Tunneling Anypoint Platform and GCP
Introduction
The aim of this article is to describe how to create a tunnel between the Anypoint Platform and GCP in order to reach a MySQL instance running in GCP. The article covers the architectural side; if you are looking for developer-oriented material you can skip it with zero loss.
A Brief Outline
I will try to go deep in this article, starting from the creation of a MySQL instance in GCP. So, if you are familiar with GCP you can easily skip that part. The article is divided into the following sections:
VPC Configuration in GCP
MySQL Configuration in GCP
VPN Configuration in GCP
VPN Configuration in GCP. Continue …
Testing the tunnel
VPC Configuration in GCP
We will define a clean network in GCP rather than using the Google-provided default network.
VPC Creation
Let's create a VPC with CIDR 10.100.0.0/24 as shown below. You can use this link to check the IP range covered by the CIDR.
Private Service Connection
Check the documentation below.
Private services access connections:
Are per VPC network and can be used across all managed services such as Memorystore, Tensorflow and SQL.
Are between your VPC network and a network owned by Google using a VPC peering, enabling your instances and services to communicate exclusively by using internal IP addresses.
Create an isolated project for you on the service-producer side, meaning no other customers share it. You will be billed for only the resources you provision.
Now, let's try to understand this better.
It means that to launch a MySQL instance privately, we need to allocate a second network range in which Google-managed services can spin up.
In my case, my actual VPC is 10.100.0.0/24. But since anything inside my VPC (e.g. a VM) needs access to a private MySQL instance, I have to allocate another CIDR (10.200.0.0/24) for that second, Google-managed network. Luckily, GCP does all the peering automatically and we don't need to get our hands dirty. Otherwise, I would say it's a nasty thing :)
Here is how you do it.
Click ALLOCATED IP RANGES FOR SERVICES and then click ALLOCATE IP RANGE and the following window will pop up.
Check the CIDR. Now click PRIVATE CONNECTIONS TO SERVICES as shown in the previous figure. You will be presented with a form as shown below. Here we finally create the connection using the CIDR allocated in the previous step.
After creating the private connection, you must enable it.
MySQL Configuration in GCP
Once we have our VPC configured it's easy to launch MySQL.
Create MySQL Instance
I will only explain the important points while creating the MySQL instance.
I am creating a MySQL instance in the same region where I have defined my VPC i.e mule-vpc. In the Connections section let's select our VPC as shown below.
All set; now hit the Create Instance button. After a while, your MySQL instance will be ready. Now there is a wtf moment when you check the Private IP of the MySQL instance.
The IP of the instance is 10.200.0.3, whereas the CIDR of our VPC is 10.100.0.0/24.
Our VPC configuration.
Here is the answer. Remember that MySQL is a Google-managed service and that we allocated the 10.200.0.0/24 CIDR for the network where Google launches the services for us?
That's how the private IP of our MySQL instance became 10.200.0.3.
Cool! Next, let's configure a VPN in GCP.
VPN Configuration in GCP
There are 2 options for VPN creation in GCP.
We will go with the first option.
Create an HA VPN
Note that I am creating a VPN for the VPC I have created, i.e. mule-vpc.
Just hit CREATE & CONTINUE and then return to the original menu without doing anything else.
Now, finally, we are arriving at some fun points. You can see that 2 public IPs are created for the VPN, i.e. 34.124.20.226 & 34.104.81.39. Both belong to our GCP VPN gateway (one per HA interface); one of them will be configured in Anypoint as the remote IP.
The PEER VPN GATEWAYS is where we will configure the public IP of our Anypoint VPN.
At this moment, we will have to switch to the Anypoint platform.
VPN Configuration in Anypoint
I will not go deep into this. However, there is a great article on it that you can check. So, no more secrets in VPN configuration in the Anypoint platform. I have just specified 34.124.20.226 as the Remote IP address.
After a few minutes, Anypoint (AWS) will provide us with the Tunnel details.
VPN Configuration in GCP. Continue …
Configure Peer VPN Gateways
For the sake of brevity, I will only configure one tunnel. First, let's map the IPs with GCP.
In GCP, let's configure our peer VPN, i.e. the Anypoint VPN. It's very simple.
Now, we will make a tunnel between CLOUD VPN GATEWAYS (i.e. GCP) and PEER VPN GATEWAYS (i.e. Anypoint). So, click the CLOUD VPN TUNNELS button and you will be presented with a new form with a few more fields.
Router Configuration
Before creating the tunnel, let's configure a router. This is the tricky part.
The Google ASN can be found in Anypoint VPN. Check below.
Now, which IPs should our router map to?
Remember that our intention is to connect to a MySQL instance. Now, do you remember in which CIDR range the MySQL instance got launched?
Yes. It was launched in 10.200.0.0/24. It means that with the above configuration our router will route traffic to that CIDR. Cool, right?
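The address plan is where a tunnel like this quietly fails: the MySQL instance lives in the private-services range, not in the VPC range, and Anypoint only learns the routes the GCP router advertises. The following script is an added example (not part of this article and not a MuleSoft or Google tool) that checks the three ranges used above for overlap, confirms which range the MySQL private IP belongs to, and shows that advertising only the VPC range would leave MySQL unreachable even with the tunnel UP. The CIDRs and the IP are the ones from the article; the range names are assumptions.

```python
"""Sanity-check the address plan behind the Anypoint <-> GCP tunnel.

Added example, not part of the original article. The three ranges are the
ones the article uses: the GCP VPC (10.100.0.0/24), the private-services
allocation that Cloud SQL lands in (10.200.0.0/24) and the Anypoint VPC the
VPN was created for (10.0.0.0/16). The MySQL private IP (10.200.0.3) is the
one the article reports. The range names are assumptions.
"""
import ipaddress
from itertools import combinations

# Address plan from the article (names are assumed labels).
ADDRESS_PLAN = {
    "gcp-vpc": "10.100.0.0/24",
    "gcp-private-services": "10.200.0.0/24",
    "anypoint-vpc": "10.0.0.0/16",
}
MYSQL_PRIVATE_IP = "10.200.0.3"


def overlapping_ranges(plan):
    """Return pairs of range names whose CIDRs overlap.

    Any overlap means a route learned over the tunnel collides with a local
    subnet on the other side, so this list must be empty before the BGP
    session is brought up.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    ]


def range_containing(plan, ip):
    """Name of the range that contains `ip`, or None if no range does."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in plan.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def reachable_over_tunnel(advertised_cidrs, ip):
    """True if at least one advertised route covers `ip`.

    Models the router's route advertisement: Anypoint only learns what the
    GCP router advertises, so an instance outside every advertised CIDR is
    unreachable even though the tunnel status shows UP.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in advertised_cidrs)


if __name__ == "__main__":
    print("overlaps      :", overlapping_ranges(ADDRESS_PLAN))
    print("mysql lives in:", range_containing(ADDRESS_PLAN, MYSQL_PRIVATE_IP))
    # Advertising only the VPC range leaves MySQL unreachable; the services range is what matters.
    print("vpc only      :", reachable_over_tunnel(["10.100.0.0/24"], MYSQL_PRIVATE_IP))
    print("services range:", reachable_over_tunnel(["10.200.0.0/24"], MYSQL_PRIVATE_IP))
```

Run it before touching the router: an empty overlap list and `gcp-private-services` as the containing range are the two conditions the rest of the walkthrough relies on.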
Tunnel Configuration
Create a tunnel and define for which GCP VPN you need the tunnel and then continue.
Now comes some cool stuff. Check below.
Check that for the peer VPN we have chosen the Anypoint VPN we declared earlier. Great!!
Right after that, select the router (created in the previous step) for our tunnel.
Validate the IP information as shown below:
Now you need to fill in the PSK as shown below.
Then finally click the CREATE button. Now the final step.
BGP Session creation
Click CONFIGURE BGP SESSION of your tunnel.
It will pop up another window where you need to fill in the details below. For the sake of simplicity, I have mapped the values.
Then create the session. If everything goes well you will be happy to see green.
Also, you can check on Anypoint that the tunnel is now UP.
Also, when you click the VPC Routers tab in the Anypoint VPN you can see the routes advertised by our GCP router.
Isn't it cool? That's the power of the BGP session. Now, any routing change you make in GCP will be reflected in your Anypoint platform.
Great. That's a lot of stuff.
Test the tunnel
When I created the VPN in the Anypoint platform, I created it for the below VPC.
So, technically, any application launched in that VPC will be able to connect to my MySQL instance in GCP.
Network Tool
To check connectivity, I used the tool provided by MuleSoft. I deployed the tool in the above VPC, i.e. 10.0.0.0/16. It's nothing but a Mule application.
Now, the private IP of my MySQL instance is 10.200.0.3. Let's cross our fingers and telnet to it from the Anypoint VPC.
Voila!!!!!!
I could successfully telnet to the MySQL instance in GCP from the Anypoint platform.
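The telnet check above works because MySQL speaks first: as soon as the TCP connection is up, the server sends its greeting packet (before any authentication), so a plain connect is enough to prove the tunnel and the routes, with no credentials involved. The script below is an added example, not code from the article and not MuleSoft's Network Tools; it performs the same probe with a timeout and parses the greeting so you can tell "tunnel up and MySQL answering" apart from "port open but something else behind it". The host and port are placeholders taken from the article, and the greeting bytes are constructed for the offline demonstration.

```python
"""Reproduce the article's telnet check in code.

Added example, not part of the article or of MuleSoft's tooling. It opens a
TCP connection with a timeout and, if the connection succeeds, reads and
parses the greeting MySQL sends first: a 4-byte packet header (3-byte
little-endian length + sequence id), then protocol version 10 and a
NUL-terminated server version string. MYSQL_HOST/MYSQL_PORT are placeholders
from the article; SAMPLE_GREETING is constructed for offline use.
"""
import socket
import struct

MYSQL_HOST = "10.200.0.3"   # private IP from the article; only reachable through the tunnel
MYSQL_PORT = 3306


def parse_mysql_greeting(data):
    """Return (protocol_version, server_version) from a MySQL handshake packet.

    Raises ValueError if the bytes do not look like a MySQL greeting, which
    is what you see when the port answers but a proxy or another service
    sits behind it.
    """
    if len(data) < 5:
        raise ValueError("greeting too short")
    payload_len = int.from_bytes(data[:3], "little")
    payload = data[4:4 + payload_len]
    if len(payload) < 2 or payload[0] != 10:
        raise ValueError("not a MySQL protocol-10 greeting")
    end = payload.find(b"\x00", 1)
    if end == -1:
        raise ValueError("unterminated server version")
    return payload[0], payload[1:end].decode("ascii", "replace")


def probe_mysql(host, port, timeout=3.0):
    """Connect to host:port and return (reachable, detail).

    reachable=False carries the error name: a timeout points at a missing
    route or filtering, a refusal means the host is up but the port is closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(256)
    except OSError as exc:
        return False, type(exc).__name__
    try:
        _, version = parse_mysql_greeting(data)
        return True, "mysql " + version
    except ValueError as exc:
        return True, "tcp open, " + str(exc)


# Constructed sample greeting: protocol 10, a placeholder server version,
# then a dummy connection id and 8 bytes of salt (enough for the parser).
SAMPLE_GREETING_PAYLOAD = (
    b"\x0a" + b"8.0.33-placeholder\x00" + struct.pack("<I", 42) + b"\x00" * 8
)
SAMPLE_GREETING = (
    len(SAMPLE_GREETING_PAYLOAD).to_bytes(3, "little") + b"\x00" + SAMPLE_GREETING_PAYLOAD
)

if __name__ == "__main__":
    print(parse_mysql_greeting(SAMPLE_GREETING))
    print(probe_mysql(MYSQL_HOST, MYSQL_PORT))
```

Deployed as a small Mule or standalone job inside the Anypoint VPC, `probe_mysql` gives the same answer the Network Tool gave in the screenshot, and the error name in the failure case tells you which side of the tunnel to look at.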
Conclusion
Well, it's a pretty long article. I tried to cover every aspect of it, starting from the GCP configuration. Hope it helps someone. Below is the big picture.