Showing content from https://cloud.google.com/database-migration/docs/postgres/configure-connectivity-vpc-peering below:

Configure private IP connectivity | Database Migration Service

You can migrate your data over private networks by establishing connectivity between the private IP addresses of your source and destination databases. To configure private IP addresses for your destination database, you can use one of two approaches: private services access with VPC peering, or Private Service Connect.

Each connection method offers distinct advantages and trade-offs. Make sure you choose the approach that best fits your scenario. For more information about private services access and Private Service Connect in Cloud SQL, see Private IP overview in the Cloud SQL documentation.

Configure connectivity using VPC peering

VPC peering works by configuring the VPCs to communicate with one another. If your source is in the same Google Cloud project in Cloud SQL or Compute Engine, then this allows the destination to communicate with the source directly. If your source is within a VPN (in AWS, for example, or your own on-premises VPN), then configure the source VPN and Google Cloud VPN to work with each other. For more information, see connecting VPCs through VPNs.

VPC chaining isn't supported. If your source is in a different Google Cloud project, then see Shared VPC overview to learn how to connect resources from multiple projects to a common VPC network for VPC peering.

The source database server's firewall must be configured to allow the entire internal IP range allocated for the private service connection of the VPC network that the Cloud SQL destination instance is going to use.

To find the internal IP range in the console:

  1. Go to the VPC networks page in the Google Cloud console.

  2. Select the VPC network that you want to use.

  3. Select Private services access > Allocated IP ranges for services.

  4. Find the Internal IP range associated with the connection created by servicenetworking-googleapis-com.

Make sure the replication connections section of the pg_hba.conf file or the security groups definitions in AWS RDS on the source database are updated to accept connections from the Cloud SQL VPC's IP address range.
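One way to check a source server's pg_hba.conf against the allocated range before starting a migration job. This is an added example, not code from the Google Cloud documentation; the function names, the sample file and the range 10.20.0.0/16 are constructed for illustration.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def parse_rule(line):
    """Parse one pg_hba.conf line into (databases, network, method), or None."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 5 or fields[0] not in HOST_TYPES:
        return None                      # comment, blank line, or local-socket rule
    databases, addr = fields[1].split(","), fields[3]
    try:
        if addr == "all":
            return databases, None, fields[4]      # None = every client address
        if "/" in addr:
            return databases, ipaddress.ip_network(addr, strict=False), fields[4]
        # Old style: separate ADDRESS and NETMASK columns, method is the sixth field.
        net = ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False)
        return databases, net, fields[5]
    except (ValueError, IndexError):
        return None                      # hostname, samehost, samenet: not checked here

def range_allowed(pg_hba_text, allocated_cidr, database="replication"):
    """Return (allowed, deciding_line) for the entire allocated range.

    Rules are evaluated first-match, as PostgreSQL does. The USER column is
    ignored, and the result is conservative: several narrow rules that only
    together cover the range are reported as not allowed.
    """
    wanted = ipaddress.ip_network(allocated_cidr)
    for lineno, line in enumerate(pg_hba_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        databases, net, method = rule
        # The "all" keyword does not match physical replication connections;
        # logical replication connections name a real database instead.
        if database not in databases and (database == "replication" or "all" not in databases):
            continue
        if net is None or (net.version == wanted.version and wanted.subnet_of(net)):
            return method != "reject", lineno    # first covering rule decides
        if net.version == wanted.version and net.overlaps(wanted) and method == "reject":
            return False, lineno                 # part of the range is refused earlier
    return False, None

# Constructed sample file; 10.20.0.0/16 stands in for the allocated range.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE     USER      ADDRESS                 METHOD
local   all          all                               peer
host    all          all       10.0.0.0/8              scram-sha-256
host    replication  migrator  10.20.30.0/24           scram-sha-256
host    replication  migrator  10.20.0.0 255.255.0.0   scram-sha-256
"""
```

For the sample, `range_allowed(SAMPLE_PG_HBA, "10.20.0.0/16")` is decided by line 5: the broad `all` rule on line 3 does not apply to physical replication, and the /24 on line 4 covers only part of the range.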

Note: To use Virtual Private Cloud networking, you must enable the Service Networking API for your Google Cloud project.

VPC peering uses private services access, which must be configured once for each project using VPC peering. After you have established private services access, test your migration job to verify connectivity.

Configuring private services access for Database Migration Service

If you are using private IP for any of your Database Migration Service instances, you only need to configure private services access one time for every Google Cloud project that has or needs to connect to a Database Migration Service instance.

Important: When you create a private connection between your VPC network and the Database Migration Service service, it becomes available for use by any Google service that supports private services access. If you later delete the private connection, you remove private connectivity to your Database Migration Service instances and any other service that is using that connection. Removing the private connection does not delete or deprovision any resources.

Establishing private services access requires the compute.networkAdmin IAM role. After private services access is established for your network, you no longer need the compute.networkAdmin IAM role to configure an instance to use private IP.

Private services access requires you to first allocate an internal IP address range, then create a private connection, and then export a custom route.

An allocated range is a reserved CIDR block that can't otherwise be used in your local VPC network. When you create a private connection, you specify an allocation. The private connection links your VPC network with the underlying ("service producer") VPC network.

When you create a private connection, the VPC network and service producer network exchange subnet routes only. You must export the VPC network's custom routes so that the service provider's network can import them and correctly route traffic to your on-premises network.

A peering configuration establishes the intent to connect to another VPC network. Your network and the other network are not connected until each one has a peering configuration for the other. After the other network has a corresponding configuration to peer with your network, the peering state changes to ACTIVE in both networks, and they are connected. If there's no matching peering configuration in the other network, the peering state remains INACTIVE, indicating that your network is not connected to the other one.

Once connected, the two networks always exchange subnet routes. You can optionally import both static and dynamic custom routes from a peered network if it has been configured to export them.

Note: Because a private connection is implemented as a VPC Network Peering connection, the behaviors and constraints of peering connections also apply to private connections, such as VPC Network Peering limits.

There are two parts to the private services access configuration process:

Allocating an IP address range

Console
  1. Go to the VPC networks page in the Google Cloud console.
  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Allocated IP ranges for services tab.
  5. Click Allocate IP range.
  6. For the Name of the allocated range, specify google-managed-services-VPC_NETWORK_NAME, where VPC_NETWORK_NAME is the name of the VPC network you are connecting (for example, google-managed-services-default). The Description is optional.

  7. Click ALLOCATE to create the allocated range.

gcloud

Do one of the following:

Replace [VPC_NETWORK_NAME] with the name of your VPC network, such as my-vpc-network.

The following example allocates an IP range that allows resources in the VPC network my-vpc-network to connect to Database Migration Service instances using private IP.

gcloud compute addresses create google-managed-services-my-vpc-network \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --network=my-vpc-network \
    --project=my-project

Creating a private connection

Console
  1. Go to the VPC networks page in the Google Cloud console.
  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Private connections to services tab.
  5. Click Create connection to create a private connection between your network and a service producer.
  6. For the Assigned allocation, select one or more existing allocated ranges that aren't being used by other service producers, and then click OK.
  7. Click CONNECT to create the connection.
gcloud
  1. Create a private connection.

    gcloud services vpc-peerings connect \
        --service=servicenetworking.googleapis.com \
        --ranges=google-managed-services-[VPC_NETWORK_NAME] \
        --network=[VPC_NETWORK_NAME] \
        --project=[PROJECT_ID]
    

    Replace [VPC_NETWORK_NAME] with the name of your VPC network and [PROJECT_ID] with the ID of the project that contains your VPC network.

    The command initiates a long-running operation, returning an operation name.

  2. Check whether the operation was successful.

    gcloud services vpc-peerings operations describe \
        --name=[OPERATION_NAME]
    

    Replace [OPERATION_NAME] with the operation name that was returned from the previous step.

You can specify more than one allocated range when you create a private connection. For example, if a range has been exhausted, you can assign additional allocated ranges. The service uses IP addresses from all the provided ranges in the order that you specified.

Connections to a Cloud SQL instance using a private IP address are automatically authorized for RFC 1918 address ranges. Non-RFC 1918 address ranges must be configured in Cloud SQL as authorized networks. You also need to update the network peering to Cloud SQL to export any Non-RFC 1918 routes. For example:

gcloud compute networks peerings update cloudsql-postgres-googleapis-com \
    --network=NETWORK \
    --export-subnet-routes-with-public-ip \
    --project=PROJECT

Exporting custom routes

Update an existing VPC Network Peering connection to change whether your VPC network exports or imports custom routes to or from the peer VPC network.

Your network imports custom routes only if the peer network is also exporting custom routes, and the peer network receives custom routes only if it imports them.

Console
  1. Go to the VPC Network Peering page in the Google Cloud console.
  2. Select the peering connection to update.
  3. Click EDIT.
  4. Update your custom route settings by selecting or deselecting Import custom routes or Export custom routes.
  5. Click SAVE.
gcloud

Update the peering connection to change your import or export settings for custom routes.

gcloud compute networks peerings update [PEERING-NAME] \
    --network=[MY-LOCAL-NETWORK] \
    [--[no-]import-custom-routes] \
    [--[no-]export-custom-routes]

Granting the roles/servicenetworking.serviceAgent role

  # Create the Service Networking service agent for the project.
  gcloud beta services identity create \
    --service=servicenetworking.googleapis.com \
    --project=project-id

  # Bind the role; IAM members need a type prefix such as serviceAccount:.
  gcloud projects add-iam-policy-binding project-id \
    --member="serviceAccount:service-account-prefix@service-networking.iam.gserviceaccount.com" \
    --role="roles/servicenetworking.serviceAgent"

Configure connectivity using Private Service Connect interfaces

For homogeneous migrations, Cloud SQL can use Private Service Connect interfaces to establish a connection over private networks. This connectivity method is only available when you migrate to an existing instance.

To use Private Service Connect interfaces, do the following:

  1. Create a Cloud SQL instance enabled for Private Service Connect. See Create a Private Service Connect endpoint in the Cloud SQL documentation.

  2. Configure Private Service Connect for outbound connectivity on your instance. See Configure outbound connectivity in the Cloud SQL documentation.

    Make sure that the VPC network where you create the network attachment is the network where you can reach the private IP address of your source database.

  3. At a later stage, when you create the migration job, select PSC interface for your connectivity method.

