Configure connectivity using a TCP proxy through a cloud-hosted VM

MySQL | PostgreSQL | PostgreSQL to AlloyDB

Overview

In certain migration scenarios it might not be possible to establish direct connectivity between the source and the destination databases. In such cases we recommend using a TCP proxy VM for routing traffic. You can set up a TCP proxy VM with an automated script generated by Database Migration Service.

An architecture diagram for a private database connection that uses the TCP proxy VM.

Figure 1. Connectivity example: TCP proxy used for routing traffic when migrating from a Cloud SQL instance in the old producer network architecture (click to enlarge)

When you create a migration job, Database Migration Service collects the required information and generates a script that sets up the proxy VM. This script runs several Google Cloud CLI commands that perform the following:

Creates and configures a Compute Engine instance in the same project and VPC as the destination database.

This VM runs a transparent TCP proxy that by default has private and public IPs. The proxy starts serving incoming connections immediately after booting.
Creates a firewall rule to allow connections from the AlloyDB for PostgreSQL destination database to the proxy.

Set up the TCP proxy VM

In the Google Cloud console, when you set up connectivity between the source and destination, perform the following steps:

From the Connectivity method drop-down menu, select Proxy via cloud-hosted VM - TCP.
Specify the following configuration parameters of the Compute Engine instance that will serve as the bastion host:
- Compute Engine VM instance name: The name for the Compute Engine instance.
- Machine type: The Compute Engine machine type, for example n1-standard-n1.
- Subnetwork: The subnet of the destination VPC.
Note: The Compute Engine VM instance created by the script isn't managed by Database Migration Service. Your organization is charged for the instance based on standard pricing, and is responsible for its management, including deleting the instance when it's no longer needed.
Click View script to view the generated script.
By default, the script generates a public IP address for the Compute Engine VM server. If your organization doesn't permit creating a proxy with a public IP address, or you have security concerns, then perform the following steps to disable the option to generate the address:
1. Enable Private Google Access on the subnet used for the proxy. This is required to allow the Compute Engine instance to download the necessary Docker images from the Google Cloud repository.
2. Append the no-address key to the --network-interface argument of the gcloud compute instances create-with-container command in the script:
  gcloud compute instances create-with-container ... --network-interface subnet=SUBNET-NAME,no-address
Run the script on a machine that has access to the Google Cloud project of the destination database.
Make sure that the following settings are updated to accept connections from the outgoing IP address of the TCP proxy:
- The replication connections section of the pg_hba.conf file (for a self-managed source instance).
- The security group definitions (for an Amazon RDS/Aurora source instance).
Click Configure & continue.
If your source is within a VPN (in AWS, for example, or your own on-premises VPN), see Configure connectivity using VPNs for more information about configuring the source VPN and Google Cloud VPN to work with each other.
Test and create your migration job.

Configure connectivity using a TCP proxy through a cloud-hosted VM Stay organized with collections Save and categorize content based on your preferences.

Overview

Set up the TCP proxy VM

Configure connectivity using a TCP proxy through a cloud-hosted VM