I have a Cloud SQL Postgres residing in a GCP project, let's call it project-A. The destination is a BQ dataset residing in a different GCP project, let's call it project-B. I totally understand VPC peering is needed to set up CDC via the Datastream managed service in GCP, with source as Postgres and destination as BQ in this case, but the real question is: do I need a VPN or Interconnect? The documentation is confusing. I am assuming VPN or Interconnect is only needed if the source DB is residing on-premises.
I also see that for VPC peering with private connectivity there is a need for a NAT VM as per the documentation, and I don't understand the need for it. By virtue of the VPC peering connectivity within Datastream, doesn't the Cloud SQL instance have connectivity by default? Or is it because the Cloud SQL instance resides in a Google-managed VPC and the VPC peering gives access to resources deployed in the user-defined VPC only, hence the need for a VM?