Database Migration Service 使用 Private Service Connect 通过专用 IP 地址连接到目标 AlloyDB for PostgreSQL 集群。借助 Private Service Connect,您可以向传入的安全连接公开目标数据库,并控制哪些人可以访问该数据库。
Private Service Connect 的网络架构设置因您使用的是启用了 PSC 的目标 AlloyDB for PostgreSQL 集群还是未启用 PSC 的目标 AlloyDB for PostgreSQL 集群而异。
如需详细了解目标连接方法,请参阅 目标数据库连接方法概览。
适用于启用了 PSC 的 AlloyDB for PostgreSQL 集群的 Private Service Connect
如需使用专用连接与启用了 PSC 的 AlloyDB for PostgreSQL 目标搭配使用,请按以下步骤操作:
- 创建和配置目标集群时,请确保将其创建为具有专用 IP 地址的启用了 PSC 的集群。您无法修改现有的 AlloyDB for PostgreSQL 集群,使其支持 Private Service Connect。
- 在后续阶段,当您
创建目标连接配置文件时,请执行以下操作:
- 使用主机名或 IP 地址字段为目标集群选择 Private Service Connect 端点的 DNS 记录。
- 在定义连接方法部分中,选择专用 IP。
适用于未启用 PSC 的 AlloyDB for PostgreSQL 集群的 Private Service Connect
如需为未启用 Private Service Connect 而创建的 AlloyDB for PostgreSQL 目标使用专用 IP 连接,您需要创建其他网络组件,以便在 Database Migration Service 和目标之间路由流量。如需了解详情,请参阅 非 PSC AlloyDB for PostgreSQL 集群的专用 IP 目标连接。
如果一个堡垒虚拟机 (VM) 不足以满足您的网络需求,请为网络生产者设置配置一个实例组。如需了解详情,请参阅 托管服务中的网络连接。
如需创建所需的 Private Service Connect 生产者设置,我们建议您使用 Google Cloud CLI 或 Terraform 自动化脚本。在使用下面的任何命令数据之前,请先进行以下替换:
- PROJECT_ID 与您创建 Private Service Connect 提供方设置的项目。
- REGION,其中包含您创建 Private Service Connect 提供方设置时所在的区域。
- 将 ZONE 替换为 REGION 中用于创建所有可用区资源(例如堡垒虚拟机)的可用区。
- BASTION 替换为要创建的堡垒主机虚拟机。
- DB_SUBNETWORK 替换为要将流量转发到的子网。 子网需要有权访问 AlloyDB for PostgreSQL 集群。
- DB_SUBNETWORK_GATEWAY 使用子网的 IPv4 网关。
- PORT,其中包含堡垒将用于公开底层数据库的端口。
- ALLOYDB_INSTANCE_PRIVATE_IP,其中包含目标 AlloyDB for PostgreSQL 集群的专用 IP 地址。
gcloud
以下 Bash 脚本使用 Google Cloud CLI 为目标数据库创建 Private Service Connect 生产者设置。请注意,您可能需要调整某些默认设置;例如,Private Service Connect 子网 CIDR 范围。
#!/bin/bash
# Create the VPC network for the Database Migration Service Private Service Connect.
gcloud compute networks create dms-psc-vpc \
--project=PROJECT_ID \
--subnet-mode=custom
# Create a subnet for the Database Migration Service Private Service Connect.
gcloud compute networks subnets create dms-psc-REGION \
--project=PROJECT_ID \
--range=10.0.0.0/16 --network=dms-psc-vpc \
--region=REGION
# Create a router required for the bastion to be able to install external
# packages (for example, Dante SOCKS server):
gcloud compute routers create ex-router-REGION \
--network dms-psc-vpc \
--project=PROJECT_ID \
--region=REGION
gcloud compute routers nats create ex-nat-REGION \
--router=ex-router-REGION \
--auto-allocate-nat-external-ips \
--nat-all-subnet-ip-ranges \
--enable-logging \
--project=PROJECT_ID \
--region=REGION
# Create the bastion VM.
gcloud compute instances create BASTION \
--project=PROJECT_ID \
--zone=ZONE \
--image-family=debian-11 \
--image-project=debian-cloud \
--network-interface subnet=dms-psc-REGION,no-address \
--network-interface subnet=DB_SUBNETWORK,no-address \
--metadata=startup-script='#!/bin/bash
# Route the private IP address using the gateway of the database subnetwork.
# To find the gateway for the relevant subnetwork go to the VPC network page
# in the Google Cloud console. Click VPC networks and select the database VPC
# to see the details.
ip route add ALLOYDB_INSTANCE_PRIVATE_IP via DB_SUBNETWORK_GATEWAY
# Install Dante SOCKS server.
apt-get install -y dante-server
# Create the Dante configuration file.
touch /etc/danted.conf
# Create a proxy.log file.
touch proxy.log
# Add the following configuration for Dante:
cat > /etc/danted.conf << EOF
logoutput: /proxy.log
user.privileged: proxy
user.unprivileged: nobody
internal: 0.0.0.0 port = PORT
external: ens5
clientmethod: none
socksmethod: none
client pass {
from: 0.0.0.0/0
to: 0.0.0.0/0
log: connect error disconnect
}
client block {
from: 0.0.0.0/0
to: 0.0.0.0/0
log: connect error
}
socks pass {
from: 0.0.0.0/0
to: ALLOYDB_INSTANCE_PRIVATE_IP/32
protocol: tcp
log: connect error disconnect
}
socks block {
from: 0.0.0.0/0
to: 0.0.0.0/0
log: connect error
}
EOF
# Start the Dante server.
systemctl restart danted
tail -f proxy.log'
# Create the target instance from the created bastion VM.
gcloud compute target-instances create bastion-ti-REGION \
--instance=BASTION \
--project=PROJECT_ID \
--instance-zone=ZONE \
--network=dms-psc-vpc
# Create a forwarding rule for the backend service.
gcloud compute forwarding-rules create dms-psc-forwarder-REGION \
--project=PROJECT_ID \
--region=REGION \
--load-balancing-scheme=internal \
--network=dms-psc-vpc \
--subnet=dms-psc-REGION \
--ip-protocol=TCP \
--ports=all \
--target-instance=bastion-ti-REGION \
--target-instance-zone=ZONE
# Create a TCP NAT subnet.
gcloud compute networks subnets create dms-psc-nat-REGION-tcp \
--network=dms-psc-vpc \
--project=PROJECT_ID \
--region=REGION \
--range=10.1.0.0/16 \
--purpose=private-service-connect
# Create a service attachment.
gcloud compute service-attachments create dms-psc-svc-att-REGION \
--project=PROJECT_ID \
--region=REGION \
--producer-forwarding-rule=dms-psc-forwarder-REGION \
--connection-preference=ACCEPT_MANUAL \
--nat-subnets=dms-psc-nat-REGION-tcp
# Create a firewall rule allowing the Private Service Connect NAT subnet.
# access the Private Service Connect subnet
gcloud compute \
--project=PROJECT_ID firewall-rules create dms-allow-psc-tcp \
--direction=INGRESS \
--priority=1000 \
--network=dms-psc-vpc \
--action=ALLOW \
--rules=all \
--source-ranges=10.1.0.0/16 \
--enable-logging
# Print out the created service attachment.
gcloud compute service-attachments describe dms-psc-svc-att-REGION \
--project=PROJECT_ID \
--region=REGION
Terraform
您可以在 Terraform 模块中使用以下文件为目标数据库创建 Private Service Connect 生产者设置。请注意,您可能需要调整某些默认设置;例如,Private Service Connect 子网 CIDR 范围。
variables.tf:
variable "project_id" {
type = string
description = <<DESC
The Google Cloud project in which the setup is created. This should be the same project as
the one that the AlloyDB for PostgreSQL cluster belongs to.
DESC
}
variable "region" {
type = string
description = "The Google Cloud region in which you create the Private Service Connect
regional resources."
}
variable "zone" {
type = string
description = <<DESC
The Google Cloud zone in which you create the Private Service Connect zonal resources
(should be in the same region as the one specified in the "region" variable).
DESC
}
variable "primary_instance_private_ip" {
type = string
description = "The cluster's primary instance private IP"
}
variable "port" {
type = string
description = "The port that the bastion will use to expose the underlying database."
default = "5432"
}
variable "alloydb_cluster_network" {
type = string
description = <<DESC
The VPC to which the AlloyDB for PostgreSQL cluster is peered. This is where the bastion will
forward connections to (the destination database needs to be accessible in this VPC).
DESC
}
main.tf:
/* To execute the call:
terraform apply
-var="project_id=PROJECT_ID"
-var="region=REGION"
-var="zone=ZONE"
-var="primary_instance_private_ip=PRIMARY_INSTANCE_PRIVATE_IP"
-var="port=PORT"
-var="alloydb_cluster_network=ALLOYDB_CLUSTER_NETWORK" */
# Needed for getting the IPv4 gateway of the subnetwork for the database.
data "google_compute_subnetwork" "db_network_subnet" {
name = var.alloydb_cluster_network
project = var.project_id
region = var.region
}
resource "google_compute_network" "psc_sp_network" {
name = "dms-psc-network"
project = var.project_id
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "psc_sp_subnetwork" {
name = "dms-psc-subnet"
region = var.region
project = var.project_id
network = google_compute_network.psc_sp_network.id
# CIDR range can be lower.
ip_cidr_range = "10.0.0.0/16"
}
resource "google_compute_subnetwork" "psc_sp_nat" {
provider = google-beta
name = "dms-psc-nat"
region = var.region
project = var.project_id
network = google_compute_network.psc_sp_network.id
purpose = "PRIVATE_SERVICE_CONNECT"
# CIDR range can be lower.
ip_cidr_range = "10.1.0.0/16"
}
resource "google_compute_service_attachment" "psc_sp_service_attachment" {
provider = google-beta
name = "dms-psc-svc-att"
region = var.region
project = var.project_id
enable_proxy_protocol = false
connection_preference = "ACCEPT_MANUAL"
nat_subnets = [google_compute_subnetwork.psc_sp_nat.id]
target_service = google_compute_forwarding_rule.psc_sp_target_direct_rule.id
}
resource "google_compute_forwarding_rule" "psc_sp_target_direct_rule" {
name = "dms-psc-fr"
region = var.region
project = var.project_id
network = google_compute_network.psc_sp_network.id
subnetwork = google_compute_subnetwork.psc_sp_subnetwork.id
load_balancing_scheme = "INTERNAL"
ip_protocol = "TCP"
all_ports = true
target = google_compute_target_instance.psc_sp_target.id
}
resource "google_compute_target_instance" "psc_sp_target" {
provider = google-beta
name = "dms-psc-fr-target"
zone = var.zone
instance = google_compute_instance.psc_sp_bastion.id
network = google_compute_network.psc_sp_network.id
}
resource "google_compute_instance" "psc_sp_bastion" {
name = "dms-psc-alloydb-bastion"
project = var.project_id
machine_type = "e2-medium"
zone = var.zone
can_ip_forward = true
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
# The incoming NIC defines the default gateway which must be the Private Service Connect subnet.
network_interface {
network = google_compute_network.psc_sp_network.id
subnetwork = google_compute_subnetwork.psc_sp_subnetwork.id
}
# The outgoing NIC which is on the same network as the AlloyDB for PostgreSQL cluster.
network_interface {
network = data.google_compute_subnetwork.db_network_subnet.network
}
metadata_startup_script = <<SCRIPT
#!/bin/bash
# Route the private IP address of the database using the gateway of the database subnetwork.
# To find the gateway for the relevant subnetwork, go to the VPC network page
# in the Google Cloud console. Click VPC networks, and select the database VPC
# to see the details.
ip route add ${var.primary_instance_private_ip} \
via ${data.google_compute_subnetwork.db_network_subnet.gateway_address}
# Install Dante SOCKS server.
apt-get install -y dante-server
# Create the Dante configuration file.
touch /etc/danted.conf
# Create a proxy.log file.
touch proxy.log
# Add the following configuration for Dante:
cat > /etc/danted.conf << EOF
logoutput: /proxy.log
user.privileged: proxy
user.unprivileged: nobody
internal: 0.0.0.0 port = ${var.port}
external: ens5
clientmethod: none
socksmethod: none
client pass {
from: 0.0.0.0/0
to: 0.0.0.0/0
log: connect error disconnect
}
client block {
from: 0.0.0.0/0
to: 0.0.0.0/0
log: connect error
}
socks pass {
from: 0.0.0.0/0
to: ${var.primary_instance_private_ip}/32
protocol: tcp
log: connect error disconnect
}
socks block {
from: 0.0.0.0/0
to: 0.0.0.0/0
log: connect error
}
EOF
# Start the Dante server.
systemctl restart danted
tail -f proxy.log
SCRIPT
}
# Required firewall rules:
/* Firewall rule allowing the Private Service Connect NAT subnet to access
the Private Service Connect subnet. */
resource "google_compute_firewall" "psc_sp_in_fw" {
name = "dms-psc-ingress-nat-fw"
project = var.project_id
network = google_compute_network.psc_sp_network.id
log_config {
metadata = "INCLUDE_ALL_METADATA"
}
allow {
protocol = "all"
}
priority = 1000
direction = "INGRESS"
source_ranges = [google_compute_subnetwork.psc_sp_nat.ip_cidr_range]
}
/* The router that the bastion VM uses to install external packages
(for example, Dante SOCKS server). */
resource "google_compute_router" "psc_sp_ex_router" {
name = "dms-psc-external-router"
project = var.project_id
region = var.region
network = google_compute_network.psc_sp_network.id
}
resource "google_compute_router_nat" "psc_sp_ex_router_nat" {
name = "dms-psc-external-router-nat"
project = var.project_id
region = var.region
router = google_compute_router.psc_sp_ex_router.name
nat_ip_allocate_option = "AUTO_ONLY"
source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
log_config {
enable = true
filter = "ERRORS_ONLY"
}
}
outputs.tf:
# The Private Service Connect service attachment.
output "service_attachment" {
value = google_compute_service_attachment.psc_sp_service_attachment.id
}
在后续阶段,当您 创建目标连接配置文件时,请执行以下操作:
- 在定义连接方法部分中,选择专用 IP。
- 从服务连接名称下拉菜单中,选择 dms-psc-svc-att-REGION。