I’ve already provided some solutions to connect to your MDS instance, using MySQL Router, SSH tunnel, … but one of the best way if you have multiple instance to manage, is to use a VPN.
This post summarize the steps on how to deploy Open VPN and configure your VCN to use it.
So, in OCI, we have already some MDS & Compute instances deployed, this is how the dashboard looks like:
OpenVPN Deployment
We can start by deploying our OpenVPN instance using OCI’s Marketplace:
And you follow the wizard by adding your administrator username and password:
An important step is to use the existing VCN and place the OpenVPN in the public subnet:
And you create the instance:
After clicking the “Create” button, Terraform will enter in action and when everything will be deployed, at the end of the log, you will find the url you must use to configure your OpenVPN and create the vpn users:
Paste the url in your browser and accept the risk of using a self-signed certificate:
OpenVPN Configuration
Then log in with your admin credentials and select the “VPN Settings”:
And in routing, change from NAT to Routing and add the two subnets used in the VCN:
It’s time to create a VPN user and configure again the routing (no idea why it’s needed to do it twice):
And don’t forget to update the server:
VCN modification
We also need to ensure that the servers in our VCN (private and public subnets), can find their route to the OpenVPN client.
We do this by adding new routes, the destination is 172.27.232.0/22:
Connecting to VPN
It’s time to connect your machine (laptop, desktop) to your VPN, the first thing is the download the configuration by connecting to the web interface (same url with /admin):
OpenVPN on Fedora
Just for info, this is how I add the VPN to Network Manager on Fedora:
$ nmcli connection import type openvpn file client.ovpn
And you add the credentials on it and rename it:
Now you can enable the VPN from the network settings:
Connection to MDS
And now that your are connected, you can use MySQL Shell to connect to your MDS instance’s private IP:
Conclusion
This is the more secure and easy way to connect to all your services deployed in OCI and particularly a MySQL Database Service instance that will never get a public IP assigned to it.
You can connect with MySQL Classic client, MySQL Shell, Workbench and any other tool that needs to connect to MySQL with the Classic or X protocol.
[…] For simplicity, in this blog post the MySQL instance is on OCI. However this architecture is also relevant with the DB out of OCI. In that case you will need a VPN (e.g. Using OpenVPN with MySQL Database Service). […]