{"id":656,"date":"2026-04-14T22:10:30","date_gmt":"2026-04-14T22:10:30","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-datastream-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-data-analytics-and-pipelines\/"},"modified":"2026-04-14T22:10:30","modified_gmt":"2026-04-14T22:10:30","slug":"google-cloud-datastream-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-data-analytics-and-pipelines","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-datastream-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-data-analytics-and-pipelines\/","title":{"rendered":"Google Cloud Datastream Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Data analytics and pipelines"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Data analytics and pipelines<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Datastream is a managed change data capture (CDC) and replication service on Google Cloud<\/strong>. It continuously captures changes from supported source databases (for example, PostgreSQL, MySQL, and Oracle) and delivers them to analytics destinations such as BigQuery<\/strong> or to Cloud Storage<\/strong> for downstream processing.<\/p>\n\n\n\n

In simple terms: Datastream helps you keep a near-real-time copy of your operational database changes flowing into your analytics platform, without you having to run and maintain your own CDC tooling, connectors, or Kafka infrastructure.<\/p>\n\n\n\n

Technically, Datastream establishes a secure connection to a source database, performs an optional initial backfill<\/strong> (historical snapshot), then continuously reads database logs (CDC) to emit insert\/update\/delete changes into a destination. You manage connection profiles<\/strong> and streams<\/strong> as regional resources, and Google Cloud operates the underlying CDC pipeline and scaling.<\/p>\n\n\n\n

Datastream solves a common problem in Data analytics and pipelines<\/strong>: getting reliable, low-ops, incremental data movement from transactional systems into analytics systems with predictable latency, strong observability, and fewer moving parts than self-managed replication stacks.<\/p>\n\n\n\n

2. What is Datastream?<\/h2>\n\n\n\n

Official purpose (what it\u2019s for)<\/strong>\nDatastream is Google Cloud\u2019s managed service for database replication and change data capture<\/strong> into Google Cloud destinations\u2014most commonly BigQuery<\/strong> for analytics and Cloud Storage<\/strong> for building data lakes and downstream pipelines. (Always confirm the latest supported sources\/destinations in the official docs, as support expands over time.)<\/p>\n\n\n\n

Core capabilities<\/strong>\n– Initial backfill<\/strong> of selected schemas\/tables (a consistent snapshot, subject to source engine capabilities and configuration).\n– Continuous CDC<\/strong> (capturing ongoing changes using database log mechanisms).\n– Object selection<\/strong> so you can choose which databases\/schemas\/tables to replicate.\n– Managed connectivity<\/strong> options for public or private networking (private is recommended for production).\n– Operational visibility<\/strong> into stream status, throughput\/latency metrics, and errors via Google Cloud observability tools.<\/p>\n\n\n\n

Major components<\/strong>\n– Connection profiles<\/strong>: Define how Datastream connects to a source<\/em> (database credentials, host, port, SSL settings) or a destination<\/em> (for example, BigQuery or Cloud Storage).\n– Streams<\/strong>: Define the replication job\u2014source profile + destination profile + selection rules + backfill settings + runtime state.\n– Private connectivity resources<\/strong> (if used): Datastream-managed private networking constructs that allow access to sources on private IPs (for example in a VPC or on-prem via VPN\/Interconnect). Exact terminology and setup steps can vary\u2014verify in official docs.<\/p>\n\n\n\n

Service type<\/strong>\n– Fully managed data replication \/ CDC<\/strong> service (control-plane managed by you, data-plane operated by Google Cloud).<\/p>\n\n\n\n

Scope and geography<\/strong>\n– Datastream resources (such as streams and connection profiles) are typically regional<\/strong> and belong to a Google Cloud project<\/strong>. You choose a region for Datastream, and you generally place sources\/destinations and networking close to that region for latency and cost reasons.\n Verify the exact regional availability and resource scoping in: https:\/\/cloud.google.com\/datastream\/docs\/locations<\/p>\n\n\n\n

How it fits into the Google Cloud ecosystem<\/strong>\nDatastream often sits between:\n– Operational databases<\/strong> (Cloud SQL, self-managed databases on Compute Engine, or on-prem databases reachable via Cloud VPN\/Interconnect)\nand\n– Analytics and storage destinations<\/strong> (BigQuery and Cloud Storage), where you can then use Dataflow<\/strong>, Dataproc<\/strong>, BigQuery SQL<\/strong>, or Dataplex<\/strong>\/governance tooling to build end-to-end pipelines.<\/p>\n\n\n\n

3. Why use Datastream?<\/h2>\n\n\n\n

Business reasons<\/h3>\n\n\n\n
    \n
  • Faster analytics<\/strong>: Get operational data into BigQuery with lower latency than batch exports.<\/li>\n
  • Lower engineering effort<\/strong>: Reduce the need to build and maintain custom CDC pipelines.<\/li>\n
  • Better data timeliness for decisions<\/strong>: Near-real-time dashboards and operational reporting.<\/li>\n<\/ul>\n\n\n\n

    Technical reasons<\/h3>\n\n\n\n
      \n
    • Managed CDC<\/strong> avoids running Debezium\/Kafka Connect clusters or homegrown log parsers.<\/li>\n
    • Backfill + CDC in one service<\/strong> reduces multi-tool complexity.<\/li>\n
    • Destination alignment with Google Cloud analytics<\/strong> (BigQuery and Cloud Storage) streamlines architectures.<\/li>\n<\/ul>\n\n\n\n

      Operational reasons<\/h3>\n\n\n\n
        \n
      • Less infrastructure to patch and scale<\/strong> compared to self-managed connectors.<\/li>\n
      • Centralized monitoring and logging<\/strong> via Cloud Monitoring and Cloud Logging.<\/li>\n
      • Declarative configuration<\/strong> (streams\/profiles) encourages repeatability.<\/li>\n<\/ul>\n\n\n\n

        Security\/compliance reasons<\/h3>\n\n\n\n
          \n
        • Supports private networking patterns (recommended) to avoid exposing databases publicly.<\/li>\n
        • Integrates with Google Cloud IAM, audit logs, and (depending on destination) encryption controls.<\/li>\n
        • Helps implement \u201cleast privilege\u201d by using dedicated database users and scoped BigQuery permissions.<\/li>\n<\/ul>\n\n\n\n

          Scalability\/performance reasons<\/h3>\n\n\n\n
            \n
          • Designed to handle continuous change volumes without you provisioning ingestion clusters.<\/li>\n
          • Scales operationally as a managed service (though you still must plan for source database impact and destination ingestion costs\/limits).<\/li>\n<\/ul>\n\n\n\n

            When teams should choose Datastream<\/h3>\n\n\n\n

            Choose Datastream if you need:\n– CDC from supported relational sources into BigQuery\/Cloud Storage\n– A managed replication service with operational simplicity\n– A pattern that fits Google Cloud-native analytics and governance<\/p>\n\n\n\n

            When teams should not choose Datastream<\/h3>\n\n\n\n

            Avoid (or reconsider) Datastream if:\n– Your source engine\/version isn\u2019t supported.\n– You need a destination not supported (for example, direct Kafka topics or arbitrary HTTP sinks). You may need Cloud Storage + Dataflow or a different tool.\n– You require complex transformations inline during capture (Datastream is primarily replication\/CDC; transformations are typically downstream in Dataflow\/BigQuery).\n– You need multi-master conflict resolution or bidirectional replication (Datastream is typically one-way replication).<\/p>\n\n\n\n

            4. Where is Datastream used?<\/h2>\n\n\n\n

            Industries<\/h3>\n\n\n\n
              \n
            • Retail\/e-commerce: orders, inventory, pricing changes into BigQuery<\/li>\n
            • Financial services: transaction events into analytics (with strong security controls)<\/li>\n
            • Healthcare: operational system extracts into governed analytics environments<\/li>\n
            • SaaS: product usage events stored in relational DBs replicated to BigQuery<\/li>\n
            • Gaming\/media: player\/session data replicated for near-real-time insights<\/li>\n<\/ul>\n\n\n\n

              Team types<\/h3>\n\n\n\n
                \n
              • Data engineering teams building analytics pipelines<\/li>\n
              • Platform teams standardizing ingestion patterns<\/li>\n
              • SRE\/operations teams reducing bespoke replication tooling<\/li>\n
              • Security teams enforcing secure connectivity and auditability<\/li>\n<\/ul>\n\n\n\n

                Workloads<\/h3>\n\n\n\n
                  \n
                • Near-real-time BI (BigQuery + Looker)<\/li>\n
                • Operational analytics (freshness in minutes)<\/li>\n
                • Data lake landing zones (Cloud Storage) + downstream processing<\/li>\n
                • Migration\/modernization: run old and new systems in parallel while replicating data<\/li>\n<\/ul>\n\n\n\n

                  Architectures<\/h3>\n\n\n\n
                    \n
                  • OLTP \u2192 CDC \u2192 BigQuery (analytics)<\/li>\n
                  • OLTP \u2192 CDC \u2192 Cloud Storage \u2192 Dataflow \u2192 BigQuery (custom transforms)<\/li>\n
                  • On-prem DB \u2192 CDC \u2192 Google Cloud landing zone (hybrid)<\/li>\n<\/ul>\n\n\n\n

                    Real-world deployment contexts<\/h3>\n\n\n\n
                      \n
                    • Production<\/strong>: private connectivity, least-privilege IAM, strong monitoring, explicit cost controls<\/li>\n
                    • Dev\/test<\/strong>: smaller datasets, limited table selection, shorter retention, more frequent teardown<\/li>\n<\/ul>\n\n\n\n

                      5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                      Below are realistic scenarios where Datastream commonly fits.<\/p>\n\n\n\n

                      1) Near-real-time operational reporting in BigQuery<\/h3>\n\n\n\n
                        \n
                      • Problem<\/strong>: Batch ETL (nightly) is too slow for business users.<\/li>\n
                      • Why Datastream fits<\/strong>: Managed CDC keeps BigQuery updated continuously.<\/li>\n
                      • Example<\/strong>: Customer support dashboard shows order status changes within minutes.<\/li>\n<\/ul>\n\n\n\n

                        2) Building a Cloud Storage landing zone (raw CDC lake)<\/h3>\n\n\n\n
                          \n
                        • Problem<\/strong>: You want raw change logs for replay, audits, or multiple downstream consumers.<\/li>\n
                        • Why Datastream fits<\/strong>: Can deliver to Cloud Storage for flexible processing (verify formats supported for your configuration).<\/li>\n
                        • Example<\/strong>: Store CDC files in Cloud Storage, then run Dataflow pipelines for multiple marts.<\/li>\n<\/ul>\n\n\n\n

                          3) Modernizing analytics from on-prem databases<\/h3>\n\n\n\n
                            \n
                          • Problem<\/strong>: On-prem Oracle\/PostgreSQL is hard to scale for analytics workloads.<\/li>\n
                          • Why Datastream fits<\/strong>: CDC over hybrid connectivity moves data continuously to Google Cloud.<\/li>\n
                          • Example<\/strong>: On-prem Oracle changes stream to BigQuery via Datastream, while apps remain on-prem.<\/li>\n<\/ul>\n\n\n\n

                            4) Keeping a serving layer updated<\/h3>\n\n\n\n
                              \n
                            • Problem<\/strong>: You need a denormalized dataset for APIs or search, derived from relational DB changes.<\/li>\n
                            • Why Datastream fits<\/strong>: CDC provides timely updates you can transform downstream.<\/li>\n
                            • Example<\/strong>: Datastream \u2192 Cloud Storage \u2192 Dataflow \u2192 (destination of your choice) for serving.<\/li>\n<\/ul>\n\n\n\n

                              5) Incremental data ingestion for ML feature pipelines<\/h3>\n\n\n\n
                                \n
                              • Problem<\/strong>: ML features in BigQuery are stale due to batch loads.<\/li>\n
                              • Why Datastream fits<\/strong>: Fresh updates to feature tables using CDC ingestion.<\/li>\n
                              • Example<\/strong>: Fraud model features update as transactions change.<\/li>\n<\/ul>\n\n\n\n

                                6) Reducing load on production databases<\/h3>\n\n\n\n
                                  \n
                                • Problem<\/strong>: Analytics queries on OLTP cause performance issues.<\/li>\n
                                • Why Datastream fits<\/strong>: Replicate changes to BigQuery; query BigQuery instead.<\/li>\n
                                • Example<\/strong>: Product managers query BigQuery instead of hitting the primary DB.<\/li>\n<\/ul>\n\n\n\n

                                  7) Event-driven analytics without rewriting apps<\/h3>\n\n\n\n
                                    \n
                                  • Problem<\/strong>: Legacy apps write only to a relational DB, not to an event bus.<\/li>\n
                                  • Why Datastream fits<\/strong>: CDC effectively produces an event stream derived from DB logs.<\/li>\n
                                  • Example<\/strong>: Order updates become CDC events used downstream for metrics and alerting.<\/li>\n<\/ul>\n\n\n\n

                                    8) Data validation during migrations<\/h3>\n\n\n\n
                                      \n
                                    • Problem<\/strong>: You need to compare old system data vs new system data continuously.<\/li>\n
                                    • Why Datastream fits<\/strong>: Replicate to BigQuery, then run validation queries.<\/li>\n
                                    • Example<\/strong>: Cloud SQL (new) vs on-prem DB (old) differences tracked in BigQuery.<\/li>\n<\/ul>\n\n\n\n

                                      9) Multi-environment test data refresh (subset)<\/h3>\n\n\n\n
                                        \n
                                      • Problem<\/strong>: Test environments need recent production-like data without full dumps.<\/li>\n
                                      • Why Datastream fits<\/strong>: Select only required tables\/schemas and replicate to a non-prod BigQuery dataset.<\/li>\n
                                      • Example<\/strong>: A small subset of customer and product tables replicated nightly + CDC (if allowed).<\/li>\n<\/ul>\n\n\n\n

                                        10) Building an audit trail of row-level changes<\/h3>\n\n\n\n
                                          \n
                                        • Problem<\/strong>: You need traceability of how records changed over time.<\/li>\n
                                        • Why Datastream fits<\/strong>: CDC produces change events that can be stored and queried.<\/li>\n
                                        • Example<\/strong>: Append-only history tables in BigQuery created from CDC.<\/li>\n<\/ul>\n\n\n\n

                                          11) Cost-optimized ingestion with downstream batching<\/h3>\n\n\n\n
                                            \n
                                          • Problem<\/strong>: You want CDC but also want to batch downstream transformations for cost.<\/li>\n
                                          • Why Datastream fits<\/strong>: Capture continuously, transform on schedule (Dataflow\/BigQuery).<\/li>\n
                                          • Example<\/strong>: Datastream to Cloud Storage; scheduled BigQuery loads every 15 minutes.<\/li>\n<\/ul>\n\n\n\n

                                            12) Centralized ingestion standard for many app databases<\/h3>\n\n\n\n
                                              \n
                                            • Problem<\/strong>: Each team built its own connector; operations are inconsistent.<\/li>\n
                                            • Why Datastream fits<\/strong>: A single managed ingestion pattern using standard IAM, monitoring, and governance.<\/li>\n
                                            • Example<\/strong>: Platform team offers Datastream streams as a self-service capability.<\/li>\n<\/ul>\n\n\n\n

                                              6. Core Features<\/h2>\n\n\n\n

                                              The exact feature set can evolve. Confirm current details in the official docs: https:\/\/cloud.google.com\/datastream\/docs<\/p>\n\n\n\n

                                              1) Change Data Capture (CDC)<\/h3>\n\n\n\n
                                                \n
                                              • What it does<\/strong>: Continuously captures inserts\/updates\/deletes from source DB logs.<\/li>\n
                                              • Why it matters<\/strong>: Provides near-real-time data freshness for analytics and downstream processing.<\/li>\n
                                              • Practical benefit<\/strong>: Fewer full reloads; reduced load on sources and destinations.<\/li>\n
                                              • Caveats<\/strong>: Requires correct source configuration (replication\/logging settings, privileges). CDC can increase WAL\/binlog\/redo log retention needs.<\/li>\n<\/ul>\n\n\n\n

                                                2) Initial Backfill (historical load)<\/h3>\n\n\n\n
                                                  \n
                                                • What it does<\/strong>: Copies existing table contents to the destination before CDC keeps it updated.<\/li>\n
                                                • Why it matters<\/strong>: Avoids the \u201cstart from now only\u201d limitation.<\/li>\n
                                                • Practical benefit<\/strong>: You get complete tables plus ongoing changes.<\/li>\n
                                                • Caveats<\/strong>: Backfill can be time-consuming and can load the source. Plan maintenance windows and throttle if supported (verify in official docs).<\/li>\n<\/ul>\n\n\n\n

                                                  3) Connection profiles (source and destination)<\/h3>\n\n\n\n
                                                    \n
                                                  • What it does<\/strong>: Stores connectivity details (host\/port\/credentials, SSL, etc.) for endpoints.<\/li>\n
                                                  • Why it matters<\/strong>: Separation of concerns\u2014reuse profiles across streams; simplify rotations and changes.<\/li>\n
                                                  • Practical benefit<\/strong>: Standardized onboarding for multiple sources\/destinations.<\/li>\n
                                                  • Caveats<\/strong>: Treat credentials as sensitive. Prefer secret management patterns and least privilege.<\/li>\n<\/ul>\n\n\n\n

                                                    4) Stream configuration and object selection<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does<\/strong>: Defines which schemas\/tables (and sometimes columns\u2014verify) to replicate.<\/li>\n
                                                    • Why it matters<\/strong>: Limits replication to what you actually need, controlling cost and risk.<\/li>\n
                                                    • Practical benefit<\/strong>: Reduce destination clutter and ingestion spend.<\/li>\n
                                                    • Caveats<\/strong>: Changes to selection rules can require stream updates; ensure you understand how backfill behaves when adding objects.<\/li>\n<\/ul>\n\n\n\n

                                                      5) Private connectivity options<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does<\/strong>: Allows Datastream to reach sources on private networks (VPC, on-prem via VPN\/Interconnect) without exposing them to the public internet.<\/li>\n
                                                      • Why it matters<\/strong>: Stronger security posture and simpler compliance alignment.<\/li>\n
                                                      • Practical benefit<\/strong>: No public IP on databases; fewer firewall exceptions.<\/li>\n
                                                      • Caveats<\/strong>: Requires VPC planning, routing, and sometimes IP range allocations. Setup varies by scenario\u2014verify the current recommended method in official docs.<\/li>\n<\/ul>\n\n\n\n

                                                        6) BigQuery destination support<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does<\/strong>: Writes replicated data into BigQuery datasets\/tables for analytics.<\/li>\n
                                                        • Why it matters<\/strong>: Removes the need to build custom ingestion into BigQuery.<\/li>\n
                                                        • Practical benefit<\/strong>: Faster time to value for analytics.<\/li>\n
                                                        • Caveats<\/strong>: Understand table\/metadata behavior, schema mapping, and how deletes\/updates are represented. Verify the exact BigQuery output model in official docs.<\/li>\n<\/ul>\n\n\n\n

                                                          7) Cloud Storage destination support<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does<\/strong>: Writes change events and\/or backfill outputs into Cloud Storage.<\/li>\n
                                                          • Why it matters<\/strong>: Cloud Storage is a flexible landing zone for many pipeline patterns.<\/li>\n
                                                          • Practical benefit<\/strong>: You can replay and reprocess CDC data with Dataflow\/Dataproc\/BigQuery external tables.<\/li>\n
                                                          • Caveats<\/strong>: You must design downstream consumption, partitioning, and lifecycle policies. Output formats and file layout can vary\u2014verify in official docs.<\/li>\n<\/ul>\n\n\n\n

                                                            8) Monitoring, status, and error reporting<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does<\/strong>: Exposes stream health, lag, throughput, and error conditions.<\/li>\n
                                                            • Why it matters<\/strong>: CDC pipelines must be observable to be trusted.<\/li>\n
                                                            • Practical benefit<\/strong>: Faster incident response and capacity planning.<\/li>\n
                                                            • Caveats<\/strong>: Metrics availability and names can change; confirm what\u2019s emitted in Cloud Monitoring.<\/li>\n<\/ul>\n\n\n\n

                                                              9) IAM and auditability<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does<\/strong>: Uses Google Cloud IAM to control who can create\/modify streams and who can view them, and logs admin activities.<\/li>\n
                                                              • Why it matters<\/strong>: CDC touches sensitive data and production systems.<\/li>\n
                                                              • Practical benefit<\/strong>: Principle of least privilege and governance alignment.<\/li>\n
                                                              • Caveats<\/strong>: You must also secure the source database credentials and the destination datasets\/buckets.<\/li>\n<\/ul>\n\n\n\n

                                                                7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                High-level service architecture<\/h3>\n\n\n\n

                                                                Datastream operates as a managed CDC pipeline:\n1. You configure connection profiles<\/strong> to the source database and destination (BigQuery or Cloud Storage).\n2. You create a stream<\/strong> that defines selection rules and whether to backfill.\n3. Datastream connects to the source, performs backfill (if enabled), then switches to CDC mode.\n4. Changes are delivered continuously to the destination.<\/p>\n\n\n\n

                                                                Request\/data\/control flow<\/h3>\n\n\n\n
                                                                  \n
                                                                • Control plane<\/strong>: You (or CI\/CD) call the Datastream API\/Console to create\/update streams and profiles.<\/li>\n
                                                                • Data plane<\/strong>: Datastream reads from the source database\u2019s replication mechanism and writes to the destination.<\/li>\n
                                                                • Observability plane<\/strong>: Stream state and errors appear in Cloud Logging\/Monitoring.<\/li>\n<\/ul>\n\n\n\n

                                                                  Integrations with related services<\/h3>\n\n\n\n

                                                                  Common patterns in Google Cloud:\n– BigQuery<\/strong>: Analytics destination (dashboards, ad-hoc SQL, ML).\n– Cloud Storage<\/strong>: Landing zone for raw CDC files.\n– Dataflow<\/strong>: Transform and load CDC outputs into curated tables (especially when using Cloud Storage destination).\n– Cloud SQL \/ Compute Engine \/ on-prem<\/strong>: Source database hosting.\n– Cloud VPN \/ Cloud Interconnect<\/strong>: Hybrid connectivity to on-prem sources.\n– Cloud Monitoring + Cloud Logging<\/strong>: Alerts, dashboards, and audit trails.\n– Dataplex<\/strong> (optional): Governance over datasets and storage zones (verify best practices for CDC data).<\/p>\n\n\n\n

                                                                  Dependency services (typical)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • Source database and its replication\/logging config<\/li>\n
                                                                  • Networking (VPC, firewall rules, routes; possibly Service Networking \/ Private Service Connect depending on connectivity mode)<\/li>\n
                                                                  • Destination service (BigQuery dataset permissions, Cloud Storage bucket permissions)<\/li>\n
                                                                  • IAM policies for administrators and service agents<\/li>\n<\/ul>\n\n\n\n

                                                                    Security\/authentication model<\/h3>\n\n\n\n
                                                                      \n
                                                                    • Google Cloud IAM<\/strong> controls management operations (create stream, update profile, view).<\/li>\n
                                                                    • Datastream uses a Google-managed service agent<\/strong> in your project to access destinations (and possibly to manage some resources). You grant permissions to that service agent for BigQuery\/Cloud Storage as required.<\/li>\n
                                                                    • Access to the source database is authenticated using database credentials (user\/password) and optionally TLS certificates, depending on the engine and configuration.<\/li>\n<\/ul>\n\n\n\n

                                                                      Networking model<\/h3>\n\n\n\n

                                                                      Two common approaches:\n– Private connectivity (recommended for production)<\/strong>: Datastream reaches the source over private IP addressing via VPC\/hybrid connectivity.\n– Public IP connectivity<\/strong>: Datastream reaches the source over public internet, typically requiring IP allowlisting and TLS. This is simpler for labs but riskier for production.<\/p>\n\n\n\n

                                                                      The exact connectivity setup depends on source type and location. Always follow the current Datastream connectivity guide: https:\/\/cloud.google.com\/datastream\/docs\/configure-connectivity<\/p>\n\n\n\n

                                                                      Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                        \n
                                                                      • Create Cloud Monitoring alerts on stream failure, lag, or throughput drops.<\/li>\n
                                                                      • Export logs to a SIEM if needed.<\/li>\n
                                                                      • Apply data governance to destination datasets\/buckets (labels, retention, access controls).<\/li>\n
                                                                      • Treat CDC as sensitive: changes can include PII and secrets if present in the DB.<\/li>\n<\/ul>\n\n\n\n

                                                                        Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                        flowchart LR\n  A[(Source DB\\nPostgreSQL\/MySQL\/Oracle)] -->|CDC + optional backfill| B[Datastream (regional)]\n  B --> C[(BigQuery)]\n  B --> D[(Cloud Storage)]\n<\/code><\/pre>\n\n\n\n
                                                                        Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                        flowchart TB\n  subgraph OnPrem[\"On\u2011prem \/ Self-managed network\"]\n    DB[(Production DB)]\n  end\n\n  subgraph GCP[\"Google Cloud project\"]\n    VPN[Cloud VPN \/ Interconnect]\n    VPC[VPC Network]\n    DS[Datastream (Region)]\n    BQ[(BigQuery Datasets)]\n    GCS[(Cloud Storage Landing Bucket)]\n    DF[Dataflow (optional transforms)]\n    MON[Cloud Monitoring + Logging]\n    KMS[Cloud KMS (dest encryption controls)]\n  end\n\n  DB --- VPN --- VPC\n  VPC -->|Private connectivity| DS\n  DS --> BQ\n  DS --> GCS\n  GCS --> DF --> BQ\n  DS --> MON\n  BQ --> MON\n  GCS --> MON\n  KMS -.-> BQ\n  KMS -.-> GCS\n<\/code><\/pre>\n\n\n\n
                                                                        8. Prerequisites<\/h2>\n\n\n\n
                                                                        Google Cloud account\/project<\/h3>\n\n\n\n
                                                                          \n
                                                                        • A Google Cloud project<\/strong> with billing enabled<\/strong>.<\/li>\n
                                                                        • You should choose a region where Datastream is available. Verify regions: https:\/\/cloud.google.com\/datastream\/docs\/locations<\/li>\n<\/ul>\n\n\n\n
                                                                          Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                          You need permissions to:\n– Enable APIs\n– Create and manage Datastream resources (streams, connection profiles, private connectivity)\n– Create\/manage BigQuery datasets and tables (or at least grant permissions to Datastream\u2019s service agent)\n– Create\/manage Cloud SQL if you use it as a source (for the lab)<\/p>\n\n\n\n
                                                                          Typical roles (verify exact role names and best-practice combinations):\n– Datastream administration: check IAM roles at https:\/\/cloud.google.com\/datastream\/docs\/access-control\n– BigQuery permissions: roles\/bigquery.admin<\/code> (broad) or dataset-scoped permissions for least privilege\n– Cloud SQL admin: roles\/cloudsql.admin<\/code> (for the lab)<\/p>\n\n\n\n
                                                                          Billing requirements<\/h3>\n\n\n\n
                                                                          Costs may come from:\n– Datastream usage\n– BigQuery storage and query costs\n– Cloud SQL instance\/runtime costs\n– Cloud Storage (if used)\n– Dataflow (if used)\n– Network egress (depending on topology)<\/p>\n\n\n\n
                                                                          Tools<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Google Cloud Console<\/strong> access<\/li>\n
                                                                          • gcloud CLI<\/strong> installed and authenticated: https:\/\/cloud.google.com\/sdk\/docs\/install<\/li>\n
                                                                          • A SQL client (for PostgreSQL: psql<\/code>) for inserting sample data<\/li>\n<\/ul>\n\n\n\n
                                                                            APIs to enable<\/h3>\n\n\n\n
                                                                            Typically:\n– Datastream API\n– BigQuery API\n– Cloud SQL Admin API\n– Compute Engine API (often required for networking\/VPC operations)\n– Service Networking API (if using Cloud SQL private IP)<\/p>\n\n\n\n
                                                                            Enable only what you use.<\/p>\n\n\n\n
                                                                            Quotas\/limits<\/h3>\n\n\n\n
                                                                            Datastream, BigQuery, and Cloud SQL each have quotas (streams per project\/region, connection limits, BigQuery ingestion\/storage limits, etc.). Review:\n– Datastream quotas\/limits: verify in official docs\n– BigQuery quotas: https:\/\/cloud.google.com\/bigquery\/quotas\n– Cloud SQL limits: https:\/\/cloud.google.com\/sql\/quotas<\/p>\n\n\n\n
                                                                            Prerequisite services (for this tutorial lab)<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Cloud SQL for PostgreSQL (source)<\/li>\n
                                                                            • BigQuery dataset (destination)<\/li>\n
                                                                            • A VPC network (for private connectivity in the lab)<\/li>\n<\/ul>\n\n\n\n
                                                                              9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                              Datastream pricing is usage-based<\/strong> and depends on factors such as:\n– Amount of data processed for backfill<\/strong>\n– Ongoing CDC change volume<\/strong> (bytes processed)\n– Potentially other dimensions depending on the product\u2019s current SKUs (for example, regional pricing differences)<\/p>\n\n\n\n
                                                                              Because pricing and SKUs can change and vary by region, always validate on the official pages:\n– Datastream pricing: https:\/\/cloud.google.com\/datastream\/pricing\n– Google Cloud Pricing Calculator: https:\/\/cloud.google.com\/products\/calculator<\/p>\n\n\n\n
                                                                              Pricing dimensions (typical cost drivers)<\/h3>\n\n\n\n
                                                                                \n
                                                                              1. CDC volume<\/strong>: The more row changes (and larger rows), the more Datastream processes.<\/li>\n
                                                                              2. Backfill volume<\/strong>: Initial snapshot size can be large and cost significant.<\/li>\n
                                                                              3. Region<\/strong>: Pricing can differ by region.<\/li>\n
                                                                              4. Destination costs<\/strong>:\n   – BigQuery<\/strong>: storage, streaming\/ingestion behavior (implementation-specific), and queries by users.\n   – Cloud Storage<\/strong>: object storage, operations, lifecycle, and retrieval.<\/li>\n
                                                                              5. Source costs<\/strong>:\n   – Source DB CPU\/IO overhead from replication\/log reading.\n   – WAL\/binlog\/redo retention and storage overhead.<\/li>\n
                                                                              6. Network costs<\/strong>:\n   – Cross-region data transfer can add cost.\n   – Hybrid egress (on-prem to cloud) may incur network charges depending on connectivity.<\/li>\n<\/ol>\n\n\n\n
                                                                                Free tier<\/h3>\n\n\n\n
                                                                                Datastream free-tier availability can change. Verify in official pricing docs<\/strong> whether any free tier or trial credits apply.<\/p>\n\n\n\n
                                                                                Hidden or indirect costs to plan for<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • BigQuery query spend (analysts exploring newly replicated datasets can generate costs quickly).<\/li>\n
                                                                                • Cloud SQL sizing (logical decoding\/replication overhead can require larger instances or more storage).<\/li>\n
                                                                                • Cloud Storage lifecycle misconfiguration (retaining raw CDC files forever).<\/li>\n
                                                                                • Cross-region replication (placing Datastream in a different region than source\/destination).<\/li>\n
                                                                                • Operational overhead: alerts, dashboards, and incident response time (even managed services need ops).<\/li>\n<\/ul>\n\n\n\n
                                                                                  How to optimize cost<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Replicate only what you need (schemas\/tables; possibly columns\u2014verify).<\/li>\n
                                                                                  • Avoid replicating huge historical tables unless needed; consider staged backfill.<\/li>\n
                                                                                  • Place Datastream in the same region as destination and near the source network entry point.<\/li>\n
                                                                                  • If using Cloud Storage as a landing zone, set lifecycle policies (for example, transition\/delete older CDC files).<\/li>\n
                                                                                  • In BigQuery, partition\/cluster curated tables and control who can run expensive queries.<\/li>\n<\/ul>\n\n\n\n
                                                                                    Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n
                                                                                    A starter lab typically includes:\n– A small Cloud SQL instance\n– A small BigQuery dataset\n– One Datastream stream replicating one schema with a few small tables and low CDC volume<\/p>\n\n\n\n
                                                                                    To estimate:\n1. Use the Pricing Calculator for Cloud SQL hourly cost.\n2. Add Datastream estimated processed GB for backfill + daily changes.\n3. Add BigQuery storage for replicated tables and expected query usage.<\/p>\n\n\n\n
                                                                                    Because actual SKUs and volumes vary, do not rely on fixed numbers<\/strong>\u2014use the calculator and measure real change volume.<\/p>\n\n\n\n
                                                                                    Example production cost considerations<\/h3>\n\n\n\n
                                                                                    In production, the main drivers are:\n– Large backfills (TB-scale)\n– High-velocity CDC (many updates\/sec)\n– Multiple streams for many databases\n– BigQuery downstream query usage (often the largest ongoing spend)<\/p>\n\n\n\n
                                                                                    A practical approach:\n– Start with one \u201cpilot\u201d stream, measure bytes processed and freshness, then extrapolate.\n– Set budgets and alerts in Google Cloud Billing.\n– Enforce table selection standards to prevent replicating entire databases by default.<\/p>\n\n\n\n
                                                                                    10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                    This lab builds a small but real CDC pipeline:\n– Source<\/strong>: Cloud SQL for PostgreSQL (private IP)\n– Replication<\/strong>: Datastream stream with backfill + CDC\n– Destination<\/strong>: BigQuery dataset<\/p>\n\n\n\n
                                                                                    The goal is to keep cost low while using production-aligned patterns (private connectivity, least privilege).<\/p>\n\n\n\n
                                                                                    Objective<\/h3>\n\n\n\n
                                                                                    Create a Datastream stream that replicates a PostgreSQL table from Cloud SQL into BigQuery, validate by inserting rows and observing them appear in BigQuery, then clean up all resources.<\/p>\n\n\n\n
                                                                                    Lab Overview<\/h3>\n\n\n\n
                                                                                    You will:\n1. Create networking required for Cloud SQL private IP.\n2. Create a Cloud SQL for PostgreSQL instance and configure logical replication.\n3. Create a sample database\/table and a dedicated replication user.\n4. Create a BigQuery dataset.\n5. Create Datastream connection profiles (source\/destination).\n6. Create a Datastream stream with backfill + CDC.\n7. Validate data appears in BigQuery.\n8. Troubleshoot common issues.\n9. Clean up resources to avoid ongoing costs.<\/p>\n\n\n\n
                                                                                    \n
                                                                                    Notes before you begin:\n– Datastream is regional. Pick one region and keep Cloud SQL and BigQuery dataset in that region\/multi-region as appropriate.\n– Some flags\/settings differ by PostgreSQL version and Cloud SQL capabilities. If anything conflicts, follow Cloud SQL + Datastream official docs for PostgreSQL sources.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                    Step 1: Select project, region, and enable APIs<\/h3>\n\n\n\n
                                                                                    1) Set variables (replace placeholders):<\/p>\n\n\n\n
                                                                                    export PROJECT_ID=\"YOUR_PROJECT_ID\"\nexport REGION=\"us-central1\"   # choose a Datastream-supported region\nexport ZONE=\"us-central1-a\"\ngcloud config set project \"${PROJECT_ID}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    2) Enable required APIs:<\/p>\n\n\n\n
                                                                                    gcloud services enable \\\n  datastream.googleapis.com \\\n  bigquery.googleapis.com \\\n  sqladmin.googleapis.com \\\n  compute.googleapis.com \\\n  servicenetworking.googleapis.com\n<\/code><\/pre>\n\n\n\n
                                                                                    Expected outcome<\/strong>: APIs are enabled successfully.<\/p>\n\n\n\n
                                                                                    Verification<\/strong>:<\/p>\n\n\n\n
                                                                                    gcloud services list --enabled --filter=\"name:datastream.googleapis.com\"\n<\/code><\/pre>\n\n\n\n
                                                                                    Step 2: Create a VPC and subnet (for private connectivity)<\/h3>\n\n\n\n
                                                                                    Create a dedicated VPC for the lab:<\/p>\n\n\n\n
                                                                                    export VPC_NAME=\"ds-lab-vpc\"\nexport SUBNET_NAME=\"ds-lab-subnet\"\nexport SUBNET_RANGE=\"10.10.0.0\/24\"\n\ngcloud compute networks create \"${VPC_NAME}\" --subnet-mode=custom\n\ngcloud compute networks subnets create \"${SUBNET_NAME}\" \\\n  --network=\"${VPC_NAME}\" \\\n  --region=\"${REGION}\" \\\n  --range=\"${SUBNET_RANGE}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    Expected outcome<\/strong>: VPC and subnet exist in your project.<\/p>\n\n\n\n
                                                                                    Verification<\/strong>:<\/p>\n\n\n\n
                                                                                    gcloud compute networks describe \"${VPC_NAME}\"\ngcloud compute networks subnets describe \"${SUBNET_NAME}\" --region \"${REGION}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    Step 3: Reserve an IP range and enable Private Service Access (for Cloud SQL private IP)<\/h3>\n\n\n\n
                                                                                    Cloud SQL private IP requires a reserved range and a Service Networking connection.<\/p>\n\n\n\n
                                                                                    1) Reserve an internal range for Google-managed services:<\/p>\n\n\n\n
                                                                                    export PSA_RANGE_NAME=\"ds-lab-psa-range\"\n\ngcloud compute addresses create \"${PSA_RANGE_NAME}\" \\\n  --global \\\n  --purpose=VPC_PEERING \\\n  --prefix-length=16 \\\n  --network=\"${VPC_NAME}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    2) Create the Service Networking connection:<\/p>\n\n\n\n
                                                                                    gcloud services vpc-peerings connect \\\n  --service=servicenetworking.googleapis.com \\\n  --network=\"${VPC_NAME}\" \\\n  --ranges=\"${PSA_RANGE_NAME}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    Expected outcome<\/strong>: The VPC has Private Service Access configured.<\/p>\n\n\n\n
                                                                                    Verification<\/strong>:<\/p>\n\n\n\n
                                                                                    gcloud services vpc-peerings list --network=\"${VPC_NAME}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    Step 4: Create a Cloud SQL for PostgreSQL instance (private IP)<\/h3>\n\n\n\n
                                                                                    1) Create the instance (choose a small tier for cost). PostgreSQL version selection matters\u2014use a Datastream-supported version (verify in Datastream docs for PostgreSQL support matrix).<\/p>\n\n\n\n
                                                                                    export SQL_INSTANCE=\"ds-lab-pg\"\nexport DB_VERSION=\"POSTGRES_15\"   # example; verify supported versions for Datastream\nexport TIER=\"db-custom-1-3840\"    # example small tier; adjust as needed\n\ngcloud sql instances create \"${SQL_INSTANCE}\" \\\n  --database-version=\"${DB_VERSION}\" \\\n  --tier=\"${TIER}\" \\\n  --region=\"${REGION}\" \\\n  --network=\"projects\/${PROJECT_ID}\/global\/networks\/${VPC_NAME}\" \\\n  --no-assign-ip\n<\/code><\/pre>\n\n\n\n
                                                                                    Expected outcome<\/strong>: Cloud SQL instance is created with private IP only.<\/p>\n\n\n\n
                                                                                    Verification<\/strong>:<\/p>\n\n\n\n
                                                                                    gcloud sql instances describe \"${SQL_INSTANCE}\" --format=\"value(ipAddresses.ipAddress,settings.ipConfiguration.ipv4Enabled)\"\n<\/code><\/pre>\n\n\n\n
                                                                                    You should see an IP address and ipv4Enabled<\/code> should indicate public IP is not enabled.<\/p>\n\n\n\n
                                                                                    Step 5: Configure PostgreSQL for logical replication and create sample data<\/h3>\n\n\n\n
                                                                                    Datastream needs PostgreSQL logical decoding enabled and a user with suitable privileges.<\/p>\n\n\n\n
                                                                                    5.1 Set Cloud SQL flags for logical decoding (PostgreSQL)<\/h4>\n\n\n\n
                                                                                    Cloud SQL uses database flags (exact flags depend on version). Common requirements:\n– Enable logical decoding (Cloud SQL-specific flag)\n– Ensure adequate replication slots \/ WAL senders<\/p>\n\n\n\n
                                                                                    Set flags (verify the exact flag names for your Cloud SQL version in official docs; this step is commonly required):<\/p>\n\n\n\n
                                                                                    gcloud sql instances patch \"${SQL_INSTANCE}\" \\\n  --database-flags=cloudsql.logical_decoding=on\n<\/code><\/pre>\n\n\n\n
                                                                                    If your source requires additional flags like max_replication_slots<\/code> or max_wal_senders<\/code>, add them per Cloud SQL guidance (verify in official docs).<\/p>\n\n\n\n
                                                                                    Expected outcome<\/strong>: Instance is patched; it may require a restart.<\/p>\n\n\n\n
                                                                                    Verification<\/strong>:<\/p>\n\n\n\n
                                                                                    gcloud sql instances describe \"${SQL_INSTANCE}\" --format=\"value(settings.databaseFlags)\"\n<\/code><\/pre>\n\n\n\n
                                                                                    5.2 Set a password for the default postgres user (if needed)<\/h4>\n\n\n\n
                                                                                    Cloud SQL often creates a default postgres<\/code> user. Set a password you\u2019ll use temporarily:<\/p>\n\n\n\n
                                                                                    export POSTGRES_PASSWORD=\"REPLACE_WITH_A_STRONG_PASSWORD\"\ngcloud sql users set-password postgres \\\n  --instance=\"${SQL_INSTANCE}\" \\\n  --password=\"${POSTGRES_PASSWORD}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    5.3 Connect to the instance and create a database\/table<\/h4>\n\n\n\n
                                                                                    To connect privately, use one of these:\n– A VM in the same VPC, or\n– Cloud Shell with a configured path (Cloud Shell isn\u2019t in your VPC by default), or\n– A temporary bastion VM<\/p>\n\n\n\n
                                                                                    A simple approach is to create a tiny VM in the same VPC and connect from there.<\/p>\n\n\n\n
                                                                                    Create a small VM:<\/p>\n\n\n\n
                                                                                    export VM_NAME=\"ds-lab-vm\"\n\ngcloud compute instances create \"${VM_NAME}\" \\\n  --zone=\"${ZONE}\" \\\n  --machine-type=\"e2-micro\" \\\n  --network=\"${VPC_NAME}\" \\\n  --subnet=\"${SUBNET_NAME}\" \\\n  --scopes=\"https:\/\/www.googleapis.com\/auth\/cloud-platform\"\n<\/code><\/pre>\n\n\n\n
                                                                                    Find the Cloud SQL private IP:<\/p>\n\n\n\n
                                                                                    export SQL_PRIVATE_IP=\"$(gcloud sql instances describe \"${SQL_INSTANCE}\" --format='value(ipAddresses.ipAddress)')\"\necho \"${SQL_PRIVATE_IP}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    SSH into the VM:<\/p>\n\n\n\n
                                                                                    gcloud compute ssh \"${VM_NAME}\" --zone=\"${ZONE}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    On the VM, install psql<\/code> client (Debian\/Ubuntu example):<\/p>\n\n\n\n
                                                                                    sudo apt-get update\nsudo apt-get install -y postgresql-client\n<\/code><\/pre>\n\n\n\n
                                                                                    Connect using psql<\/code>:<\/p>\n\n\n\n
                                                                                    export PGPASSWORD=\"REPLACE_WITH_A_STRONG_PASSWORD\"\npsql -h SQL_PRIVATE_IP -U postgres -d postgres\n<\/code><\/pre>\n\n\n\n
                                                                                    Inside psql<\/code>, create a database and table:<\/p>\n\n\n\n
                                                                                    CREATE DATABASE ds_lab;\n\\c ds_lab\n\nCREATE TABLE public.customers (\n  customer_id  BIGSERIAL PRIMARY KEY,\n  email        TEXT NOT NULL,\n  created_at   TIMESTAMPTZ NOT NULL DEFAULT now()\n);\n\nINSERT INTO public.customers (email) VALUES\n  ('alice@example.com'),\n  ('bob@example.com');\n\nSELECT * FROM public.customers;\n<\/code><\/pre>\n\n\n\n
                                                                                    Expected outcome<\/strong>: You have a ds_lab<\/code> database and a customers<\/code> table with 2 rows.<\/p>\n\n\n\n
                                                                                    5.4 Create a dedicated Datastream user<\/h4>\n\n\n\n
                                                                                    Still inside psql<\/code>, create a user for Datastream. Exact permissions can differ; generally it needs:\n– Ability to connect to the database\n– SELECT on replicated tables (for backfill)\n– Replication\/logical decoding privileges<\/p>\n\n\n\n
                                                                                    Create the user (verify required roles\/privileges in official docs for Datastream PostgreSQL source):<\/p>\n\n\n\n
                                                                                    CREATE USER datastream_user WITH PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';\n\nGRANT CONNECT ON DATABASE ds_lab TO datastream_user;\nGRANT USAGE ON SCHEMA public TO datastream_user;\nGRANT SELECT ON ALL TABLES IN SCHEMA public TO datastream_user;\nALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO datastream_user;\n\n-- Replication privilege (may be required)\nALTER USER datastream_user WITH REPLICATION;\n<\/code><\/pre>\n\n\n\n
                                                                                    Exit psql<\/code>:<\/p>\n\n\n\n
                                                                                    \\q\n<\/code><\/pre>\n\n\n\n
                                                                                    Exit the VM SSH session:<\/p>\n\n\n\n
                                                                                    exit\n<\/code><\/pre>\n\n\n\n
                                                                                    Expected outcome<\/strong>: A least-privilege user exists for Datastream to read and replicate.<\/p>\n\n\n\n
                                                                                    Step 6: Create a BigQuery dataset (destination)<\/h3>\n\n\n\n
                                                                                    Create a dataset in BigQuery (choose location aligned with your region strategy):<\/p>\n\n\n\n
                                                                                    export BQ_DATASET=\"ds_lab\"\nbq --location=\"${REGION}\" mk -d \\\n  --description \"Datastream lab dataset\" \\\n  \"${PROJECT_ID}:${BQ_DATASET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    Expected outcome<\/strong>: BigQuery dataset exists.<\/p>\n\n\n\n
                                                                                    Verification<\/strong>:<\/p>\n\n\n\n
                                                                                    bq show \"${PROJECT_ID}:${BQ_DATASET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    Step 7: Grant BigQuery permissions to the Datastream service agent<\/h3>\n\n\n\n
                                                                                    Datastream writes into BigQuery using a Google-managed identity (service agent). You must grant it sufficient permissions on the dataset (or project). The exact service agent format and required roles can vary\u2014verify in official docs:\n– Datastream IAM\/access control: https:\/\/cloud.google.com\/datastream\/docs\/access-control<\/p>\n\n\n\n
                                                                                    Typical pattern:\n– Find your project number\n– Identify the Datastream service agent\n– Grant dataset-level permissions (preferred) instead of project-wide<\/p>\n\n\n\n
                                                                                    Get project number:<\/p>\n\n\n\n
                                                                                    export PROJECT_NUMBER=\"$(gcloud projects describe \"${PROJECT_ID}\" --format='value(projectNumber)')\"\necho \"${PROJECT_NUMBER}\"\n<\/code><\/pre>\n\n\n\n
                                                                                    The Datastream service agent commonly looks like:<\/p>\n\n\n\n
                                                                                    service-PROJECT_NUMBER@gcp-sa-datastream.iam.gserviceaccount.com\n<\/code><\/pre>\n\n\n\n
                                                                                    Grant dataset access (dataset-level IAM). BigQuery dataset IAM via bq<\/code> can be managed, but many teams do this in the Console for clarity:\n– BigQuery \u2192 Dataset \u2192 Sharing \u2192 Permissions \u2192 Add principal (service agent) \u2192 assign role<\/p>\n\n\n\n
                                                                                    Role guidance:\n– Minimum required roles depend on how Datastream creates\/updates tables. Many labs use a broader role for simplicity, then tighten for production.\n– For least privilege, grant only what\u2019s required to create and write tables in that dataset. Verify required roles in official docs<\/strong>.<\/p>\n\n\n\n
                                                                                    Expected outcome<\/strong>: Datastream can create\/write tables in the dataset.<\/p>\n\n\n\n
                                                                                    Step 8: Create Datastream connection profiles (Console-recommended for accuracy)<\/h3>\n\n\n\n
                                                                                    Because CLI flags can change, the most robust beginner path is the Console.<\/p>\n\n\n\n
                                                                                    1) Go to Datastream in Google Cloud Console:\nhttps:\/\/console.cloud.google.com\/datastream<\/p>\n\n\n\n
                                                                                    2) Ensure you\u2019re in the correct project<\/strong> and region<\/strong>.<\/p>\n\n\n\n
                                                                                    8.1 Create a source connection profile (PostgreSQL)<\/h4>\n\n\n\n
                                                                                      \n
                                                                                    • Datastream \u2192 Connection profiles<\/strong> \u2192 Create profile<\/strong><\/li>\n
                                                                                    • Type: PostgreSQL<\/strong><\/li>\n
                                                                                    • Connectivity: choose Private connectivity<\/strong> (recommended)<\/li>\n
                                                                                    • Hostname\/IP: Cloud SQL private IP<\/strong><\/li>\n
                                                                                    • Port: 5432<\/code><\/li>\n
                                                                                    • Username: datastream_user<\/code><\/li>\n
                                                                                    • Password: the password you set<\/li>\n
                                                                                    • Database: ds_lab<\/code><\/li>\n
                                                                                    • TLS\/SSL: configure per your security posture (for Cloud SQL private IP, TLS is still recommended; verify required settings)<\/li>\n<\/ul>\n\n\n\n
                                                                                      Test the connection in the UI (Datastream typically provides a \u201cTest\u201d button).<\/p>\n\n\n\n
                                                                                      Expected outcome<\/strong>: Connection test succeeds and profile is created.<\/p>\n\n\n\n
                                                                                      8.2 Create a destination connection profile (BigQuery)<\/h4>\n\n\n\n
                                                                                        \n
                                                                                      • Datastream \u2192 Connection profiles<\/strong> \u2192 Create profile<\/strong><\/li>\n
                                                                                      • Type: BigQuery<\/strong><\/li>\n
                                                                                      • Choose dataset: ds_lab<\/code> (or allow Datastream to create datasets depending on UI options)<\/li>\n
                                                                                      • Save<\/li>\n<\/ul>\n\n\n\n
                                                                                        Expected outcome<\/strong>: Destination profile created.<\/p>\n\n\n\n
                                                                                        Step 9: Configure private connectivity in Datastream (if required by your setup)<\/h3>\n\n\n\n
                                                                                        Depending on the current Datastream UI flow, you may need to create a private connection<\/strong> resource that attaches Datastream to your VPC\/subnet.<\/p>\n\n\n\n
                                                                                          \n
                                                                                        • Datastream \u2192 Private connectivity<\/strong> (or similar) \u2192 Create<\/strong><\/li>\n
                                                                                        • Select:<\/li>\n
                                                                                        • VPC: ds-lab-vpc<\/code><\/li>\n
                                                                                        • Subnet: ds-lab-subnet<\/code><\/li>\n
                                                                                        • Region: same as your Datastream resources<\/li>\n<\/ul>\n\n\n\n
                                                                                          Expected outcome<\/strong>: Private connectivity becomes READY\/ACTIVE.<\/p>\n\n\n\n
                                                                                          Common issue<\/strong>: If the private connection cannot be established, check:\n– IAM permissions\n– Overlapping IP ranges\n– VPC peering limits\n– Regional mismatches<\/p>\n\n\n\n
                                                                                          (Exact diagnostics vary; consult Datastream connectivity docs.)<\/p>\n\n\n\n
                                                                                          Step 10: Create a Datastream stream (backfill + CDC)<\/h3>\n\n\n\n
                                                                                          1) Datastream \u2192 Streams<\/strong> \u2192 Create stream<\/strong>\n2) Select:\n   – Source connection profile: your PostgreSQL profile\n   – Destination connection profile: your BigQuery profile\n3) Configure object selection<\/strong>:\n   – Database: ds_lab<\/code>\n   – Schema: public<\/code>\n   – Tables: customers<\/code> (only)\n4) Backfill:\n   – Enable backfill for selected objects (recommended so BigQuery gets the existing two rows)\n5) Review and create the stream.\n6) Start\/Run the stream (depending on UI state model).<\/p>\n\n\n\n
                                                                                          Expected outcome<\/strong>: Stream transitions to RUNNING and begins backfill, then CDC.<\/p>\n\n\n\n
                                                                                          Step 11: Generate changes in PostgreSQL and observe in BigQuery<\/h3>\n\n\n\n
                                                                                          1) SSH to the VM again and insert\/update\/delete rows:<\/p>\n\n\n\n
                                                                                          gcloud compute ssh \"${VM_NAME}\" --zone=\"${ZONE}\"\n<\/code><\/pre>\n\n\n\n
                                                                                          Run:<\/p>\n\n\n\n
                                                                                          export PGPASSWORD=\"REPLACE_WITH_A_STRONG_PASSWORD\"\npsql -h SQL_PRIVATE_IP -U postgres -d ds_lab\n<\/code><\/pre>\n\n\n\n
                                                                                          In psql<\/code>:<\/p>\n\n\n\n
                                                                                          INSERT INTO public.customers (email) VALUES ('carol@example.com');\nUPDATE public.customers SET email='alice+new@example.com' WHERE email='alice@example.com';\nDELETE FROM public.customers WHERE email='bob@example.com';\nSELECT * FROM public.customers ORDER BY customer_id;\n<\/code><\/pre>\n\n\n\n
                                                                                          Exit:<\/p>\n\n\n\n
                                                                                          \\q\n<\/code><\/pre>\n\n\n\n
                                                                                          Exit VM:<\/p>\n\n\n\n
                                                                                          exit\n<\/code><\/pre>\n\n\n\n
                                                                                          2) In BigQuery, query the replicated table(s).\nIn the BigQuery Console: https:\/\/console.cloud.google.com\/bigquery<\/p>\n\n\n\n
                                                                                          Run a query against the expected table created by Datastream in dataset ds_lab<\/code>.<\/p>\n\n\n\n
                                                                                          Because naming conventions can vary (and may include schema\/database prefixes), locate the table in the dataset and run:<\/p>\n\n\n\n
                                                                                          SELECT * FROM `YOUR_PROJECT_ID.ds_lab.YOUR_TABLE_NAME` LIMIT 100;\n<\/code><\/pre>\n\n\n\n
                                                                                          Expected outcome<\/strong>: You see rows reflecting the backfill + subsequent inserts\/updates\/deletes, consistent with Datastream\u2019s BigQuery replication model.<\/p>\n\n\n\n
                                                                                          \n
                                                                                          Important: How updates\/deletes appear depends on Datastream\u2019s BigQuery write semantics (for example, merge vs append\/change tables). Verify the exact BigQuery output model in official docs<\/strong> and align your downstream queries accordingly.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                          Validation<\/h3>\n\n\n\n
                                                                                          Use the following checks:<\/p>\n\n\n\n
                                                                                          1) Datastream stream health<\/strong>\n– Datastream \u2192 Streams \u2192 your stream\n– Status: RUNNING\n– Backfill: completed (if enabled)\n– Errors: none<\/p>\n\n\n\n
                                                                                          2) Source database<\/strong>\n– Rows changed as expected:<\/p>\n\n\n\n
                                                                                          SELECT count(*) FROM public.customers;\n<\/code><\/pre>\n\n\n\n
                                                                                          3) Destination BigQuery<\/strong>\n– Replicated table exists in dataset ds_lab<\/code>\n– Query returns expected data with reasonable freshness<\/p>\n\n\n\n
                                                                                          4) Observability<\/strong>\n– Cloud Logging: filter for Datastream logs (service name) and verify no repeated failures.\n– Cloud Monitoring: look for Datastream metrics if exposed in your environment (names may vary).<\/p>\n\n\n\n
                                                                                          Troubleshooting<\/h3>\n\n\n\n
                                                                                          Common issues and realistic fixes:<\/p>\n\n\n\n
                                                                                          1) Connection test fails (source)<\/strong>\n– Cause: VPC\/private connectivity not established, wrong IP\/port, firewall rules, wrong credentials.\n– Fix:\n  – Ensure Cloud SQL has private IP and is in the correct VPC.\n  – Ensure Datastream private connectivity is READY and matches region.\n  – Re-check username\/password and database name.<\/p>\n\n\n\n
                                                                                          2) PostgreSQL replication\/logical decoding errors<\/strong>\n– Cause: logical decoding not enabled; missing privileges; insufficient WAL settings.\n– Fix:\n  – Confirm Cloud SQL flag for logical decoding is enabled and instance restarted if required.\n  – Ensure datastream_user<\/code> has required privileges (including REPLICATION if required by Datastream).\n  – Verify PostgreSQL version support in Datastream docs.<\/p>\n\n\n\n
                                                                                          3) Backfill succeeds but CDC doesn\u2019t (or vice versa)<\/strong>\n– Cause: replication slot\/log retention issues; permissions; stream state.\n– Fix:\n  – Check stream details for lag\/errors.\n  – Confirm source log retention is sufficient and replication slot is healthy.\n  – Verify no network interruption.<\/p>\n\n\n\n
                                                                                          4) BigQuery permission denied<\/strong>\n– Cause: Datastream service agent lacks dataset permissions.\n– Fix:\n  – Grant required dataset permissions to the Datastream service agent.\n  – Verify you used the correct service agent principal for the project.<\/p>\n\n\n\n
                                                                                          5) No table appears in BigQuery<\/strong>\n– Cause: object selection rules exclude table; stream not running; backfill disabled; permission issues.\n– Fix:\n  – Confirm selection includes ds_lab.public.customers<\/code>.\n  – Ensure stream is RUNNING.\n  – Re-check destination profile and dataset location\/permissions.<\/p>\n\n\n\n
                                                                                          Cleanup<\/h3>\n\n\n\n
                                                                                          To avoid ongoing charges, delete all lab resources.<\/p>\n\n\n\n
                                                                                          1) Stop and delete the Datastream stream (Console recommended):\n– Datastream \u2192 Streams \u2192 select stream \u2192 Stop (if required) \u2192 Delete<\/p>\n\n\n\n
                                                                                          2) Delete connection profiles and private connectivity resources:\n– Datastream \u2192 Connection profiles \u2192 Delete source and destination profiles\n– Datastream \u2192 Private connectivity \u2192 Delete private connection (if created)<\/p>\n\n\n\n
                                                                                          3) Delete BigQuery dataset:<\/p>\n\n\n\n
                                                                                          bq rm -r -d \"${PROJECT_ID}:${BQ_DATASET}\"\n<\/code><\/pre>\n\n\n\n
                                                                                          4) Delete Cloud SQL instance:<\/p>\n\n\n\n
                                                                                          gcloud sql instances delete \"${SQL_INSTANCE}\"\n<\/code><\/pre>\n\n\n\n
                                                                                          5) Delete VM:<\/p>\n\n\n\n
                                                                                          gcloud compute instances delete \"${VM_NAME}\" --zone=\"${ZONE}\"\n<\/code><\/pre>\n\n\n\n
                                                                                          6) Delete VPC and related resources:<\/p>\n\n\n\n
                                                                                          gcloud compute networks subnets delete \"${SUBNET_NAME}\" --region \"${REGION}\"\ngcloud compute networks delete \"${VPC_NAME}\"\ngcloud compute addresses delete \"${PSA_RANGE_NAME}\" --global\n<\/code><\/pre>\n\n\n\n
                                                                                          7) Optional: disable APIs if this project is only for labs.<\/p>\n\n\n\n
                                                                                          11. Best Practices<\/h2>\n\n\n\n
                                                                                          Architecture best practices<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Choose the right destination<\/strong>:<\/li>\n
                                                                                          • BigQuery for immediate analytics<\/li>\n
                                                                                          • Cloud Storage for raw landing + replay + multiple downstreams<\/li>\n
                                                                                          • Keep region alignment<\/strong>: Place Datastream near the source network and destination to reduce latency and data transfer costs.<\/li>\n
                                                                                          • Plan for schema evolution<\/strong>: Expect DDL changes; define operational procedures for schema changes and verify how Datastream propagates them for your source\/destination.<\/li>\n
                                                                                          • Design downstream models<\/strong>: Decide whether you want:<\/li>\n
                                                                                          • Current-state tables, or<\/li>\n
                                                                                          • Change-history tables, or<\/li>\n
                                                                                          • Both (often via downstream transformations)<\/li>\n<\/ul>\n\n\n\n
                                                                                            IAM\/security best practices<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Use dedicated Datastream admin\/operator roles<\/strong> rather than broad project Owner.<\/li>\n
                                                                                            • Grant dataset-scoped<\/strong> BigQuery permissions to Datastream\u2019s service agent (avoid project-wide roles when possible).<\/li>\n
                                                                                            • Use a dedicated DB user with the minimum privileges<\/strong> required for backfill + CDC.<\/li>\n
                                                                                            • Rotate DB credentials and document rotation steps.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Cost best practices<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Replicate only required tables; avoid \u201cwhole database\u201d replication by default.<\/li>\n
                                                                                              • Plan backfills carefully (time windows, object selection).<\/li>\n
                                                                                              • If landing to Cloud Storage, apply lifecycle policies<\/strong> and retention controls.<\/li>\n
                                                                                              • Set budgets and alerts<\/strong> for BigQuery query spend and Datastream usage.<\/li>\n<\/ul>\n\n\n\n
                                                                                                Performance best practices<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Ensure the source DB is configured for CDC load: adequate WAL\/binlog retention, IO capacity, and replication settings.<\/li>\n
                                                                                                • Avoid excessive table selection changes that trigger large re-backfills.<\/li>\n
                                                                                                • For BigQuery, create curated, partitioned tables downstream for efficient querying.<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Reliability best practices<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Monitor stream state and lag; alert on failures.<\/li>\n
                                                                                                  • Use private connectivity for stable networking and security.<\/li>\n
                                                                                                  • Document runbooks for restart\/recreate scenarios.<\/li>\n
                                                                                                  • Test schema changes and failover behavior in staging.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Operations best practices<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Standardize naming:<\/li>\n
                                                                                                    • ds-{env}-{source}-{region}<\/code> for streams<\/li>\n
                                                                                                    • cp-{env}-{system}-{role}<\/code> for connection profiles<\/li>\n
                                                                                                    • Apply labels\/tags for cost allocation (env, app, owner, data-domain).<\/li>\n
                                                                                                    • Use least privilege and separation of duties: creators vs viewers vs auditors.<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Governance best practices<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Treat replicated datasets as governed assets:<\/li>\n
                                                                                                      • Data classification labels (PII, PCI, etc.)<\/li>\n
                                                                                                      • Controlled sharing and authorized views in BigQuery<\/li>\n
                                                                                                      • Data retention policies aligned with compliance<\/li>\n<\/ul>\n\n\n\n
                                                                                                        12. Security Considerations<\/h2>\n\n\n\n
                                                                                                        Identity and access model<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Google Cloud IAM<\/strong> controls who can create\/modify Datastream resources.<\/li>\n
                                                                                                        • Datastream uses a service agent<\/strong> to access destinations (BigQuery\/Cloud Storage). Grant it only the permissions it needs.<\/li>\n
                                                                                                        • Source authentication uses database credentials; protect and rotate them.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Encryption<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • In transit: use TLS where supported\/required between Datastream and source.<\/li>\n
                                                                                                          • At rest: BigQuery and Cloud Storage encrypt data by default. For higher control, consider CMEK where supported by the destination services.\n  For Datastream-specific CMEK support, verify in official docs<\/strong> (do not assume it applies to every resource type).<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Network exposure<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Prefer private connectivity<\/strong> so databases do not need public IP access.<\/li>\n
                                                                                                            • If public connectivity is unavoidable:<\/li>\n
                                                                                                            • Use TLS<\/li>\n
                                                                                                            • Restrict ingress using allowlists (Datastream egress IPs per region\u2014verify in official docs)<\/li>\n
                                                                                                            • Monitor connections closely<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Secrets handling<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Avoid hardcoding DB passwords in scripts or repos.<\/li>\n
                                                                                                              • Use Secret Manager to store credentials and enforce access controls; implement a rotation process.<\/li>\n
                                                                                                              • Ensure only CI\/CD service accounts with a need have access to secrets.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Audit\/logging<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Enable and retain:<\/li>\n
                                                                                                                • Cloud Audit Logs for Datastream admin activity<\/li>\n
                                                                                                                • Cloud SQL audit\/logging as needed<\/li>\n
                                                                                                                • BigQuery audit logs (data access logs if required for compliance; note cost\/volume implications)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Compliance considerations<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • CDC often includes sensitive attributes. Replicate only what\u2019s allowed.<\/li>\n
                                                                                                                  • Ensure data residency requirements align with chosen regions.<\/li>\n
                                                                                                                  • Use dataset-level sharing controls and authorized views in BigQuery to implement least-privilege consumption.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Common security mistakes<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Exposing the source DB to the public internet for convenience.<\/li>\n
                                                                                                                    • Granting overly broad BigQuery roles (project-wide admin).<\/li>\n
                                                                                                                    • Replicating entire schemas that include secrets\/PII unintentionally.<\/li>\n
                                                                                                                    • No monitoring\/alerts on stream failure (silent data freshness issues).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Use private connectivity + least privilege + monitoring by default.<\/li>\n
                                                                                                                      • Create a security review checklist for each new stream:<\/li>\n
                                                                                                                      • Data classification<\/li>\n
                                                                                                                      • Object selection<\/li>\n
                                                                                                                      • Destination access controls<\/li>\n
                                                                                                                      • Logging\/retention<\/li>\n
                                                                                                                      • Incident response ownership<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                        Always review the official \u201cknown limitations\u201d and \u201csupported sources\/destinations\u201d pages for your exact versions and regions.<\/p>\n\n\n\n
                                                                                                                        Common limitations\/gotchas in CDC\/replication projects:\n– Source support matrix<\/strong>: Not all DB engines\/versions\/editions are supported.\n– DDL\/schema changes<\/strong>: Handling of ALTER TABLE, renames, and type changes can be nuanced.\n– Large objects \/ special types<\/strong>: Some data types may map imperfectly to BigQuery or file outputs.\n– Primary keys<\/strong>: Replication semantics (especially updates\/deletes) often rely on stable keys.\n– Initial backfill impact<\/strong>: Backfill can generate significant load on the source and network.\n– Permissions<\/strong>: The source user must have enough privileges for snapshot + CDC.\n– WAL\/binlog retention<\/strong>: If logs are truncated before Datastream reads them, replication can break.\n– Latency expectations<\/strong>: \u201cNear-real-time\u201d still requires monitoring; spikes happen during backfill, schema changes, or source load.\n– Regional placement<\/strong>: Cross-region pipelines can add egress cost and latency.\n– Destination write model<\/strong>: BigQuery replication model can differ from \u201cexact mirror table.\u201d Verify how changes are represented and how to query current state.\n– Operational ownership<\/strong>: Even managed CDC needs clear ownership for failures, schema issues, and access reviews.<\/p>\n\n\n\n
                                                                                                                        14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                        Datastream is one option in a broader data ingestion landscape.<\/p>\n\n\n\n
                                                                                                                        Comparison table<\/h3>\n\n\n\n
                                                                                                                        \n\n\n\n\n\n\n\n\n\n\n
                                                                                                                        Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                        Datastream (Google Cloud)<\/strong><\/td>\nManaged CDC from supported DBs to BigQuery\/Cloud Storage<\/td>\nLow ops, CDC + backfill, Google Cloud-native destinations<\/td>\nLimited to supported sources\/destinations; transformations usually downstream<\/td>\nYou want managed CDC into BigQuery\/Cloud Storage<\/td>\n<\/tr>\n
                                                                                                                        Dataflow (Google Cloud)<\/strong><\/td>\nCustom streaming\/batch ETL<\/td>\nPowerful transforms, many connectors, flexible pipelines<\/td>\nYou must build\/operate pipelines; CDC from DB logs usually needs extra tooling<\/td>\nYou need complex transforms and custom sinks<\/td>\n<\/tr>\n
                                                                                                                        BigQuery Data Transfer Service<\/strong><\/td>\nScheduled transfers from supported SaaS\/data sources<\/td>\nEasy managed scheduled loads<\/td>\nNot a general CDC tool for OLTP DB logs<\/td>\nYou need scheduled ingestion from supported transfer sources<\/td>\n<\/tr>\n
                                                                                                                        Database Migration Service (Google Cloud)<\/strong><\/td>\nDatabase migrations to Cloud SQL\/AlloyDB (and possibly continuous replication for migration)<\/td>\nMigration-focused workflows<\/td>\nNot primarily an analytics CDC to BigQuery<\/td>\nYou\u2019re migrating databases rather than building analytics CDC<\/td>\n<\/tr>\n
                                                                                                                        Self-managed Debezium + Kafka<\/strong><\/td>\nBroad CDC to many consumers<\/td>\nVery flexible, many sinks via Kafka ecosystem<\/td>\nHigh ops cost, scaling and security complexity<\/td>\nYou need multi-sink event streaming and accept ops burden<\/td>\n<\/tr>\n
                                                                                                                        AWS DMS<\/strong><\/td>\nCDC\/migration in AWS ecosystem<\/td>\nMature CDC and migration tool<\/td>\nBest integrated with AWS; cross-cloud adds complexity<\/td>\nYour platform is AWS-centric<\/td>\n<\/tr>\n
                                                                                                                        Azure Data Factory + CDC patterns<\/strong><\/td>\nData integration in Azure<\/td>\nStrong integration in Azure<\/td>\nCDC specifics vary; may require extra components<\/td>\nYour platform is Azure-centric<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                        15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                        Enterprise example: Retail analytics modernization<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Problem<\/strong>: A retailer runs on-prem Oracle for order processing. Analysts need near-real-time sales analytics in BigQuery and want to retire heavy reporting queries on the OLTP system.<\/li>\n
                                                                                                                        • Proposed architecture<\/strong>:<\/li>\n
                                                                                                                        • On-prem Oracle \u2192 Datastream (private connectivity via Interconnect\/VPN) \u2192 BigQuery<\/li>\n
                                                                                                                        • Downstream: curated marts in BigQuery; dashboards in Looker<\/li>\n
                                                                                                                        • Monitoring and alerts for stream lag; strict dataset access controls for PII<\/li>\n
                                                                                                                        • Why Datastream was chosen<\/strong>:<\/li>\n
                                                                                                                        • Managed CDC reduces operational complexity versus self-managed connectors.<\/li>\n
                                                                                                                        • Direct alignment with BigQuery analytics.<\/li>\n
                                                                                                                        • Private connectivity supports compliance and avoids public database exposure.<\/li>\n
                                                                                                                        • Expected outcomes<\/strong>:<\/li>\n
                                                                                                                        • Reduced OLTP reporting load<\/li>\n
                                                                                                                        • Data freshness improved from daily to minutes<\/li>\n
                                                                                                                        • Standardized ingestion and stronger governance<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Startup\/small-team example: SaaS product metrics in BigQuery<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Problem<\/strong>: A startup\u2019s PostgreSQL database is the system of record. They need near-real-time KPIs and cohort analysis without building a complex streaming platform.<\/li>\n
                                                                                                                          • Proposed architecture<\/strong>:<\/li>\n
                                                                                                                          • Cloud SQL for PostgreSQL \u2192 Datastream \u2192 BigQuery dataset<\/li>\n
                                                                                                                          • Scheduled SQL transformations in BigQuery for curated tables<\/li>\n
                                                                                                                          • Basic monitoring alerts on stream failures<\/li>\n
                                                                                                                          • Why Datastream was chosen<\/strong>:<\/li>\n
                                                                                                                          • Fast setup, minimal ops<\/li>\n
                                                                                                                          • Fits a small team\u2019s capacity<\/li>\n
                                                                                                                          • Expected outcomes<\/strong>:<\/li>\n
                                                                                                                          • Simple, reliable replication pipeline<\/li>\n
                                                                                                                          • Faster iteration on analytics models<\/li>\n
                                                                                                                          • Clear cost model focused on change volume and BigQuery usage<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            16. FAQ<\/h2>\n\n\n\n
                                                                                                                            1) Is Datastream an ETL tool?<\/strong>\nDatastream is primarily a CDC\/replication<\/strong> service. Transformations typically happen downstream (for example in Dataflow or BigQuery).<\/p>\n\n\n\n
                                                                                                                            2) Does Datastream do initial full loads?<\/strong>\nYes, it supports backfill<\/strong> (initial snapshot) for selected objects, then continues with CDC (verify backfill behavior for your source engine).<\/p>\n\n\n\n
                                                                                                                            3) Which databases can Datastream read from?<\/strong>\nCommon sources include PostgreSQL, MySQL, and Oracle, but support depends on version\/edition. Check the official support matrix: https:\/\/cloud.google.com\/datastream\/docs\/sources<\/p>\n\n\n\n
                                                                                                                            4) Can Datastream write directly to BigQuery?<\/strong>\nYes, BigQuery is a common destination. Confirm the current destination capabilities and semantics: https:\/\/cloud.google.com\/datastream\/docs\/destinations<\/p>\n\n\n\n
                                                                                                                            5) Can Datastream write to Pub\/Sub or Kafka directly?<\/strong>\nTypically Datastream targets BigQuery or Cloud Storage. For Pub\/Sub\/Kafka-style patterns, use Cloud Storage as a landing zone and transform\/forward using Dataflow (or choose a different CDC stack). Verify current destination support in docs.<\/p>\n\n\n\n
                                                                                                                            6) How fresh is the data in BigQuery?<\/strong>\nFreshness depends on change volume, source load, network, and stream health. Monitor lag\/freshness metrics rather than assuming a fixed SLA. Verify published SLAs (if any) in official documentation.<\/p>\n\n\n\n
                                                                                                                            7) Do I need a public IP on the source database?<\/strong>\nNo\u2014private connectivity is recommended. Public IP is possible in some scenarios but increases security risk and requires allowlisting.<\/p>\n\n\n\n
                                                                                                                            8) What happens if the stream goes down?<\/strong>\nDatastream will surface errors and stream state changes; recovery depends on the failure mode (connectivity, permissions, log retention). You should have alerts and runbooks.<\/p>\n\n\n\n
                                                                                                                            9) Does Datastream handle schema changes automatically?<\/strong>\nSchema evolution support depends on the source\/destination and change type. Always test DDL changes in staging and verify documented behavior.<\/p>\n\n\n\n
                                                                                                                            10) Will Datastream impact my production database performance?<\/strong>\nCDC reads logs and can increase IO\/CPU and log retention. Backfills can add significant read load. Plan capacity and test.<\/p>\n\n\n\n
                                                                                                                            11) How do deletes appear in BigQuery?<\/strong>\nRepresentation can vary (for example, tombstones, merge semantics, or change tables). Verify the BigQuery destination model in official docs and design queries accordingly.<\/p>\n\n\n\n
                                                                                                                            12) Can I replicate only some tables?<\/strong>\nYes, streams support object selection rules so you can include\/exclude objects.<\/p>\n\n\n\n
                                                                                                                            13) How do I secure database credentials?<\/strong>\nStore credentials in Secret Manager, restrict access, rotate regularly, and use dedicated least-privilege DB users.<\/p>\n\n\n\n
                                                                                                                            14) How do I estimate cost?<\/strong>\nEstimate backfill size + daily change volume, then use the Datastream pricing page and the Google Cloud Pricing Calculator. Remember BigQuery query costs can dominate.<\/p>\n\n\n\n
                                                                                                                            15) Is Datastream suitable for disaster recovery replication?<\/strong>\nDatastream is designed for analytics and pipeline replication patterns. DR requirements (RPO\/RTO, failover) may need database-native replication or specialized DR designs. Evaluate carefully.<\/p>\n\n\n\n
                                                                                                                            16) Can I run multiple streams from the same database?<\/strong>\nOften yes, but it depends on source limits (replication slots, connections) and Datastream quotas. Verify limits in official docs.<\/p>\n\n\n\n
                                                                                                                            17) What\u2019s the difference between Datastream and Database Migration Service?<\/strong>\nDatastream focuses on CDC into analytics\/storage destinations, while Database Migration Service focuses on migrating databases to managed database targets (and may support continuous replication for migration). Choose based on your goal.<\/p>\n\n\n\n
                                                                                                                            17. Top Online Resources to Learn Datastream<\/h2>\n\n\n\n
                                                                                                                            \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                            Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                            Official documentation<\/td>\nDatastream docs https:\/\/cloud.google.com\/datastream\/docs<\/td>\nPrimary reference for concepts, configuration, and supported sources\/destinations<\/td>\n<\/tr>\n
                                                                                                                            Official pricing<\/td>\nDatastream pricing https:\/\/cloud.google.com\/datastream\/pricing<\/td>\nCurrent pricing model and SKUs (region-dependent)<\/td>\n<\/tr>\n
                                                                                                                            Pricing calculator<\/td>\nGoogle Cloud Pricing Calculator https:\/\/cloud.google.com\/products\/calculator<\/td>\nBuild estimates including Datastream + BigQuery + Cloud SQL<\/td>\n<\/tr>\n
                                                                                                                            Locations<\/td>\nDatastream locations https:\/\/cloud.google.com\/datastream\/docs\/locations<\/td>\nVerify regional availability and plan deployments<\/td>\n<\/tr>\n
                                                                                                                            Connectivity guide<\/td>\nConfigure connectivity (Datastream) https:\/\/cloud.google.com\/datastream\/docs\/configure-connectivity<\/td>\nCanonical steps for private\/public connectivity patterns<\/td>\n<\/tr>\n
                                                                                                                            Access control<\/td>\nDatastream access control https:\/\/cloud.google.com\/datastream\/docs\/access-control<\/td>\nIAM roles, permissions, and service agent guidance<\/td>\n<\/tr>\n
                                                                                                                            Destinations<\/td>\nDatastream destinations https:\/\/cloud.google.com\/datastream\/docs\/destinations<\/td>\nUnderstand BigQuery\/Cloud Storage behaviors and constraints<\/td>\n<\/tr>\n
                                                                                                                            Sources<\/td>\nDatastream sources https:\/\/cloud.google.com\/datastream\/docs\/sources<\/td>\nVerify supported engines\/versions and required DB settings<\/td>\n<\/tr>\n
                                                                                                                            BigQuery quotas<\/td>\nBigQuery quotas https:\/\/cloud.google.com\/bigquery\/quotas<\/td>\nPlan ingestion\/query limits and avoid surprises<\/td>\n<\/tr>\n
                                                                                                                            Cloud SQL docs<\/td>\nCloud SQL for PostgreSQL docs https:\/\/cloud.google.com\/sql\/docs\/postgres<\/td>\nRequired flags and operational guidance for logical decoding\/replication<\/td>\n<\/tr>\n
                                                                                                                            Architecture Center<\/td>\nGoogle Cloud Architecture Center https:\/\/cloud.google.com\/architecture<\/td>\nPatterns for analytics pipelines, landing zones, and governance (search for Datastream-related references)<\/td>\n<\/tr>\n
                                                                                                                            Videos<\/td>\nGoogle Cloud Tech (YouTube) https:\/\/www.youtube.com\/@googlecloudtech<\/td>\nPractical demos and explanations (search within channel for \u201cDatastream\u201d)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                            18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                            \n\n\n\n\n\n\n\n\n
                                                                                                                            Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                            DevOpsSchool.com<\/td>\nCloud\/DevOps engineers, SREs, platform teams<\/td>\nGoogle Cloud operations, pipelines, automation; may include Datastream as part of data engineering<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                            ScmGalaxy.com<\/td>\nBeginners to intermediate engineers<\/td>\nDevOps\/SCM fundamentals and adjacent cloud tooling<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                            CLoudOpsNow.in<\/td>\nCloud ops practitioners<\/td>\nCloud operations, monitoring, reliability practices<\/td>\nCheck website<\/td>\nhttps:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                            SreSchool.com<\/td>\nSREs and operations teams<\/td>\nReliability engineering, monitoring, incident response (useful for operating Datastream pipelines)<\/td>\nCheck website<\/td>\nhttps:\/\/sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                            AiOpsSchool.com<\/td>\nOps + automation practitioners<\/td>\nAIOps concepts, automation, monitoring analytics<\/td>\nCheck website<\/td>\nhttps:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                            19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                            \n\n\n\n\n\n\n\n
                                                                                                                            Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                            RajeshKumar.xyz<\/td>\nCloud\/DevOps training content (verify specific offerings)<\/td>\nEngineers seeking guided training<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                            devopstrainer.in<\/td>\nDevOps and cloud training<\/td>\nBeginners to intermediate DevOps practitioners<\/td>\nhttps:\/\/devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                            devopsfreelancer.com<\/td>\nFreelance DevOps services\/training platform (verify offerings)<\/td>\nTeams needing short-term help or coaching<\/td>\nhttps:\/\/devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                            devopssupport.in<\/td>\nDevOps support and guidance platform (verify offerings)<\/td>\nOps teams needing troubleshooting support<\/td>\nhttps:\/\/devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                            20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                            \n\n\n\n\n\n\n
                                                                                                                            Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                            cotocus.com<\/td>\nCloud\/DevOps\/engineering services (verify specific portfolio)<\/td>\nArchitecture, implementation, and operations for cloud pipelines<\/td>\nDatastream proof-of-concept, secure connectivity setup, monitoring\/runbooks<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                            DevOpsSchool.com<\/td>\nDevOps and cloud consulting\/training organization<\/td>\nEnablement, platform practices, pipeline standardization<\/td>\nEstablishing standardized CDC ingestion patterns and operational governance<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                            DEVOPSCONSULTING.IN<\/td>\nDevOps consulting services<\/td>\nCI\/CD, cloud ops, reliability and security practices<\/td>\nImplementing observability, IAM guardrails, and cost controls for data pipelines<\/td>\nhttps:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                            21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                            What to learn before Datastream<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Core Google Cloud fundamentals: projects, IAM, VPC networking, billing<\/li>\n
                                                                                                                            • Database fundamentals: PostgreSQL\/MySQL\/Oracle basics, backups, performance<\/li>\n
                                                                                                                            • Analytics basics: BigQuery datasets\/tables, partitioning, clustering, query costs<\/li>\n
                                                                                                                            • Security basics: least privilege, secret handling, audit logs<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              What to learn after Datastream<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Data modeling for analytics (dimensional modeling, wide tables vs normalized)<\/li>\n
                                                                                                                              • Dataflow for streaming\/batch transformations<\/li>\n
                                                                                                                              • Governance: Dataplex, policy tags, data classification workflows (as applicable)<\/li>\n
                                                                                                                              • Observability: SLOs for data freshness, alerting and incident management<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Data Engineer (ingestion and pipeline design)<\/li>\n
                                                                                                                                • Cloud Engineer \/ Platform Engineer (standardizing managed services)<\/li>\n
                                                                                                                                • Solutions Architect (hybrid + analytics architectures)<\/li>\n
                                                                                                                                • SRE\/Operations (monitoring and reliability for pipelines)<\/li>\n
                                                                                                                                • Security Engineer (secure connectivity and access controls)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                  Datastream is typically covered as part of broader Google Cloud certifications rather than a standalone certification. Consider:\n– Professional Data Engineer\n– Professional Cloud Architect\nAlways confirm current Google Cloud certification tracks: https:\/\/cloud.google.com\/learn\/certification<\/p>\n\n\n\n
                                                                                                                                  Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Replicate a small PostgreSQL schema to BigQuery and build a Looker dashboard with freshness monitoring.<\/li>\n
                                                                                                                                  • Land CDC to Cloud Storage, then build a Dataflow pipeline to create a curated BigQuery model.<\/li>\n
                                                                                                                                  • Implement a \u201cschema change test harness\u201d in staging: apply DDL changes and document effects.<\/li>\n
                                                                                                                                  • Build cost controls: budgets, alerts, and automated teardown for dev streams.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    22. Glossary<\/h2>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • CDC (Change Data Capture)<\/strong>: Technique to capture row-level changes (insert\/update\/delete) from a database\u2019s logs.<\/li>\n
                                                                                                                                    • Backfill<\/strong>: Initial copy of existing table data before ongoing CDC begins.<\/li>\n
                                                                                                                                    • Connection profile<\/strong>: Datastream configuration that stores connectivity details for a source or destination.<\/li>\n
                                                                                                                                    • Stream<\/strong>: Datastream resource that defines replication behavior (source \u2192 destination, selection rules, backfill, state).<\/li>\n
                                                                                                                                    • Logical decoding (PostgreSQL)<\/strong>: PostgreSQL mechanism to decode WAL into logical change events for replication\/CDC.<\/li>\n
                                                                                                                                    • WAL (Write-Ahead Log)<\/strong>: PostgreSQL transaction log used for durability and replication.<\/li>\n
                                                                                                                                    • Binlog (MySQL)<\/strong>: MySQL binary log used for replication and CDC.<\/li>\n
                                                                                                                                    • Least privilege<\/strong>: Security principle of granting only the permissions needed to perform a task.<\/li>\n
                                                                                                                                    • Private IP \/ Private connectivity<\/strong>: Networking pattern where services communicate over internal IPs rather than public internet.<\/li>\n
                                                                                                                                    • Service agent<\/strong>: Google-managed service account used by a managed service to access resources in your project.<\/li>\n
                                                                                                                                    • Data freshness<\/strong>: How up-to-date the destination data is compared to the source.<\/li>\n
                                                                                                                                    • Landing zone<\/strong>: A raw ingestion area (often Cloud Storage) where data is first delivered before transformations.<\/li>\n
                                                                                                                                    • Data egress<\/strong>: Network traffic leaving a region or cloud boundary, often billable.<\/li>\n
                                                                                                                                    • Quotas<\/strong>: Service limits on resources or requests, enforced per project\/region\/account.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      23. Summary<\/h2>\n\n\n\n
                                                                                                                                      Datastream is Google Cloud\u2019s managed CDC and replication<\/strong> service in the Data analytics and pipelines<\/strong> category. It captures database changes (and optionally backfills historical data) and delivers them to BigQuery<\/strong> or Cloud Storage<\/strong>, enabling near-real-time analytics without running your own CDC infrastructure.<\/p>\n\n\n\n
                                                                                                                                      It matters because it reduces operational complexity for a common enterprise need: keeping analytics data fresh while minimizing load on production databases. Architecturally, it fits best as the ingestion layer between OLTP systems and Google Cloud analytics platforms, often combined with Dataflow\/BigQuery transformations and strong governance.<\/p>\n\n\n\n
                                                                                                                                      For cost, plan around backfill size<\/strong>, ongoing change volume<\/strong>, and downstream costs (especially BigQuery queries<\/strong>). For security, prioritize private connectivity<\/strong>, dedicated least-privilege database users, careful dataset permissions for the Datastream service agent, and monitoring\/alerts on stream health and freshness.<\/p>\n\n\n\n
                                                                                                                                      Use Datastream when you need managed CDC into Google Cloud-native analytics destinations; choose alternatives when you need unsupported sources\/destinations or heavy inline transformations. Next step: read the official connectivity and destination semantics docs, then extend the lab to Cloud Storage landing + Dataflow transformations for a production-grade pipeline.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                      Data analytics and pipelines<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[59,51],"tags":[],"class_list":["post-656","post","type-post","status-publish","format-standard","hentry","category-data-analytics-and-pipelines","category-google-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=656"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/656\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}