This page describes a configuration that replicates data from a source database server to Cloud SQL Second Generation replicas. This configuration is sometimes referred to as an external master configuration.
The source database server can be any MySQL server, including servers running on other GCP services (such as Compute Engine) or on other cloud providers (such as AWS RDS), provided they meet the requirements.
For step-by-step instructions for setting up this configuration, see Replicating from an External Server.
This configuration provides a way to achieve the following goals:
- Migrate your data from your self-managed MySQL server to GCP with a minimum of downtime.
  For the migration use case, the replication configuration is temporary. For more information, see Migrating data to Cloud SQL.
- Retain colocation and control of your server while off-loading the administration of the replicas to Cloud SQL.
  This use case is sometimes called a hybrid cloud. Replication between your self-managed server and the Cloud SQL replica continues indefinitely.
This configuration includes the following instances:
- The MySQL server that you manage, also called the source database server.
- The Cloud SQL replica.
  There can be multiple replicas for a single source database server.
- The source representation instance.
  The source representation instance is a Cloud SQL instance that represents the source database server to the Cloud SQL replica. It is visible in the GCP Console and appears the same as a regular Cloud SQL instance, but it contains no data, requires no configuration or maintenance, and does not affect billing. You cannot update the source representation instance.
The following diagram shows these instances:
Replicating from an external server requires that all changes to the data are sent between the source database server and the Cloud SQL replicas using public networks. For this reason, you should always use SSL/TLS for the connections between the source database server and the replicas.
You have two options for the SSL/TLS configuration:
- Server-only authentication: When the replica connects to the master, the replica authenticates the master, ensuring that the replica is connecting to the correct host and preventing man-in-the-middle attacks. The master does not authenticate the replica.
- Server-client authentication: When the replica connects to the master, the replica authenticates the master and the master authenticates the replica.
Generally, you should use server-client authentication, which provides the strongest security. However, if you do not want to provide the client certificate and private key when you create the replica, you can still use server-only authentication.
Preparing for server-only authentication
To use server-only authentication, you must provide (at replica creation time) the x509 PEM-encoded certificate of the certificate authority (CA) that signed the external server's certificate. The CA must contain only a single certificate, and it must be self-signed. (In other words, the certificate authority that signed the server's certificate must be a root CA.)
For more information about creating certificates and keys for your external server, see Creating SSL and RSA Certificates and Keys using MySQL.
Preparing for server-client authentication
To use server-client authentication, you must provide the following items when you create the replica:
- The x509 PEM-encoded certificate of the CA that signed the source database
server's certificate (
- The x509 PEM-encoded certificate that will be used by the replica to
authenticate against the source database server (
- The unencrypted
PEM-encoded private key associated with the
For more information about creating certificates and keys for your source database server, see Creating SSL and RSA Certificates and Keys using MySQL.
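The requirements in the two preparation sections above (a single self-signed root CA certificate, and an unencrypted private key for the client certificate) can be checked locally before you create the replica. The shell functions below are an added example, not part of the original page or of Cloud SQL tooling; the function names and file arguments are hypothetical, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical;
# the file arguments are whatever PEM files you plan to supply. Needs openssl.

# check_root_ca CA_PEM: exactly one certificate, and it is a self-signed root.
check_root_ca() (
    n=$(grep -c 'BEGIN CERTIFICATE-----' "$1")
    [ "$n" -eq 1 ] || { echo "FAIL: $1 holds '$n' certificates, need 1" >&2; exit 1; }
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || exit 1
    iss=$(openssl x509 -in "$1" -noout -issuer_hash) || exit 1
    [ "$subj" = "$iss" ] || { echo "FAIL: $1 is not a root (issuer != subject)" >&2; exit 1; }
    # Issuer == subject is not enough: -check_ss_sig also verifies the self-signature.
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1 ||
        { echo "FAIL: $1 does not verify against itself" >&2; exit 1; }
)

# check_signed_by CA_PEM CERT_PEM: CERT_PEM verifies against the root CA.
check_signed_by() (
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 does not verify against $1" >&2; exit 1; }
)

# check_client_pair CERT_PEM KEY_PEM: key is unencrypted and matches the cert.
check_client_pair() (
    if grep -q 'ENCRYPTED' "$2"; then
        echo "FAIL: $2 is passphrase-protected" >&2; exit 1
    fi
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $2 does not match $1" >&2; exit 1; }
)

# Usage: script CA_PEM SERVER_CERT_PEM [CLIENT_CERT_PEM CLIENT_KEY_PEM]
if [ "$#" -ge 2 ]; then
    check_root_ca "$1" && check_signed_by "$1" "$2" || exit 1
    if [ "$#" -eq 4 ]; then check_client_pair "$3" "$4" || exit 1; fi
    echo "OK: files meet the stated requirements"
fi
```

Pass the CA and server certificate for server-only authentication, and add the client certificate and key for server-client authentication.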
About creating multiple replicas from the same source database server
You can create multiple replicas from the same source database server. You might do this to provide more bandwidth or to create replicas in different regions.
If you are creating multiple replicas in the same region, they can all use the same source representation instance, or different ones. If you use the GCP Console to create multiple replicas, they will have different source representation instances.
If you are creating multiple replicas in different regions, they must have different source representation instances.
You cannot create more than one replica in the same operation. As soon as you finish creating the replica configuration for the first replica, you can start creating the replica configuration for the other replicas. You do not need to wait until the first replica is completely functional before starting to create other replicas. However, make sure you can complete the network access authorization step within 15 minutes for each replica you create.