, network).<\/li>\n<li><strong>Data plane\/runtime<\/strong>: When invoked (commonly by Application Integration), the connector runtime uses the configured connection to call the target system.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.2 Request\/data\/control flow (typical)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>An integration flow (for example, in Application Integration) reaches a step that uses a connector.<\/li>\n<li>The integration runtime references a <strong>connection<\/strong> (regional resource) that includes endpoint\/auth\/networking settings.<\/li>\n<li>Integration Connectors establishes the appropriate network path:\n   &#8211; direct to public endpoint, or\n   &#8211; through private connectivity, or\n   &#8211; via an on-prem connectivity agent (outbound from your network).<\/li>\n<li>The connector runtime authenticates to the target and performs the requested operation (e.g., query records, create ticket, update object).<\/li>\n<li>Results and errors are returned to the integration runtime.<\/li>\n<li>Logs\/metrics\/audit events are emitted to Google Cloud observability services.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">7.3 Integrations with related services<\/h3>\n\n\n\n<p>Common surrounding services include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Application Integration<\/strong>: Builds orchestration flows that call connectors.<\/li>\n<li><strong>Secret Manager<\/strong>: Stores credentials for DB passwords, API keys, OAuth refresh tokens (patterns vary).<\/li>\n<li><strong>Cloud Logging \/ Monitoring<\/strong>: Operational insights and alerting.<\/li>\n<li><strong>VPC \/ Firewall rules \/ DNS<\/strong>: Required for private targets.<\/li>\n<li><strong>Cloud Audit Logs<\/strong>: Governance and compliance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.4 Dependency services<\/h3>\n\n\n\n<p>You should expect to enable one or more Google APIs, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Integration Connectors API (<code>connectors.googleapis.com<\/code>)  <\/li>\n<li>Application Integration API if you plan to orchestrate flows (<code>integrations.googleapis.com<\/code>)  <\/li>\n<li>Secret Manager API if you store secrets there (<code>secretmanager.googleapis.com<\/code>)<\/li>\n<\/ul>\n\n\n\n<p>Exact APIs and names should be confirmed in official docs for your workflow.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7.5 Security\/authentication model (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Admin\/auth to configure<\/strong>: IAM controls who can create\/update connections.<\/li>\n<li><strong>Runtime auth to target<\/strong>: The connection stores or references credentials (e.g., OAuth tokens, username\/password, API keys).<\/li>\n<li><strong>Google service identities<\/strong>: Some operations may use Google-managed service accounts or service agents. Ensure you understand which identity is used to access private networks or read secrets (verify per connector and per integration runtime).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.6 Networking model (conceptual)<\/h3>\n\n\n\n<p>Integration Connectors supports multiple connectivity patterns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Public endpoint<\/strong>: Connector runtime reaches public SaaS endpoints over the internet.<\/li>\n<li><strong>Private network targets in Google Cloud<\/strong>: Connection is associated with a VPC\/private connectivity mechanism so that the runtime can access private IPs.<\/li>\n<li><strong>On-prem targets<\/strong>: A connectivity agent installed in your environment creates an outbound connection enabling private reachability without inbound firewall exposure (verify current agent behavior and requirements in docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.7 Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and review <strong>Cloud Audit Logs<\/strong> for admin changes.<\/li>\n<li>Standardize logging and error handling in the orchestration layer (often Application Integration).<\/li>\n<li>Define ownership for each connection (labels\/tags, naming conventions, on-call rotations).<\/li>\n<li>Decide where secrets live and how they rotate.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.8 Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  A[Application Integration flow] --&gt;|uses connection| B[Integration Connectors]\n  B --&gt; C[SaaS app or Database]\n  B --&gt; D[Cloud Logging \/ Monitoring]\n  B --&gt; E[Cloud Audit Logs]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">7.9 Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Project[\"Google Cloud Project (Prod)\"]\n    AI[Application Integration\\n(Orchestrations)]\n    IC[Integration Connectors\\n(Regional Connections)]\n    SM[Secret Manager]\n    LOG[Cloud Logging]\n    MON[Cloud Monitoring]\n    AUD[Cloud Audit Logs]\n  end\n\n  subgraph VPC[\"VPC Network (Prod)\"]\n    PRIV[(Private Targets\\nCloud SQL \/ Internal APIs)]\n  end\n\n  subgraph OnPrem[\"On\u2011prem \/ Private DC\"]\n    AG[Connectivity Agent\\n(outbound)]\n    SYS[(On\u2011prem Systems\\nDB\/ERP)]\n  end\n\n  subgraph SaaS[\"Public SaaS\"]\n    SF[(SaaS Provider\\n(CRM\/ITSM\/etc.))]\n  end\n\n  AI --&gt;|invokes connector tasks| IC\n  IC --&gt;|reads secrets (if configured)| SM\n  IC --&gt;|private connectivity| PRIV\n  IC --&gt;|via agent| AG --&gt; SYS\n  IC --&gt;|public HTTPS| SF\n\n  AI --&gt; LOG\n  IC --&gt; LOG\n  AI --&gt; MON\n  IC --&gt; MON\n  IC --&gt; AUD\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/project requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Google Cloud account with a <strong>billing-enabled<\/strong> project.<\/li>\n<li>Ability to enable APIs in the project.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You need permissions to:\n&#8211; Enable APIs\n&#8211; Create and manage Integration Connectors connections\n&#8211; (Optional, for the lab) Create Cloud SQL instances, Secret Manager secrets, and Application Integration integrations<\/p>\n\n\n\n<p>Google provides predefined IAM roles for Integration Connectors (names can evolve). Use the official IAM page to confirm the minimal roles for:\n&#8211; connection administration\n&#8211; viewing connections\n&#8211; using connections in integrations<\/p>\n\n\n\n<p>Verify in official docs:<br\/>\nhttps:\/\/cloud.google.com\/integration-connectors\/docs (look for \u201cAccess control\u201d \/ IAM)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Integration Connectors is a billed service (pricing is usage-based).<\/li>\n<li>The hands-on lab also uses Cloud SQL, which has its own costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Google Cloud CLI (<code>gcloud<\/code>)<\/strong> installed locally, <em>or<\/em> use <strong>Cloud Shell<\/strong>.<\/li>\n<li>Cloud Shell already includes authenticated <code>gcloud<\/code>.<\/li>\n<li>A modern browser for Console workflows.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Integration Connectors is regional. Choose a region where:<\/li>\n<li>Integration Connectors is available<\/li>\n<li>Your chosen connector type is available<\/li>\n<li>Related services (Cloud SQL, Application Integration) are available<\/li>\n<\/ul>\n\n\n\n<p>Always verify current region support in official docs for each service.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Expect quotas such as:\n&#8211; number of connections per project\/region\n&#8211; API request quotas\n&#8211; possibly connector-specific limits<\/p>\n\n\n\n<p>Quotas change over time\u2014verify in the Google Cloud Console quota pages and official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (for the lab)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Integration Connectors API<\/li>\n<li>(Optional but recommended for a \u201creal\u201d end-to-end test) Application Integration API<\/li>\n<li>(Optional) Secret Manager API<\/li>\n<li>Cloud SQL Admin API (if using Cloud SQL)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<blockquote>\n<p>Do not treat this section as a quote. Always confirm current SKUs, unit pricing, and regional availability on official pages before committing to an architecture.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">9.1 Current pricing model (what to expect)<\/h3>\n\n\n\n<p>Integration Connectors pricing is typically <strong>usage-based<\/strong>. Common pricing dimensions for managed connector platforms include items such as:\n&#8211; Connector\/connection runtime usage (for example, time-based consumption)\n&#8211; Requests\/calls or operations (sometimes connector-specific)\n&#8211; Data processed (sometimes connector-specific)<\/p>\n\n\n\n<p>The exact dimensions and SKUs can vary by connector type and by Google Cloud\u2019s current billing model.<\/p>\n\n\n\n<p><strong>Official pricing page (verify current SKUs and units):<\/strong><br\/>\nhttps:\/\/cloud.google.com\/integration-connectors\/pricing<\/p>\n\n\n\n<p><strong>Pricing calculator:<\/strong><br\/>\nhttps:\/\/cloud.google.com\/products\/calculator<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.2 Free tier<\/h3>\n\n\n\n<p>If a free tier exists, it is usually limited and\/or time-bound. Verify on the official pricing page. Do not assume there is a free tier.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.3 Main cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Number of active connections and how they are used (depends on billing dimension)<\/li>\n<li>Frequency of integration runs and connector calls<\/li>\n<li>Data volume moved through connector operations (if billed)<\/li>\n<li>Additional services:<\/li>\n<li><strong>Application Integration<\/strong> execution costs (if used)<\/li>\n<li><strong>Cloud SQL<\/strong> instance + storage + backups (if used)<\/li>\n<li><strong>Secret Manager<\/strong> secret versions and access operations<\/li>\n<li>Logging volume in <strong>Cloud Logging<\/strong><\/li>\n<li>Network egress (especially to external SaaS over the internet)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.4 Hidden\/indirect costs to plan for<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Logging ingestion\/retention<\/strong>: Noisy integrations can generate substantial logs.<\/li>\n<li><strong>Network egress<\/strong>: Calls to external SaaS can incur egress charges depending on routing and location.<\/li>\n<li><strong>Cloud SQL<\/strong>: Even \u201csmall\u201d instances can cost more than the connector itself in a lab.<\/li>\n<li><strong>Operational overhead<\/strong>: On-prem connectivity agent hosts (VMs\/containers), patching, and monitoring.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.5 Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Calls to public SaaS endpoints can incur internet egress.<\/li>\n<li>Cross-region traffic (connector in one region calling targets in another) increases latency and can add network costs.<\/li>\n<li>For private targets, ensure you understand any private connectivity costs (for example, Private Service Connect, peering, or other networking components\u2014verify your chosen pattern in official docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.6 How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Place connections in the same region as the integration runtime and private targets.<\/li>\n<li>Reduce unnecessary polling; prefer event-driven patterns where feasible (often implemented outside Integration Connectors).<\/li>\n<li>Tune integration logic to avoid excessive connector calls (batch reads\/writes where supported).<\/li>\n<li>Control log verbosity and sampling (especially in production).<\/li>\n<li>Separate dev\/test from prod and tear down lab resources quickly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.7 Example low-cost starter estimate (directional)<\/h3>\n\n\n\n<p>A low-cost starter setup usually includes:\n&#8211; 1\u20132 connections in a single region\n&#8211; A small number of test runs per day\n&#8211; Minimal data volume<\/p>\n\n\n\n<p>Because Integration Connectors pricing is connector- and SKU-dependent, <strong>use the pricing calculator<\/strong> and select the appropriate Integration Connectors SKUs for your region and connector types. For labs, <strong>Cloud SQL typically dominates costs<\/strong>, so consider using the smallest supported configuration and deleting it immediately after validation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.8 Example production cost considerations<\/h3>\n\n\n\n<p>For production:\n&#8211; Estimate connector usage based on:\n  &#8211; integrations per day\/hour\n  &#8211; connector calls per integration\n  &#8211; data volume per call\n&#8211; Add:\n  &#8211; Application Integration execution cost model\n  &#8211; Cloud SQL HA\/storage\/backups costs (if databases are involved)\n  &#8211; Central logging\/monitoring at enterprise retention\n  &#8211; DR\/BCP approach (multi-region architecture may increase cost)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab builds a <strong>real<\/strong> private connectivity scenario: a managed database in Google Cloud and a reusable Integration Connectors connection. Then it validates connectivity. Optionally, you can invoke the connection from <strong>Application Integration<\/strong> to prove end-to-end behavior.<\/p>\n\n\n\n<p>Because connector catalogs and UI labels can change, use this tutorial as a guided path and cross-check the latest official docs for your chosen connector.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a <strong>private<\/strong> PostgreSQL database in <strong>Cloud SQL<\/strong>.<\/li>\n<li>Create a <strong>regional Integration Connectors connection<\/strong> to that database using private networking.<\/li>\n<li>Validate the connection.<\/li>\n<li>(Optional) Use <strong>Application Integration<\/strong> to execute a simple database operation through the connection.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will provision:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud SQL for PostgreSQL (private IP)<\/li>\n<li>VPC networking prerequisites (Private Service Access for Cloud SQL)<\/li>\n<li>A connection in Integration Connectors (PostgreSQL connector)<\/li>\n<li>Validation using built-in test (and optional Application Integration invocation)<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome:<\/strong> You end with a reusable, governed connection that your integration flows can reference without embedding DB credentials in code.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create or select a project and set variables<\/h3>\n\n\n\n<p>In Cloud Shell:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud auth list\ngcloud config list project\n<\/code><\/pre>\n\n\n\n<p>Set your project (replace <code>YOUR_PROJECT_ID<\/code>):<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"YOUR_PROJECT_ID\"\ngcloud config set project \"$PROJECT_ID\"\n<\/code><\/pre>\n\n\n\n<p>Choose a region (replace as needed; ensure Integration Connectors, Cloud SQL, and Application Integration are supported there):<\/p>\n\n\n\n<pre><code class=\"language-bash\">export REGION=\"us-central1\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>gcloud<\/code> targets the correct project and region.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Enable required APIs<\/h3>\n\n\n\n<p>Enable the APIs used in this lab:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable \\\n  connectors.googleapis.com \\\n  secretmanager.googleapis.com \\\n  sqladmin.googleapis.com\n<\/code><\/pre>\n\n\n\n<p>Optional (only if you do the optional Application Integration step later):<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable integrations.googleapis.com\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> APIs are enabled successfully.<\/p>\n\n\n\n<p><strong>Verify:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services list --enabled --filter=\"name:connectors.googleapis.com OR name:sqladmin.googleapis.com\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a VPC and set up Private Service Access (for Cloud SQL private IP)<\/h3>\n\n\n\n<p>If you already have a VPC strategy, use your existing network. For a lab, create a dedicated VPC:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export NETWORK=\"ic-lab-vpc\"\ngcloud compute networks create \"$NETWORK\" --subnet-mode=custom\n<\/code><\/pre>\n\n\n\n<p>Create a subnet in the same region:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export SUBNET=\"ic-lab-subnet\"\ngcloud compute networks subnets create \"$SUBNET\" \\\n  --network=\"$NETWORK\" \\\n  --region=\"$REGION\" \\\n  --range=\"10.10.0.0\/24\"\n<\/code><\/pre>\n\n\n\n<p>Reserve an IP range for Private Service Access (PSA) and connect it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PSA_RANGE=\"ic-lab-psa-range\"\ngcloud compute addresses create \"$PSA_RANGE\" \\\n  --global \\\n  --purpose=VPC_PEERING \\\n  --prefix-length=16 \\\n  --network=\"$NETWORK\"\n\ngcloud services vpc-peerings connect \\\n  --service=servicenetworking.googleapis.com \\\n  --network=\"$NETWORK\" \\\n  --ranges=\"$PSA_RANGE\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Your VPC is ready for Cloud SQL private IP.<\/p>\n\n\n\n<p><strong>Common error:<\/strong> If <code>servicenetworking.googleapis.com<\/code> isn\u2019t enabled, run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable servicenetworking.googleapis.com\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a private Cloud SQL for PostgreSQL instance<\/h3>\n\n\n\n<p>Create a Cloud SQL instance with private IP (choose the lowest-cost tier available in your region for a lab; tier names vary):<\/p>\n\n\n\n<pre><code class=\"language-bash\">export SQL_INSTANCE=\"ic-lab-pg\"\nexport DB_VERSION=\"POSTGRES_15\"   # Verify supported versions in your environment\nexport SQL_TIER=\"db-custom-1-3840\" # Pick a smaller tier if available to reduce cost\n\ngcloud sql instances create \"$SQL_INSTANCE\" \\\n  --database-version=\"$DB_VERSION\" \\\n  --region=\"$REGION\" \\\n  --network=\"projects\/$PROJECT_ID\/global\/networks\/$NETWORK\" \\\n  --no-assign-ip \\\n  --tier=\"$SQL_TIER\"\n<\/code><\/pre>\n\n\n\n<p>Notes:\n&#8211; <code>--no-assign-ip<\/code> requests <strong>private IP only<\/strong>.\n&#8211; If your org policy requires CMEK, private DNS, or other controls, adjust accordingly.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Cloud SQL instance is created with private IP.<\/p>\n\n\n\n<p><strong>Verify:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud sql instances describe \"$SQL_INSTANCE\" --format=\"value(ipAddresses)\"\n<\/code><\/pre>\n\n\n\n<p>You should see a private IP.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create a database and user, store password in Secret Manager<\/h3>\n\n\n\n<p>Create a database:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export DB_NAME=\"appdb\"\ngcloud sql databases create \"$DB_NAME\" --instance=\"$SQL_INSTANCE\"\n<\/code><\/pre>\n\n\n\n<p>Create a user and password (generate one):<\/p>\n\n\n\n<pre><code class=\"language-bash\">export DB_USER=\"appuser\"\nexport DB_PASS=\"$(openssl rand -base64 24 | tr -d '\\n')\"\ngcloud sql users create \"$DB_USER\" --instance=\"$SQL_INSTANCE\" --password=\"$DB_PASS\"\n<\/code><\/pre>\n\n\n\n<p>Store the password in Secret Manager:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export SECRET_ID=\"ic-lab-pg-password\"\nprintf \"%s\" \"$DB_PASS\" | gcloud secrets create \"$SECRET_ID\" --data-file=-\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have DB credentials and a secret stored in Secret Manager.<\/p>\n\n\n\n<p><strong>Verify:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud secrets describe \"$SECRET_ID\" --format=\"value(name)\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Allow the connector runtime to reach the private database (networking setup)<\/h3>\n\n\n\n<p>This is the step that varies the most across environments because Integration Connectors can use different private connectivity constructs depending on current product design and region.<\/p>\n\n\n\n<p>In general, you will do <strong>one<\/strong> of the following (use the approach recommended by the current official docs):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Associate Integration Connectors with your VPC\/subnet (private connectivity)<\/li>\n<li>Create an Integration Connectors <strong>endpoint attachment<\/strong> (if required by the product in your region) and bind the connection to it<\/li>\n<li>Use a connectivity agent if the target is on-prem (not needed for Cloud SQL in this lab)<\/li>\n<\/ul>\n\n\n\n<p><strong>Action (Console-guided, recommended for accuracy):<\/strong>\n1. Open Integration Connectors in the Console:<br\/>\n   https:\/\/console.cloud.google.com\/integration-connectors\n2. Select your project and region.\n3. Find the networking\/private connectivity setup guidance in the UI:\n   &#8211; Look for <strong>Endpoint attachment<\/strong>, <strong>Private connectivity<\/strong>, or <strong>Network configuration<\/strong>.\n4. Choose your lab VPC (<code>ic-lab-vpc<\/code>) and subnet (<code>ic-lab-subnet<\/code>) when prompted.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Integration Connectors has a private network path into your VPC so it can reach the Cloud SQL private IP.<\/p>\n\n\n\n<blockquote>\n<p>If you do not see any private networking option in the Console for your connector\/region, stop and check the latest networking documentation for Integration Connectors. Do not fall back to public IP for production; for a lab it can work, but it changes the security model significantly.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Create an Integration Connectors connection to PostgreSQL<\/h3>\n\n\n\n<p><strong>Console steps (most reliable because connector fields differ):<\/strong>\n1. Go to Integration Connectors \u2192 <strong>Connections<\/strong>.\n2. Click <strong>Create connection<\/strong>.\n3. Select:\n   &#8211; <strong>Region<\/strong>: the same region (<code>us-central1<\/code> or your chosen <code>REGION<\/code>)\n   &#8211; <strong>Connector<\/strong>: PostgreSQL (or \u201cPostgreSQL Database\u201d)\n   &#8211; <strong>Connector version<\/strong>: choose the latest available\n4. Provide connection details (field names vary):\n   &#8211; Host\/IP: the <strong>private IP<\/strong> of the Cloud SQL instance\n   &#8211; Port: <code>5432<\/code>\n   &#8211; Database: <code>appdb<\/code>\n   &#8211; Username: <code>appuser<\/code>\n   &#8211; Password: reference your Secret Manager secret if supported, or paste the password for the lab (Secret Manager is preferred)\n5. Under <strong>Network \/ Connectivity<\/strong>, select the private network option configured in Step 6 (VPC\/subnet or endpoint attachment).\n6. Save the connection.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> A new connection resource is created and shows a \u201cReady\/Active\u201d (or similar) state.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Use the connection\u2019s <strong>Test<\/strong> button (if available) to validate connectivity and credentials.\n&#8211; Confirm the test succeeds.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8 (Optional but recommended): Use Application Integration to run a simple query through the connection<\/h3>\n\n\n\n<p>This step proves that the connection is not only \u201creachable\u201d but also usable by an orchestration runtime.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open Application Integration:<br\/>\n   https:\/\/console.cloud.google.com\/application-integration<\/li>\n<li>Create a new integration in the same region.<\/li>\n<li>Add a step\/task that uses <strong>Integration Connectors<\/strong> (often called something like <strong>Connector task<\/strong>).<\/li>\n<li>Select your connection.<\/li>\n<li>Choose an operation appropriate for the PostgreSQL connector (examples vary by connector implementation):\n   &#8211; Execute a SQL statement\n   &#8211; Run a query\n   &#8211; Create\/read rows via an entity model<\/li>\n<\/ol>\n\n\n\n<p>If the UI supports executing SQL, use something simple that doesn\u2019t require schema first, such as:<\/p>\n\n\n\n<pre><code class=\"language-sql\">SELECT NOW();\n<\/code><\/pre>\n\n\n\n<p>Optionally, create a table and insert a record (only if your connector task supports multi-statement or sequential steps):<\/p>\n\n\n\n<pre><code class=\"language-sql\">CREATE TABLE IF NOT EXISTS hello_ic (\n  id SERIAL PRIMARY KEY,\n  msg TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n);\n\nINSERT INTO hello_ic (msg) VALUES ('hello from Integration Connectors');\nSELECT * FROM hello_ic ORDER BY id DESC LIMIT 5;\n<\/code><\/pre>\n\n\n\n<p>Run the integration.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> The integration run succeeds and returns query results (or completes without error). Logs show connector invocation.<\/p>\n\n\n\n<blockquote>\n<p>If your connector task does not support direct SQL execution, follow the connector\u2019s supported operations shown in the UI. Database connectors often expose a limited set of actions; do not assume full SQL support without verifying.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use at least two validation methods:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Integration Connectors connection test<\/strong>\n   &#8211; Confirm connection status is healthy and the test passes.<\/p>\n<\/li>\n<li>\n<p><strong>Database-side validation<\/strong>\n   &#8211; Connect to Cloud SQL via Cloud SQL Studio in Console (or <code>psql<\/code> via a secure method) and verify that:<\/p>\n<ul>\n<li>The database exists<\/li>\n<li>The user exists<\/li>\n<li>(If you ran inserts) the <code>hello_ic<\/code> table and rows exist<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>Cloud SQL Studio is available in the Cloud SQL Console for supported configurations; otherwise use your standard private connectivity method.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Below are common issues and what to check.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Connectivity test fails (timeout \/ cannot reach host)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm the Cloud SQL instance has a <strong>private IP<\/strong> and is in the expected VPC.<\/li>\n<li>Confirm Integration Connectors private networking configuration is correct (VPC\/subnet or endpoint attachment).<\/li>\n<li>Check firewall rules:<\/li>\n<li>Ensure traffic within your VPC to the Cloud SQL private IP on TCP 5432 is allowed.<\/li>\n<li>Confirm region alignment:<\/li>\n<li>Put the connection in the same region as the private connectivity configuration and close to the target.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Authentication fails (invalid password \/ login failed)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Verify user\/password.<\/li>\n<li>If using Secret Manager reference, ensure:<\/li>\n<li>The runtime identity has permission to access the secret (e.g., <code>secretmanager.versions.access<\/code>).<\/li>\n<li>You referenced the correct secret\/version.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Permission denied to create\/manage connections<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm IAM roles for Integration Connectors.<\/li>\n<li>Check org policies that restrict connector usage, external connectivity, or secret access.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Application Integration invocation fails, but connection test passes<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The connection may be valid, but the connector operation may require additional permissions or a different operation configuration.<\/li>\n<li>Check integration run logs in Cloud Logging.<\/li>\n<li>Verify the connector task\u2019s supported operations and required fields.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing costs, delete lab resources promptly.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Delete Application Integration artifacts (if created).<\/li>\n<li>Delete the Integration Connectors connection.<\/li>\n<li>Delete the Secret Manager secret:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">gcloud secrets delete \"$SECRET_ID\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\">\n<li>Delete Cloud SQL instance (major cost driver):<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">gcloud sql instances delete \"$SQL_INSTANCE\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"5\">\n<li>Delete VPC peering connection (optional cleanup) and network resources:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">gcloud services vpc-peerings delete \\\n  --service=servicenetworking.googleapis.com \\\n  --network=\"$NETWORK\"\n\ngcloud compute addresses delete \"$PSA_RANGE\" --global\ngcloud compute networks subnets delete \"$SUBNET\" --region=\"$REGION\"\ngcloud compute networks delete \"$NETWORK\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"6\">\n<li>(Optional) Disable APIs if this project is only for labs.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Separate connectivity from logic<\/strong>: Treat connections as shared platform resources; keep integrations environment-specific.<\/li>\n<li><strong>Use private connectivity for private data<\/strong>: Prefer private networking patterns for databases and internal services.<\/li>\n<li><strong>Regional alignment<\/strong>: Place connections near targets and integration runtimes to reduce latency and cross-region costs.<\/li>\n<li><strong>Design for failure<\/strong>: SaaS APIs fail (rate limits, timeouts). Ensure your integration logic handles retries and idempotency.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege<\/strong>:<\/li>\n<li>Separate roles for \u201cconnection admins\u201d vs \u201cintegration developers\u201d.<\/li>\n<li>Restrict who can view connection details and who can update credentials.<\/li>\n<li><strong>Separation of duties<\/strong>:<\/li>\n<li>Platform\/security team approves connections.<\/li>\n<li>App teams use approved connections.<\/li>\n<li><strong>Use Secret Manager<\/strong> where supported:<\/li>\n<li>Avoid embedding passwords\/API keys in integration definitions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minimize polling. If you must poll, increase intervals and use incremental queries.<\/li>\n<li>Reduce unnecessary connector calls by caching and batching.<\/li>\n<li>Control logs: keep production logs actionable; avoid logging large payloads.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep database targets close to the connector region.<\/li>\n<li>Avoid chatty designs (many small calls).<\/li>\n<li>Use pagination and filters when reading from SaaS systems.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement:<\/li>\n<li>retries with backoff (usually in the orchestration layer)<\/li>\n<li>dead-letter handling (capture failures for replay)<\/li>\n<li>idempotent writes to avoid duplicates<\/li>\n<li>Run chaos-style failure tests (simulate SaaS outages, credential rotation).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize naming:<\/li>\n<li><code>env-system-purpose-region<\/code> (e.g., <code>prod-salesforce-crm-uscentral1<\/code>)<\/li>\n<li>Add labels\/tags for cost allocation and ownership (team, app, environment).<\/li>\n<li>Document:<\/li>\n<li>connection owner<\/li>\n<li>credential rotation schedule<\/li>\n<li>contact for SaaS system<\/li>\n<li>Build runbooks for the top 5 failure modes (auth failures, rate limits, network, schema changes, expired tokens).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use separate projects for dev\/test\/prod.<\/li>\n<li>Use org policy constraints where applicable (external IP access, allowed services).<\/li>\n<li>Review audit logs regularly for sensitive configuration changes.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM controls<\/strong> who can create\/update\/delete connections and who can view them.<\/li>\n<li>In many organizations, the biggest risk is overly broad roles that let developers view credentials or repoint production connections.<\/li>\n<\/ul>\n\n\n\n<p>Recommendations:\n&#8211; Grant connection admin rights only to a small platform group.\n&#8211; Give developers viewer\/use permissions only.\n&#8211; Use separate service accounts for integration runtimes where possible.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud encrypts data at rest and in transit by default for managed services.<\/li>\n<li>For the connection to the target system:<\/li>\n<li>Prefer TLS\/SSL for database connectors (PostgreSQL over SSL) where supported.<\/li>\n<li>Use HTTPS endpoints for SaaS.<\/li>\n<li>If customer-managed encryption keys (CMEK) are required, verify whether Integration Connectors supports CMEK for your resources (do not assume).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid exposing databases via public IP to make integration easier.<\/li>\n<li>Prefer:<\/li>\n<li>private IP targets<\/li>\n<li>private connectivity mechanisms<\/li>\n<li>outbound-only on-prem connectivity via agent (where appropriate)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer Secret Manager references when supported.<\/li>\n<li>Rotate credentials regularly and test rotation in non-prod first.<\/li>\n<li>Avoid copying secrets into integration definitions, code repos, or tickets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and retain:<\/li>\n<li>Admin activity logs for Integration Connectors<\/li>\n<li>Integration runtime logs (Application Integration runs)<\/li>\n<li>Be careful about logging payloads that contain PII\/PHI.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data residency: choose connector regions appropriately.<\/li>\n<li>Least privilege + audit logs are common compliance requirements.<\/li>\n<li>If handling regulated data (PCI, HIPAA, etc.), validate:<\/li>\n<li>connector path<\/li>\n<li>storage\/logging behavior<\/li>\n<li>third-party processor requirements<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sharing one production connection across dev\/test integrations.<\/li>\n<li>Storing DB passwords in plain text configs.<\/li>\n<li>Using public IP connectivity for sensitive databases.<\/li>\n<li>Over-permissioning users to \u201cfix things quickly\u201d.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use separate projects and separate connections per environment.<\/li>\n<li>Centralize secrets, rotate them, and restrict access.<\/li>\n<li>Prefer private connectivity.<\/li>\n<li>Document ownership and incident response paths.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>These are common real-world constraints; confirm exact limits in official docs and quotas for your project\/region.<\/p>\n<\/blockquote>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Connector availability varies<\/strong> by region and by connector version.<\/li>\n<li><strong>Not every system is supported<\/strong>: If your target isn\u2019t in the connector catalog, you\u2019ll need alternatives.<\/li>\n<li><strong>Operation coverage varies<\/strong>: A connector may support only certain objects\/actions; don\u2019t assume full API coverage.<\/li>\n<li><strong>Private connectivity setup is the hardest part<\/strong>:<\/li>\n<li>DNS, firewall, routing, and subnet planning can block connectivity.<\/li>\n<li><strong>Credential rotation can break flows<\/strong> if integrations cache tokens or if OAuth consent expires\u2014test rotation procedures.<\/li>\n<li><strong>Rate limits<\/strong> (SaaS-side) are common and can cause intermittent failures.<\/li>\n<li><strong>Logging can get expensive<\/strong> if you log full payloads or run high-frequency syncs.<\/li>\n<li><strong>Environment drift<\/strong>: A connection might point to a sandbox in dev but production in prod\u2014enforce naming and projects to prevent mistakes.<\/li>\n<li><strong>Schema\/object changes<\/strong> in SaaS can break integrations unexpectedly.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Integration Connectors is not the only way to integrate systems. Here are practical comparisons.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Options to consider<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Application Integration (Google Cloud)<\/strong>: Orchestration\/runtime for integration flows; often uses Integration Connectors for connectivity.<\/li>\n<li><strong>Workflows (Google Cloud)<\/strong>: Lightweight orchestration with HTTP calls and Google API integrations; may be simpler when you don\u2019t need managed enterprise connectors.<\/li>\n<li><strong>Apigee (Google Cloud)<\/strong>: API management and gateway; best for publishing and securing APIs, not for \u201cpull\/push data sync\u201d workflows.<\/li>\n<li><strong>Custom code on Cloud Run\/Functions<\/strong>: Full control; higher maintenance.<\/li>\n<li><strong>Third-party iPaaS<\/strong>: MuleSoft, Boomi, etc.; strong catalogs and governance, but different cost and operational models.<\/li>\n<li><strong>Other clouds\u2019 connector services<\/strong>: AWS AppFlow, Azure Logic Apps connectors, etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Integration Connectors (Google Cloud)<\/strong><\/td>\n<td>Managed connectivity to SaaS\/enterprise systems used by integrations<\/td>\n<td>Centralized connections, IAM governance, private\/on-prem connectivity patterns<\/td>\n<td>Connector coverage varies; networking setup can be complex; pricing depends on usage\/SKUs<\/td>\n<td>You need standardized, reusable managed connections in Google Cloud<\/td>\n<\/tr>\n<tr>\n<td><strong>Application Integration (Google Cloud)<\/strong><\/td>\n<td>Orchestrating multi-step integration flows<\/td>\n<td>Visual design, error handling, integration lifecycle<\/td>\n<td>Not a pure connectivity product; you still need connections<\/td>\n<td>You need orchestration and want to use Integration Connectors for endpoints<\/td>\n<\/tr>\n<tr>\n<td><strong>Workflows (Google Cloud)<\/strong><\/td>\n<td>Orchestrating HTTP-based APIs and Google APIs<\/td>\n<td>Simple, code-defined workflows, low ops<\/td>\n<td>Not a replacement for enterprise connectors; auth\/networking may require more manual setup<\/td>\n<td>Your targets are primarily HTTP APIs and you can manage auth yourself<\/td>\n<\/tr>\n<tr>\n<td><strong>Apigee (Google Cloud)<\/strong><\/td>\n<td>Publishing and managing APIs<\/td>\n<td>Policies, security, quotas, developer portal<\/td>\n<td>Not designed for internal ETL-style sync flows<\/td>\n<td>You need an API gateway and API productization<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloud Run + SDKs (custom)<\/strong><\/td>\n<td>Custom integrations, unsupported targets<\/td>\n<td>Maximum flexibility, any protocol\/library<\/td>\n<td>You own auth, retries, scaling, patching, secrets, compliance evidence<\/td>\n<td>You need custom behavior or unsupported connectors and accept operational overhead<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS AppFlow (AWS)<\/strong><\/td>\n<td>SaaS-to-AWS service data flows<\/td>\n<td>Tight AWS integration, managed flows<\/td>\n<td>Cloud\/provider lock-in; not Google Cloud<\/td>\n<td>You\u2019re primarily on AWS and need AppFlow-supported sources\/targets<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Logic Apps (Azure)<\/strong><\/td>\n<td>Workflow automation with many connectors<\/td>\n<td>Large connector ecosystem, enterprise workflow<\/td>\n<td>Different governance model; not Google Cloud<\/td>\n<td>You\u2019re primarily on Azure and want Logic Apps\u2019 ecosystem<\/td>\n<\/tr>\n<tr>\n<td><strong>MuleSoft\/Boomi (iPaaS)<\/strong><\/td>\n<td>Enterprise integration at scale across clouds<\/td>\n<td>Mature iPaaS capabilities, large connector catalogs<\/td>\n<td>Licensing cost, platform complexity<\/td>\n<td>You need a full iPaaS with advanced mapping\/governance and budget for it<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Hybrid ITSM + on-prem + SaaS integrations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A large enterprise needs to automate incident enrichment. ServiceNow tickets must be enriched with service metadata stored in an on-prem CMDB database, and updates must be sent to a SaaS status page system. Requirements include private connectivity, audit logs, and separation of duties.<\/li>\n<li><strong>Proposed architecture<\/strong>:<\/li>\n<li>Application Integration orchestrates the workflow:\n    1) Trigger on new\/updated ticket<br\/>\n    2) Use Integration Connectors connection to ServiceNow to fetch ticket details<br\/>\n    3) Use Integration Connectors (via on-prem connectivity agent) to query CMDB<br\/>\n    4) Update ServiceNow and notify status page system  <\/li>\n<li>Secret Manager stores credentials; IAM restricts access.<\/li>\n<li>Central logging\/monitoring with alerts on failure rates.<\/li>\n<li><strong>Why Integration Connectors<\/strong>:<\/li>\n<li>Provides managed connections and private\/on-prem access patterns.<\/li>\n<li>Enables consistent governance across multiple integration teams.<\/li>\n<li><strong>Expected outcomes<\/strong>:<\/li>\n<li>Reduced mean time to enrich tickets<\/li>\n<li>Standardized security posture and auditability<\/li>\n<li>Lower maintenance versus custom connector services<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: Lightweight CRM and billing synchronization<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A startup needs to sync customer lifecycle events between a CRM and a billing platform, with minimal platform engineering overhead.<\/li>\n<li><strong>Proposed architecture<\/strong>:<\/li>\n<li>A small set of Integration Connectors connections to the CRM and billing system.<\/li>\n<li>Application Integration handles orchestration and retries.<\/li>\n<li>Basic monitoring and Slack\/email notifications for failures (via supported connectors or HTTP calls depending on their stack).<\/li>\n<li><strong>Why Integration Connectors<\/strong>:<\/li>\n<li>Avoids building and operating custom integrations.<\/li>\n<li>Central place to manage credentials and endpoint configuration as the team scales.<\/li>\n<li><strong>Expected outcomes<\/strong>:<\/li>\n<li>Faster iteration on integration flows<\/li>\n<li>Reduced operational overhead<\/li>\n<li>Cleaner separation between dev and prod via projects and connections<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is Integration Connectors the same as Application Integration?<\/strong><br\/>\n   No. Integration Connectors provides managed connectivity and reusable connection configurations. Application Integration is an orchestration\/runtime product that can <em>use<\/em> those connections to implement end-to-end workflows.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need to write code to use Integration Connectors?<\/strong><br\/>\n   Often no\u2014if you use Application Integration. If you want to invoke connectors from custom code, you\u2019ll typically use APIs or supported integration runtimes. Verify the recommended invocation methods in official docs for your use case.<\/p>\n<\/li>\n<li>\n<p><strong>Are connections global resources?<\/strong><br\/>\n   Connections are typically <strong>regional<\/strong> and <strong>project-scoped<\/strong>. Choose a region close to your integration runtime and targets.<\/p>\n<\/li>\n<li>\n<p><strong>Can I connect to on-prem systems securely?<\/strong><br\/>\n   Yes, using private connectivity options and\/or a connectivity agent for on-prem access. Confirm the current recommended architecture and agent requirements in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Do I have to store credentials in Secret Manager?<\/strong><br\/>\n   Not always, but it\u2019s a recommended pattern where supported. Some connectors manage OAuth tokens or store credentials in managed connection configs. Use Secret Manager when you can for rotation and access control.<\/p>\n<\/li>\n<li>\n<p><strong>How do I rotate credentials without breaking integrations?<\/strong><br\/>\n   Use a controlled rotation procedure:\n   &#8211; Rotate in non-prod first\n   &#8211; Update Secret Manager secret version (or connection credentials)\n   &#8211; Validate connection test\n   &#8211; Run a canary integration\n   Then promote to production.<\/p>\n<\/li>\n<li>\n<p><strong>Can multiple integrations share a single connection?<\/strong><br\/>\n   Yes, and that\u2019s a common design. Use IAM and environment separation to avoid accidental production usage from dev.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the biggest operational risk?<\/strong><br\/>\n   Networking and credentials. Private connectivity misconfiguration and expired\/rotated credentials are top causes of outages.<\/p>\n<\/li>\n<li>\n<p><strong>How do I troubleshoot failures?<\/strong><br\/>\n   Check:\n   &#8211; Integration runtime logs (for example, Application Integration run logs)\n   &#8211; Connection health\/test\n   &#8211; Cloud Audit Logs for recent changes\n   &#8211; Target system logs (SaaS audit logs, DB logs)\n   &#8211; Rate limiting and quotas<\/p>\n<\/li>\n<li>\n<p><strong>Does Integration Connectors support event-driven triggers?<\/strong><br\/>\n   Integration Connectors is primarily about connectivity. Event triggers are usually handled by orchestration\/eventing products (Application Integration triggers, Pub\/Sub, Eventarc, etc.). Verify the current eventing features in the integration product you use.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use Integration Connectors to connect to Cloud SQL?<\/strong><br\/>\n   Commonly yes via database connectors and private networking. The exact recommended setup (private connectivity mechanisms, connector selection) should be verified in current docs.<\/p>\n<\/li>\n<li>\n<p><strong>Is public internet connectivity safe for production?<\/strong><br\/>\n   It can be safe when using TLS and strong auth, but many enterprises prefer private connectivity for databases and sensitive endpoints. Follow your security requirements.<\/p>\n<\/li>\n<li>\n<p><strong>How do I control who can use a connection?<\/strong><br\/>\n   Use IAM on the connection resource (or at the project level) and keep production connections in production projects with restricted access.<\/p>\n<\/li>\n<li>\n<p><strong>How do I estimate costs?<\/strong><br\/>\n   Use the official pricing page and the Google Cloud Pricing Calculator. Include the costs of integration executions, logging, database, and network egress.<\/p>\n<\/li>\n<li>\n<p><strong>What happens if a SaaS API changes?<\/strong><br\/>\n   Integrations can break due to schema\/object changes or deprecated endpoints. Maintain versioned integration tests and monitor vendor release notes.<\/p>\n<\/li>\n<li>\n<p><strong>Can I deploy the same connection configuration across environments?<\/strong><br\/>\n   Prefer separate connections per environment (dev\/test\/prod) and separate projects. Use infrastructure-as-code where supported (verify current IaC support for Integration Connectors resources).<\/p>\n<\/li>\n<li>\n<p><strong>Does Integration Connectors provide SLAs?<\/strong><br\/>\n   Google Cloud SLAs vary by product and SKU. Check the official SLA documentation for Integration Connectors (verify in official docs).<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Integration Connectors<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Integration Connectors Docs \u2014 https:\/\/cloud.google.com\/integration-connectors\/docs<\/td>\n<td>Primary source for concepts, setup steps, networking, IAM, and connector references<\/td>\n<\/tr>\n<tr>\n<td>Official product page<\/td>\n<td>Integration Connectors Overview \u2014 https:\/\/cloud.google.com\/integration-connectors<\/td>\n<td>High-level capabilities and positioning in Google Cloud integration portfolio<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Integration Connectors Pricing \u2014 https:\/\/cloud.google.com\/integration-connectors\/pricing<\/td>\n<td>Current SKUs and billing dimensions (verify per region\/connector)<\/td>\n<\/tr>\n<tr>\n<td>Pricing tool<\/td>\n<td>Google Cloud Pricing Calculator \u2014 https:\/\/cloud.google.com\/products\/calculator<\/td>\n<td>Build estimates including related services (logging, networking, Cloud SQL, etc.)<\/td>\n<\/tr>\n<tr>\n<td>Related service docs<\/td>\n<td>Application Integration Docs \u2014 https:\/\/cloud.google.com\/application-integration\/docs<\/td>\n<td>Shows how connections are typically used in real integration flows<\/td>\n<\/tr>\n<tr>\n<td>Observability<\/td>\n<td>Cloud Logging \u2014 https:\/\/cloud.google.com\/logging\/docs<\/td>\n<td>Troubleshooting and operational monitoring patterns<\/td>\n<\/tr>\n<tr>\n<td>Security<\/td>\n<td>Cloud IAM \u2014 https:\/\/cloud.google.com\/iam\/docs<\/td>\n<td>Design least-privilege roles and separation of duties<\/td>\n<\/tr>\n<tr>\n<td>Secrets<\/td>\n<td>Secret Manager \u2014 https:\/\/cloud.google.com\/secret-manager\/docs<\/td>\n<td>Recommended patterns for secret storage and rotation<\/td>\n<\/tr>\n<tr>\n<td>Labs<\/td>\n<td>Google Cloud Skills Boost \u2014 https:\/\/www.cloudskillsboost.google<\/td>\n<td>Hands-on labs; search for Integration Connectors \/ Application Integration content<\/td>\n<\/tr>\n<tr>\n<td>Architecture<\/td>\n<td>Google Cloud Architecture Center \u2014 https:\/\/cloud.google.com\/architecture<\/td>\n<td>Reference architectures for integration, hybrid connectivity, and governance patterns<\/td>\n<\/tr>\n<tr>\n<td>Updates<\/td>\n<td>Google Cloud release notes (product pages) \u2014 https:\/\/cloud.google.com\/release-notes<\/td>\n<td>Track connector and platform changes over time (search within release notes)<\/td>\n<\/tr>\n<tr>\n<td>Samples<\/td>\n<td>GoogleCloudPlatform GitHub org \u2014 https:\/\/github.com\/GoogleCloudPlatform<\/td>\n<td>Search for official samples related to integration\/connectors (verify repo relevance)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, platform teams, cloud engineers<\/td>\n<td>Cloud DevOps practices, CI\/CD, SRE-aligned operations; may include Google Cloud topics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate DevOps learners<\/td>\n<td>DevOps fundamentals, tooling, and hands-on practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations practitioners<\/td>\n<td>Cloud operations, automation, monitoring, reliability practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, operations teams, architects<\/td>\n<td>SRE principles, observability, incident management, reliability engineering<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops and platform teams exploring AIOps<\/td>\n<td>AIOps concepts, monitoring analytics, automation for operations<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify current offerings)<\/td>\n<td>Engineers seeking practical training<\/td>\n<td>https:\/\/www.rajeshkumar.xyz<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training and coaching (verify current offerings)<\/td>\n<td>Individuals and teams<\/td>\n<td>https:\/\/www.devopstrainer.in<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps guidance and services (verify current offerings)<\/td>\n<td>Small teams needing targeted help<\/td>\n<td>https:\/\/www.devopsfreelancer.com<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support\/training resources (verify current offerings)<\/td>\n<td>Operations teams and learners<\/td>\n<td>https:\/\/www.devopssupport.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify current portfolio)<\/td>\n<td>Platform engineering, automation, operations<\/td>\n<td>Integration platform setup, IAM and networking reviews, CI\/CD for integrations<\/td>\n<td>https:\/\/www.cotocus.com<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training<\/td>\n<td>Delivery enablement, DevOps processes, cloud adoption<\/td>\n<td>Standardizing deployment pipelines, reliability practices for integration workloads<\/td>\n<td>https:\/\/www.devopsschool.com<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify current services)<\/td>\n<td>DevOps transformation and support<\/td>\n<td>Operational readiness, monitoring\/alerting design, cost optimization reviews<\/td>\n<td>https:\/\/www.devopsconsulting.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Integration Connectors<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud fundamentals:<\/li>\n<li>projects, IAM, service accounts<\/li>\n<li>regions\/zones<\/li>\n<li>billing and quotas<\/li>\n<li>Networking:<\/li>\n<li>VPC, subnets, firewall rules<\/li>\n<li>private access patterns (Private Service Access, Private Service Connect concepts)<\/li>\n<li>Security basics:<\/li>\n<li>Secret Manager<\/li>\n<li>audit logs<\/li>\n<li>least-privilege IAM design<\/li>\n<li>API basics:<\/li>\n<li>REST concepts, auth types (OAuth2, API keys, basic auth)<\/li>\n<li>Integration fundamentals:<\/li>\n<li>idempotency, retries\/backoff, dead-letter patterns<\/li>\n<li>data mapping and schema evolution<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Integration Connectors<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Application Integration<\/strong> for building robust orchestrations<\/li>\n<li><strong>Workflows<\/strong> for lightweight automation<\/li>\n<li><strong>Apigee<\/strong> for API productization and governance<\/li>\n<li>Observability engineering:<\/li>\n<li>logs-based metrics<\/li>\n<li>SLOs for integrations<\/li>\n<li>alerting and runbooks<\/li>\n<li>Security engineering for integration platforms:<\/li>\n<li>secrets rotation automation<\/li>\n<li>org policies and guardrails<\/li>\n<li>compliance evidence collection<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud engineer \/ platform engineer<\/li>\n<li>Integration engineer \/ enterprise integration architect<\/li>\n<li>DevOps engineer \/ SRE (supporting integration platforms)<\/li>\n<li>Security engineer (reviewing identity, secrets, networking)<\/li>\n<li>Solutions architect<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Google Cloud certifications don\u2019t typically certify a single product like Integration Connectors, but relevant certifications include:\n&#8211; Professional Cloud Architect\n&#8211; Professional Cloud Developer\n&#8211; Professional Cloud DevOps Engineer<\/p>\n\n\n\n<p>Use Integration Connectors knowledge as part of broader integration and application development competency.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a \u201ccustomer sync\u201d integration:<\/li>\n<li>Source: CRM connector<\/li>\n<li>Target: PostgreSQL connector<\/li>\n<li>Include retries, deduplication, and alerting<\/li>\n<li>Implement a \u201cticket enrichment\u201d workflow:<\/li>\n<li>Source: ITSM connector<\/li>\n<li>Enrich from an internal DB<\/li>\n<li>Update ticket + notify<\/li>\n<li>Create an environment promotion workflow:<\/li>\n<li>Dev connection \u2192 test connection \u2192 prod connection<\/li>\n<li>Use separate projects and strict IAM boundaries<\/li>\n<li>Build a cost dashboard:<\/li>\n<li>Track integration executions, connector calls, and logging volume<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Connector<\/strong>: A managed integration adapter that knows how to communicate with a specific system (SaaS or data source).<\/li>\n<li><strong>Connection<\/strong>: A regional configuration resource that binds a connector to a specific endpoint + credentials + networking setup.<\/li>\n<li><strong>Control plane<\/strong>: The configuration layer (creating\/updating connections, IAM).<\/li>\n<li><strong>Data plane<\/strong>: The runtime execution path where connector calls actually reach the target systems.<\/li>\n<li><strong>Private connectivity<\/strong>: Networking that allows access to private IP resources without exposing them publicly.<\/li>\n<li><strong>Private Service Access (PSA)<\/strong>: A VPC peering-based method used by some managed services (like Cloud SQL private IP) to connect to your VPC.<\/li>\n<li><strong>Endpoint attachment<\/strong>: A private connectivity construct sometimes used by managed services to attach to a VPC (verify current Integration Connectors terminology and setup).<\/li>\n<li><strong>Connectivity agent<\/strong>: An agent-based approach enabling outbound connectivity from on-prem\/private networks to Google-managed services (verify current name and requirements).<\/li>\n<li><strong>IAM (Identity and Access Management)<\/strong>: Google Cloud\u2019s access control system for users, groups, and service accounts.<\/li>\n<li><strong>Secret Manager<\/strong>: Google Cloud service for storing, versioning, and accessing secrets like passwords and API keys.<\/li>\n<li><strong>OAuth 2.0<\/strong>: Authorization framework commonly used by SaaS APIs.<\/li>\n<li><strong>Idempotency<\/strong>: Designing operations so repeating them does not create unintended side effects (critical for retries).<\/li>\n<li><strong>Rate limiting<\/strong>: SaaS APIs often limit request rates; integrations must handle throttling.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Integration Connectors in <strong>Google Cloud<\/strong> is a managed connectivity service for <strong>application development<\/strong> and enterprise integration. It provides prebuilt connectors and reusable <strong>connection<\/strong> resources that standardize endpoint configuration, authentication, and networking (including private and hybrid connectivity patterns).<\/p>\n\n\n\n<p>It matters because it reduces the time and risk of building custom connectors, improves operational consistency through IAM and audit logs, and supports real enterprise needs like private connectivity and credential governance.<\/p>\n\n\n\n<p>From a cost perspective, your main drivers are connector usage (per the current pricing SKUs), integration execution frequency, logging volume, and network egress\u2014plus indirect costs such as Cloud SQL when databases are involved. From a security perspective, focus on least-privilege IAM, secret management\/rotation, and private connectivity.<\/p>\n\n\n\n<p>Use Integration Connectors when you need governed, reusable connectivity to external systems as part of a broader integration platform (often with Application Integration). For simpler HTTP-only tasks, consider Workflows or custom code. Next, deepen your skills by building a production-grade integration with retries, idempotency, alerting, and environment isolation\u2014and validate everything against the latest official docs and pricing pages.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Application development<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[54,51],"tags":[],"class_list":["post-608","post","type-post","status-publish","format-standard","hentry","category-application-development","category-google-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=608"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/608\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}