Establish private connectivity using proxies

In this page, you learn how to use proxies to establish private connectivity between Database Migration Service and your data source. Your data source can be Cloud SQL or it can be a source that's hosted either in another Virtual Private Cloud (VPC) or outside of the Google Cloud network.

Private connectivity refers to a private, dedicated connection between your VPC network and the Database Migration Service private network, meaning no other customers can share the connection. The private connection lets Database Migration Service communicate with resources by using internal IP addresses.

You can use private connectivity to connect Database Migration Service to any source. However, only VPC networks that you peer together can communicate with each other.

Transitive peering isn't supported. If your source is hosted either in another VPC or outside of the Google Cloud network, and the VPC network to which Database Migration Service is peered doesn't have direct connectivity to the VPC or network that hosts the source, then you need a reverse proxy.

Set up a reverse proxy

If the Database Migration Service VPC network is peered with your VPC network, and your source is accessible from another VPC network, then Database Migration Service can't use only VPC network peering to communicate with the source. To bridge the connection between Database Migration Service and the source, you also need a reverse proxy.

The following diagram illustrates using a reverse proxy to establish a private connection between Database Migration Service and a source that's hosted outside of the Google Cloud network. In this diagram, VPC Network 1 is your VPC network and VPC Network 2 is the other VPC network from which your source is accessible.

[Diagram: Database Migration Service user flow, showing the reverse proxy VM in VPC Network 1 forwarding to the source reachable from VPC Network 2]

To establish a private connection between Database Migration Service and Cloud SQL using a reverse proxy, follow these steps:

  1. Identify the VPC network through which you want Database Migration Service to connect to the source.

  2. In this VPC network, create a VM using the basic Debian or Ubuntu image. This VM hosts the reverse proxy.

  3. Verify that the subnet is in the same region as Database Migration Service, and that the reverse proxy forwards traffic to the source (and not from it).

  4. Confirm that your VM can communicate with the source: from the VM, run ping against the source's internal IP address, or telnet against the source's internal IP address and database port.

  5. Connect to the reverse proxy VM over SSH and create a file containing the following script:

    #!/bin/bash
    # Run as root: writing ip_forward and changing iptables both require it.
    set -euo pipefail

    export DB_ADDR=SOURCE_PRIVATE_IP
    export DB_PORT=DATABASE_PORT

    # Enable the VM to forward packets whose destination does not
    # match any process running locally on the VM. This takes effect
    # immediately but is not preserved across a reboot by itself.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Ask the metadata server for the IP address of the VM's nic0
    # network interface:
    md_url_prefix="http://169.254.169.254/computeMetadata/v1/instance"
    vm_nic_ip="$(curl -s -H "Metadata-Flavor: Google" "${md_url_prefix}/network-interfaces/0/ip")"

    # Clear any existing iptables NAT table entries (all chains):
    iptables -t nat -F

    # Create a NAT table entry in the PREROUTING chain, matching any
    # packet addressed to the database port and rewriting its destination
    # IP address to your source instance's IP address:
    iptables -t nat -A PREROUTING \
         -p tcp --dport "$DB_PORT" \
         -j DNAT \
         --to-destination "$DB_ADDR"

    # Create a NAT table entry in the POSTROUTING chain, matching the same
    # packets and rewriting their source IP address to the NAT VM's primary
    # internal IPv4 address, so that the source's replies return through the VM:
    iptables -t nat -A POSTROUTING \
         -p tcp --dport "$DB_PORT" \
         -j SNAT \
         --to-source "$vm_nic_ip"

    # Print the resulting rules so you can confirm them. iptables-save only
    # writes to stdout; it does not by itself persist the rules across reboots.
    iptables-save

  6. Run the script.

  7. Create a private connectivity configuration in Database Migration Service to establish VPC peering between your VPC and the Database Migration Service VPC.

  8. Create a connection profile in Database Migration Service. For the connection details, enter the internal IP address and port of the VM that hosts the proxy.
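Once the script has run (step 6) and before you point a connection profile at the VM (step 8), it is worth confirming that the VM forwards exactly what the migration needs and nothing else. The following audit helper is an added example, not code from the Google Cloud page: it takes the text that `iptables-save` prints plus the `ip_forward` value and checks for the DNAT and SNAT rules the setup script installs. The function names, the sample `iptables-save` output and all addresses are constructed for illustration.

```bash
#!/bin/bash
# Post-setup audit for the reverse-proxy VM (added example, not from the
# Google Cloud documentation; names and sample data are constructed).

# check_nat_rules RULES IP_FORWARD DB_ADDR DB_PORT VM_NIC_IP -> 0 if clean, 1 otherwise
check_nat_rules() {
  local rules="$1" ip_forward="$2" db_addr="$3" db_port="$4" vm_ip="$5" status=0
  # Without forwarding the kernel drops the DNAT'ed packets instead of routing them.
  [ "$ip_forward" = "1" ] || { echo "FAIL: ip_forward is '$ip_forward', expected 1"; status=1; }
  # iptables-save prints "-p tcp --dport N" as "-p tcp -m tcp --dport N".
  local dnat="^-A PREROUTING -p tcp -m tcp --dport ${db_port} -j DNAT --to-destination ${db_addr}$"
  local snat="^-A POSTROUTING -p tcp -m tcp --dport ${db_port} -j SNAT --to-source ${vm_ip}$"
  printf '%s\n' "$rules" | grep -qE "$dnat" \
    && echo "OK: DNAT :${db_port} -> ${db_addr}" \
    || { echo "FAIL: DNAT rule for :${db_port} -> ${db_addr} missing"; status=1; }
  printf '%s\n' "$rules" | grep -qE "$snat" \
    && echo "OK: SNAT :${db_port} -> ${vm_ip}" \
    || { echo "FAIL: SNAT rule for :${db_port} -> ${vm_ip} missing"; status=1; }
  # The setup script flushes the nat table first, so any other PREROUTING or
  # POSTROUTING rule is drift: the VM forwards something the migration does not
  # need. The expected rules carry no -s match, so which clients may reach
  # DB_PORT on this VM is decided by your VPC firewall rules, not by iptables.
  local extra
  extra=$(printf '%s\n' "$rules" | grep -E '^-A (PREROUTING|POSTROUTING) ' | grep -vE "${dnat}|${snat}" || true)
  [ -z "$extra" ] || { echo "WARN: unexpected NAT rules:"; echo "$extra"; status=1; }
  return "$status"
}

# On the proxy VM, run as root to audit the live configuration:
#   audit_live SOURCE_PRIVATE_IP DATABASE_PORT
audit_live() {
  local md="http://169.254.169.254/computeMetadata/v1/instance/network-interfaces/0/ip"
  check_nat_rules "$(iptables-save -t nat)" "$(cat /proc/sys/net/ipv4/ip_forward)" \
    "$1" "$2" "$(curl -s -H 'Metadata-Flavor: Google' "$md")"
}

# Constructed sample of what `iptables-save -t nat` prints after the setup script ran.
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 5432 -j DNAT --to-destination 10.10.0.5
-A POSTROUTING -p tcp -m tcp --dport 5432 -j SNAT --to-source 10.20.0.2
COMMIT'
# Same VM after an unrelated forward was added (line order is irrelevant to the check).
SAMPLE_DRIFT="${SAMPLE_OK}
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.0.9"

check_nat_rules "$SAMPLE_OK" 1 10.10.0.5 5432 10.20.0.2
```

`audit_live` is the call to make on the VM itself; the sample strings only exist so the checker can be exercised offline.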

What's next