Configure connectivity using VPNs

Overview

If your source database is inside a VPN (in AWS, for example, or your on-premises VPN), you also need to use a VPN on the destination side to connect to the source.

There are many VPN products you can use. The steps to configure VPNs vary from one product to another, but all of them are fundamentally similar. This section contains examples using AWS and Google Cloud VPNs.

The source database server's firewall must be configured to allow the entire internal IP range allocated for the private service connection of the VPC network that the Cloud SQL destination instance is going to use.

To find the internal IP range in the console:

  1. Go to the VPC networks page in the Google Cloud Console.

  2. Select the VPC network that you want to use.

  3. Select the PRIVATE SERVICE CONNECTION tab.

Example 1: AWS with Google Cloud Classic VPN with static routes

Find more complete, step-by-step documentation in the following links:

Put together, the overall sequence of steps looks like the following:

  1. In Google Cloud Console > VPC Networks > External IP addresses, reserve a static IP address to use for the Cloud VPN.
  2. In the AWS VPC console:
    1. Create a customer gateway.
    2. Create a new virtual private gateway or add an existing one to the VPC associated with your database.
    3. In Routes Tables add route propagation:
    4. Click Edit, check the propagate checkbox and Save to add the IP address range of your GCP VPC network as the destination range.
  3. In the AWS VPC console, create the VPN:
    1. Under VPN Connections, select Site-to-site VPN Connections.
    2. Select Create VPN Connection.
    3. Enter a name for the VPN connection.
    4. For Virtual Private Gateway, select the private gateway that you created or selected earlier in this procedure.
    5. For Customer Gateway, select the customer gateway that you created earlier in this procedure.
    6. For Routing Options, select Static, and specify the static IP address you reserved for the Cloud VPN as a CIDR (add /32).
    7. Download the configuration to save the settings.
      1. Save the file as Default.
      2. Find the sections IP Sec Tunnels #1 and #2.
      3. Note the IKE version and Pre-Shared Key for each tunnel.
      4. Note the IP address for the Virtual Private Gateway for each tunnel.
      5. Note the IP address for the Static Route Configuration option for each tunnel.
  4. In Google Cloud, create a Classic VPN using static routing.
    1. In Google Cloud Console > Hybrid Connectivity > VPN:
    2. Click Create VPN connection.
      1. Select your VPC network and region.
      2. For the Cloud VPN, use the static IP address you reserved earlier in this procedure.
      3. Use a Pre-shared key and key type from the AWS configuration you downloaded earlier in this procedure.
      4. Select the Route based routing option and add two tunnels; for each tunnel's Remote network IP range field, use an IP address for the Static Route Configuration option from the IP Sec Tunnel sections of the AWS configuration file you downloaded earlier in this procedure.
      5. Click Create.Remote network IP range
  1. In the AWS RDS console:
    1. Select a security group.
    2. Add inbound firewall rules to allow all protocols and ports from the Cloud VPN.

The VPN tunnels should begin communicating shortly. On the AWS side, in the VPC Dashboard, the tunnel statuses are UP. On the GCP side, view the traffic between the VPNs in the Cloud Logging console in the Cloud VPN gateway project.

Example 2: AWS with Google Cloud HA VPN with dynamic routes

To get VPC Peering with an HA VPN (dynamic routes) to AWS, you need to export BGP routes to the Cloud SQL peered VPC, and create a custom advertised route in Cloud Router for the Cloud SQL peered VPC imported route. At that point, Cloud Router is advertising AWS routes to the Cloud SQL VPC and the other way around. The firewall rules on both sides also need to match the Cloud SQL peering route CIDR.

On the AWS side, you can follow the first three steps in Example 1, except select Dynamic instead of Static under Routing options.

  1. Select your Cloud SQL VPC Peering configuration in the Console and note the Destination IP ranges under IMPORTED ROUTES. For more information, see Importing and exporting custom routes.
  2. Edit this VPC peering and check Import Custom Routes and Export Custom Routes in the VPC Peering connection details, and click SAVE.

    The peering now receives dynamic routes from your VPC like the routes coming from BGP peers. This allows traffic from the VPN to the peered network. However, Cloud Router is not yet advertising this route to other networks. To do so, you need to add custom advertised routes in the Cloud Router so that your VPC advertises the imported routes to other networks. For more information, see Importing and exporting custom routes.

  3. Add your DESTINATION_IP_RANGE custom IP range as a custom route in the Cloud Router configuration advertised routes. BGP peered networks are now receiving advertisements of the imported Cloud SQL network routes, DESTINATION_IP_RANGE. Traffic on those VPN-connected networks bound for the Cloud SQL peered VPC are now routed through the VPN tunnel.
  4. Allow routes to propagate in AWS route tables. Make sure AWS route tables for the subnets that contain your source database contain an entry for the DESTINATION_IP_RANGE range that routes to the VPN Virtual Private Gateway.
  5. Add a security group firewall inbound rule to allow traffic for DESTINATION_IP_RANGE TCP port 5432. Connectivity can now be established.