Enable external connections

By default, a database cluster only allows connections from within the user cluster and the same project. To allow external connections from IP addresses outside of your Google Distributed Cloud air-gapped organization:

Console

  1. Sign in to the GDC console with an account bound to the project-networkpolicy-admin role to create firewall rules.
  2. From the main menu of the GDC console, choose Firewall.
  3. In the User created rules section, click Create.
  4. In Firewall rule details, create a name for your firewall rule.
  5. In the Direction of traffic dialog, choose INGRESS.
  6. In the Target dialog, choose Service and then select dbs.
  7. In the From dialog, choose Outside the organization and input the CIDR range from which you would like to allow external connectivity.
  8. Click Create.
  9. Wait for the Status column of the new rule to show Ready.
  10. Sign in to the GDC console with an account bound to the project-db-admin
  11. From the main menu of the GDC console, choose Database Service.
  12. Select the database cluster that you want to enable external connections to.
  13. Check the Allow external connections line of the Connectivity section of the Database cluster overview to see whether external connections are already allowed.
  14. In the Connectivity section of the Database cluster overview, click Edit.
  15. Select the Allow external connections checkbox.
  16. Click SAVE.

API

  1. Create a ProjectNetworkPolicy resource to allow external connections:

    apiVersion: networking.gdc.goog/v1
    kind: ProjectNetworkPolicy
    metadata:
      name: allow-external-dbs
      namespace: USER_PROJECT
    spec:
      ingress:
      - from:
        - ipBlock:
            cidr: CIDR_RANGE
      policyType: Ingress
      subject:
        managedServices:
          matchTypes:
          - dbs
        subjectType: ManagedService

  2. Update the database cluster to enable connections external to the organization:

    kubectl patch dbcluster.DBENGINE_NAME.dbadmin.gdc.goog DBCLUSTER_NAME -p '{"spec":{"allowExternalIncomingTraffic":true}}' --type=merge -n USER_PROJECT
    

Replace the following:

  • USER_PROJECT: the name of the user project where the database cluster was created.
  • CIDR_RANGE: the CIDR range from which you would like to allow external connectivity.
  • DBENGINE_NAME: the name of the database engine. This is one of alloydbomni, postgresql or oracle.
  • DBCLUSTER_NAME: the name of the database cluster.
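The API steps above are easy to get wrong in one security-relevant way: the CIDR in the ProjectNetworkPolicy is the only thing standing between the dbs service and the outside of the organization, so a host address pasted as a /24 or an overly broad range should be caught before `kubectl apply`. The following is an added example, not code from the GDC documentation or product: it validates CIDR_RANGE with Python's standard `ipaddress` module, rejects malformed or "effectively anyone" ranges (the `MAX_ADDRESSES` threshold is a constructed choice), and renders the manifest and patch command with the placeholders filled in. The project, engine, cluster and CIDR values are constructed placeholders.

```python
import ipaddress
import json

# Constructed placeholder values for this example; substitute the real ones.
USER_PROJECT = "example-project"
DBENGINE_NAME = "postgresql"        # one of alloydbomni, postgresql or oracle
DBCLUSTER_NAME = "example-db"
CIDR_RANGE = "203.0.113.0/24"       # TEST-NET-3 documentation range

# Constructed threshold: anything covering more than a /16 worth of IPv4
# addresses is treated as "effectively anyone" and refused.
MAX_ADDRESSES = 2 ** 16

SUPPORTED_ENGINES = {"alloydbomni", "postgresql", "oracle"}


def check_cidr(cidr, max_addresses=MAX_ADDRESSES):
    """Return the parsed network, or raise ValueError if the range is bad.

    strict=True rejects a CIDR whose host bits are set (e.g. 203.0.113.5/24),
    which usually means a host address was pasted where a network belongs.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.num_addresses > max_addresses:
        raise ValueError(
            f"{cidr} covers {net.num_addresses} addresses; narrow the range "
            f"before exposing the dbs service to it"
        )
    return net


def render_policy(user_project, cidr):
    """Render the ProjectNetworkPolicy manifest with a validated CIDR filled in."""
    net = check_cidr(cidr)
    return (
        "apiVersion: networking.gdc.goog/v1\n"
        "kind: ProjectNetworkPolicy\n"
        "metadata:\n"
        "  name: allow-external-dbs\n"
        f"  namespace: {user_project}\n"
        "spec:\n"
        "  ingress:\n"
        "  - from:\n"
        "    - ipBlock:\n"
        f"        cidr: {net.with_prefixlen}\n"
        "  policyType: Ingress\n"
        "  subject:\n"
        "    managedServices:\n"
        "      matchTypes:\n"
        "      - dbs\n"
        "    subjectType: ManagedService\n"
    )


def render_patch_command(engine, cluster, user_project):
    """Build the kubectl patch command that turns allowExternalIncomingTraffic on."""
    if engine not in SUPPORTED_ENGINES:
        raise ValueError(f"unknown database engine {engine!r}")
    patch = json.dumps({"spec": {"allowExternalIncomingTraffic": True}})
    return (
        f"kubectl patch dbcluster.{engine}.dbadmin.gdc.goog {cluster} "
        f"-p '{patch}' --type=merge -n {user_project}"
    )


if __name__ == "__main__":
    # Print the manifest and the command; nothing is applied to a cluster here.
    print(render_policy(USER_PROJECT, CIDR_RANGE))
    print(render_patch_command(DBENGINE_NAME, DBCLUSTER_NAME, USER_PROJECT))
```

Running the script prints a manifest you can pipe into `kubectl apply -f -` and the patch command for step 2; if the CIDR is malformed or wider than the threshold, it stops before producing either, which is the point of running the check ahead of opening the policy.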