This page describes how to create a private connectivity configuration. A private connectivity configuration is a Database Migration Service construct that helps you create a peering connection between the Database Migration Service service network and the Virtual Private Cloud (VPC) network where your source's private IP can be reached. You create private connectivity configurations to establish private connections to your source Oracle database.
Before you begin
- Ensure you have a Virtual Private Cloud network that meets the following requirements:
  - The VPC network doesn't have any peering restrictions.
  - The network must be the same network where your source database private IP is available.
    Transitive peering isn't supported. If your source is hosted either in another VPC or outside of your Google Cloud VPC network, and the VPC network to which Database Migration Service is peered doesn't have direct connectivity to the VPC or network that hosts the source, then you need a reverse proxy.
  - The VPC network has an available IP range with a minimum CIDR block of /29. Database Migration Service uses this IP range to create a subnet so that it can communicate with the source database.
- Enable the Database Migration Service and Compute Engine APIs.
Required roles
To get the permissions that you need to create a private connectivity configuration, ask your administrator to grant the following required IAM roles on your project for the following accounts involved in the migration process:
- User account that performs the migration:
  - Database Migration Admin (roles/datamigration.admin)
  - Compute Network Viewer (roles/compute.networkViewer)
- Database Migration Service service account:
  - Compute Network Admin (roles/compute.networkAdmin)
    The email address associated with the Database Migration Service service account is based on your project number and uses the following format: service-[project_number]@gcp-sa-datamigration.iam.gserviceaccount.com.
For more information about granting roles, see Manage access in the Identity and Access Management documentation.
These predefined roles contain the permissions required to create a private connectivity configuration in Database Migration Service. To see the exact permissions that are required, see the Required permissions section:
Required permissions
The following permissions are required to perform homogeneous SQL Server migrations with Database Migration Service:
- User account that performs the migration:
  - datamigration.*
  - compute.networks.list
- Database Migration Service service account:
  - compute.networks.list
  - compute.networks.create
You might also be able to get these permissions with custom roles or other predefined roles.
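To confirm the grants listed under Required roles before you create the configuration, the following added example (not part of the original page or of Google's tooling) checks a project IAM policy in JSON form, such as the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`. The sample policy, the project number 123456789012 and the user migrator@example.com are constructed, and the function names are hypothetical.

```python
# Added example, not Google's code. Checks the predefined roles this page lists
# against direct project-level bindings of an IAM policy.
import json

USER_ROLES = {"roles/datamigration.admin", "roles/compute.networkViewer"}
AGENT_ROLES = {"roles/compute.networkAdmin"}
# Service account email format as given on this page.
AGENT_FORMAT = "service-{project_number}@gcp-sa-datamigration.iam.gserviceaccount.com"


def granted_roles(policy, member):
    """Roles bound to `member` unconditionally.

    Assumption: a binding that carries an IAM condition is treated as not
    granted, because it may not apply when the configuration is created.
    """
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def missing_roles(policy, project_number, user_email):
    """Map each principal to the required roles it does not hold."""
    agent = "serviceAccount:" + AGENT_FORMAT.format(project_number=project_number)
    user = "user:" + user_email
    return {
        user: sorted(USER_ROLES - granted_roles(policy, user)),
        agent: sorted(AGENT_ROLES - granted_roles(policy, agent)),
    }


# Constructed sample policy: the user's networkViewer grant is conditional.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/datamigration.admin", "members": ["user:migrator@example.com"]},
  {"role": "roles/compute.networkViewer", "members": ["user:migrator@example.com"],
   "condition": {"title": "expires",
                 "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
  {"role": "roles/compute.networkAdmin", "members":
   ["serviceAccount:service-123456789012@gcp-sa-datamigration.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    result = missing_roles(SAMPLE_POLICY, "123456789012", "migrator@example.com")
    for principal, roles in result.items():
        print(principal, "missing:", roles or "nothing")
```

The check sees only direct project-level bindings, so roles inherited from a folder or organization, granted through a group, or covered by the custom roles mentioned above are reported as missing.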
Create the configuration
To create a private connectivity configuration, follow these steps:
- In the Google Cloud console, go to the Private connectivity configurations page.
- Click Create configuration.
- In the Configure private connectivity section, enter the display name for the configuration and select the region.
  Make sure you use the same region where your project Virtual Private Cloud network resides. It must be the same region where you intend to create the migration job and connection profiles. Database Migration Service is a fully regional product, meaning all entities related to your migration (source and destination connection profiles, migration jobs, destination databases, conversion workspaces) must be saved in a single region.
- From the Authorized VPC network drop-down menu, select the VPC that you want Database Migration Service to have private connectivity access to. This VPC needs to be the network where your source SQL Server has a private IP assigned.
- In the Allocate an IP range field, enter an IP range with a minimum CIDR block of /29. For example: 10.72.149.40/29.
  Database Migration Service creates a subnet based on that IP range in your selected VPC. We recommend that you consult your network administrator to acquire a suitable IP range.
For testing purposes, you can also try to generate an IP range with the Virtual Private Cloud private services access interface. Note that this automatic allocation isn't intended for Database Migration Service private connectivity configurations. You need to release the automatically allocated range before you use it in Database Migration Service. See the following example for more information.
Example: generate an IP range with private services access
You can generate an unoccupied IP range in your VPC network when you create a private services access setup. You can later release this range in the VPC configuration and use it for the Database Migration Service private connectivity configuration.
To generate an unoccupied IP range, follow these steps:
- In the Google Cloud console, go to the VPC networks page.
- From the list of networks in your project, select the one where your source SQL Server database has a private IP assigned.
- Go to the Private services access tab and click Allocate IP range.
- In the Allocate an internal IP range window, enter the following:
  - A display name in the Name field.
  - Select the Automatic option and enter 29 for the prefix length.
  Result: Your VPC network allocates an empty IP range for private services access in your project.
- Check the Internal IP range value of the newly allocated range. Note it down for later use in Database Migration Service.
- Select your new IP range from the list, and click Release.
- The generated IP range is now free for use in another subnet. Enter the range you noted down in the Allocate an IP range field when you create the private connectivity configuration in Database Migration Service.
- Click Create.
The private connectivity configuration is now ready for use with a source connection profile.
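A pre-flight check for the value you enter in the Allocate an IP range field, as an added example that is not part of the original page: it verifies the /29 minimum and that the range is unoccupied, including the case of an automatically allocated range that has not been released yet. The existing ranges are constructed sample data, the names are hypothetical, and IPv4 is assumed as in the page's example.

```python
# Added example, not Google's code.
import ipaddress

# "Minimum CIDR block of /29" is read here as "at least 8 addresses",
# so the prefix length must be 29 or shorter (assumption).
MAX_PREFIX = 29

# Constructed sample: ranges already in use in the VPC, keyed by a label.
EXISTING_RANGES = {
    "app-subnet": "10.72.0.0/20",
    "psa-auto-range": "10.72.149.32/29",  # allocated for private services access, not released
}


def check_range(candidate, existing_ranges):
    """Return a list of problems with `candidate`; an empty list means it passes."""
    try:
        # strict=True also rejects a range with host bits set, e.g. 10.72.149.41/29
        net = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]

    problems = []
    if net.prefixlen > MAX_PREFIX:
        problems.append(f"/{net.prefixlen} is smaller than the /{MAX_PREFIX} minimum")
    for name, cidr in existing_ranges.items():
        other = ipaddress.IPv4Network(cidr, strict=False)
        if net.overlaps(other):
            problems.append(f"overlaps {name} ({other})")
    return problems


if __name__ == "__main__":
    for cidr in ("10.72.149.40/29", "10.72.149.32/28", "10.72.149.40/30", "10.72.149.41/29"):
        print(cidr, "->", check_range(cidr, EXISTING_RANGES) or "ok")
```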