
4.PSC-Across-VPN

Introduction

Cloud SQL offers Private Service Connect (PSC) based connectivity. When a user creates a PSC-enabled Cloud SQL instance, the producer side is exposed through a service attachment; to reach the instance, the user must create a PSC endpoint that targets that service attachment. In this example the endpoint is reached from the customer's on-premises (user) network over HA VPN.

This solution automates the creation of the Private Service Connect endpoint for the user (see the Private Service Connect for Cloud SQL documentation for background). The customer's user project reaches the managed producer service through a private IP address, the PSC endpoint in the customer's consumer project, over HA VPN from a VM in the user project. The customer's producer project exposes the Cloud SQL instance to the consumer project through a service attachment, without exposing it to the public Internet. The user and consumer projects are connected with a hybrid networking solution, Cloud HA VPN.

Here is a brief overview of the resources created by the Terraform solution:

  1. VPC networks and subnets in the customer's consumer and user projects
  2. An HA VPN connection between the customer's consumer and user projects
  3. A Cloud SQL instance in the customer's producer project with PSC enabled (a PSC-enabled Cloud SQL instance is created with its own service attachment)
  4. A PSC endpoint in the customer's consumer project: a reserved internal IP address and a forwarding rule whose target is the service attachment URI
  5. A VM instance in the customer's user project, with Cloud NAT for outbound Internet access
  6. Firewall rules that allow only authorised instances to connect to the Cloud SQL instance
  7. A service account used by the compute instance
  8. If required, enabling the needed APIs in the consumer, producer and user projects
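Item 6 above is where least privilege is enforced on the data path. The following Terraform is an added example, not the module's own code, showing how to scope the user-project firewall so that only instances carrying the `cloudsql` network tag can open the MySQL port to the PSC endpoint, while every other instance is denied egress toward the consumer VPC. Variable names and the addresses follow the tfvars example in this README; the resource names are assumptions.

```hcl
# Added example (not part of the cloudsql-easy-networking modules).
# Least-privilege firewall rules for the user project's VPC.

variable "user_project_id" {
  type = string
}

variable "user_network_name" {
  type = string
}

variable "consumer_cidr" {
  type    = string
  default = "192.168.0.0/24" # matches the tfvars example in this README
}

variable "endpoint_ip" {
  type    = list(string)
  default = ["192.168.0.5"] # PSC endpoint address from the tfvars example
}

variable "gce_tags" {
  type    = list(string)
  default = ["cloudsql"]
}

# 1. Only VMs tagged `cloudsql` may reach the PSC endpoint, and only on the
#    database port. The /32 scopes the rule to the endpoint address rather
#    than to the whole consumer subnet.
resource "google_compute_firewall" "allow_tagged_vms_to_cloudsql" {
  project     = var.user_project_id
  name        = "allow-cloudsql-psc-egress"
  network     = var.user_network_name
  direction   = "EGRESS"
  priority    = 1000
  target_tags = var.gce_tags

  destination_ranges = [for ip in var.endpoint_ip : "${ip}/32"]

  allow {
    protocol = "tcp"
    ports    = ["3306"] # use 5432 instead for a PostgreSQL instance
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA" # connection logs for detection/IR
  }
}

# 2. Lower-priority (higher number) catch-all: any other instance in the user
#    VPC is denied egress toward the consumer VPC, so an untagged or
#    compromised VM cannot even probe the endpoint. Rule 1 (priority 1000) wins
#    for tagged instances.
resource "google_compute_firewall" "deny_other_egress_to_consumer" {
  project            = var.user_project_id
  name               = "deny-egress-to-consumer-vpc"
  network            = var.user_network_name
  direction          = "EGRESS"
  priority           = 1100
  destination_ranges = [var.consumer_cidr]

  deny {
    protocol = "all"
  }
}

# 3. Administrative SSH to the VM only via Identity-Aware Proxy TCP forwarding
#    (35.235.240.0/20 is Google's published IAP forwarding range) instead of
#    opening port 22 to 0.0.0.0/0.
resource "google_compute_firewall" "allow_iap_ssh" {
  project       = var.user_project_id
  name          = "allow-iap-ssh"
  network       = var.user_network_name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["35.235.240.0/20"]
  target_tags   = var.gce_tags

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

Egress rules are evaluated on the sending VM regardless of path, so they apply to traffic that leaves the user VPC through the HA VPN tunnels toward the endpoint. The deny rule also means a newly created, untagged VM in the user VPC has no route to the database until someone deliberately tags it.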

Note :

  • The Terraform solution requires the customer's user, consumer and producer projects to already exist:

User Project : a customer-owned project from which the customer accesses the Cloud SQL instance or any other producer service. This can be on-premises or on Google Cloud.

Producer Project : a customer-owned Google Cloud project in which the customer creates the Cloud SQL instance or any other producer service.

Consumer Project : a customer-owned Google Cloud project that accesses the producer resources through a PSC endpoint in its network.

  • The service attachment of the PSC-enabled Cloud SQL instance and the PSC endpoint must be in the same region.
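The two notes above are the parts most easily got wrong by hand: the producer must be created PSC-enabled with no public IP and an allow-list of consumer projects, and the consumer endpoint must sit in the attachment's region. The following Terraform is an added example, not the module's own code, that creates both sides and enforces the region rule with a `lifecycle` precondition on the forwarding rule. Variable names follow this README; the resource names, the machine tier and the `producer_region` split (the README itself uses a single `region`) are assumptions.

```hcl
# Added example (not part of the cloudsql-easy-networking modules).
# Producer: PSC-enabled Cloud SQL instance. Consumer: reserved internal IP and
# forwarding rule targeting the instance's service attachment.

variable "producer_project_id" {
  type = string
}

variable "consumer_project_id" {
  type = string
}

variable "producer_region" {
  type = string # region of the Cloud SQL instance (assumption: split from `region`)
}

variable "region" {
  type = string # region of the PSC endpoint
}

variable "consumer_network_name" {
  type = string
}

variable "consumer_subnetwork_name" {
  type = string
}

variable "endpoint_ip" {
  type = list(string) # e.g. ["192.168.0.5"], inside the consumer subnet
}

resource "google_sql_database_instance" "cloudsql" {
  project             = var.producer_project_id
  name                = "cloudsql"
  region              = var.producer_region
  database_version    = "MYSQL_8_0"
  deletion_protection = true

  settings {
    tier              = "db-custom-2-7680" # assumption
    availability_type = "REGIONAL"         # PSC-enabled instances are created as regional (HA) instances

    ip_configuration {
      ipv4_enabled = false # no public IP: reachable only through PSC endpoints
      require_ssl  = true  # refuse cleartext client connections

      psc_config {
        psc_enabled = true
        # Only this consumer project may create endpoints to the attachment.
        allowed_consumer_projects = [var.consumer_project_id]
      }
    }
  }
}

# Consumer side: reserve the endpoint address inside the consumer subnet.
resource "google_compute_address" "endpoint" {
  project      = var.consumer_project_id
  name         = "cloudsql-psc-endpoint-ip"
  region       = var.region
  address_type = "INTERNAL"
  subnetwork   = var.consumer_subnetwork_name
  address      = var.endpoint_ip[0]
}

locals {
  # Attachment links have the form
  # projects/<project>/regions/<region>/serviceAttachments/<name>;
  # pull the region out so it can be compared with the endpoint region.
  attachment_region = regex("/regions/([^/]+)/", google_sql_database_instance.cloudsql.psc_service_attachment_link)[0]
}

resource "google_compute_forwarding_rule" "cloudsql_endpoint" {
  project               = var.consumer_project_id
  name                  = "cloudsql-psc-endpoint"
  region                = var.region
  network               = var.consumer_network_name
  ip_address            = google_compute_address.endpoint.id
  load_balancing_scheme = "" # must be empty for a PSC endpoint that targets a service attachment
  target                = google_sql_database_instance.cloudsql.psc_service_attachment_link

  lifecycle {
    precondition {
      condition     = local.attachment_region == var.region
      error_message = "The PSC endpoint must be created in the same region as the Cloud SQL service attachment."
    }
  }
}
```

The precondition is evaluated at apply time once the attachment link is known, so a `producer_region`/`region` mismatch fails before the forwarding rule is created rather than producing an endpoint that can never connect. `allowed_consumer_projects` is the producer-side control that stops any other project, even one that learns the attachment URI, from creating an endpoint to this instance.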

Benefits

  1. Connects your private on-premises network (user) to the Cloud SQL instance (producer) easily and securely
  2. Removes the need for a VPC peering connection, simplifying the management of complex cloud network architectures
  3. Keeps your network traffic off the public Internet; data stays on Google's backbone network
  4. Reduces cost and attack surface by avoiding public IP addresses
  5. Improves availability and reliability by using HA VPN

Use cases

  1. Connecting to Cloud SQL instances from on-premises networks
  2. Developing and testing applications that use Cloud SQL
  3. Running production applications that use Cloud SQL

Architecture

PSC-with-VPN Scenario (architecture diagram)

Components

  1. Customer Organisation : the customer's organisation on Google Cloud. The customer has created and manages this organisation.
  2. Customer Organisation - User Project : the customer's project, on-premises or on Google Cloud. The customer has created and manages this project. It contains the virtual machine/instance that accesses the producer service (such as Cloud SQL) through the PSC endpoint.
  3. Customer Organisation - Consumer Project (12345) : the customer's project on Google Cloud. The customer has created and manages this project. Its network contains the PSC endpoint used to access producer services from the Customer Organisation - Producer Project (56789).
  4. Customer Organisation - Cloud SQL (Producer) Project (56789) : the customer's project on Google Cloud. The customer has created and manages this project. It is where the customer creates a producer service such as Cloud SQL.
  5. User VPC - On-Prem/Google Cloud Platform : the VPC of the customer's user project (on Google Cloud or on-premises), connected to the Google Cloud network over VPN.
  6. Consumer VPC : the VPC of the customer's consumer project (on Google Cloud), connected to the on-premises network over VPN and hosting the PSC endpoint used to access the producer services.
  7. VPN - On-Prem/Google Cloud Platform : the on-premises VPN solution the customer uses to connect to Google Cloud.
  8. HA VPN - Google Cloud Platform : the Google Cloud HA VPN that provides a highly available connection between the user and consumer projects.
  9. NAT : Cloud NAT in the customer's user project, which lets the VM instance reach the Internet to fetch packages needed for the database client/creation.
  10. Cloud SQL Instance : the Cloud SQL instance created in the customer's producer project with PSC enabled.
  11. PSC Endpoint : a reserved internal IP address in the consumer VPC network with a forwarding rule targeting the service attachment, used for the Cloud SQL connection.
  12. Service Attachment : a resource that is accessed through endpoints. A service attachment targets a producer load balancer and lets clients in a consumer VPC network reach it.
  13. ILB Forwarding Rule : the forwarding rule that forwards requests sent to the PSC endpoint address to the service attachment URI.
  14. Cloud SQL VM : the physical manifestation of the Cloud SQL instance belonging to the customer's producer project.
  15. VM : the customer's VM instance in the user project/on-premises, which connects to the producer resources through the consumer project.
  16. Google-owned Organisation : the Google Cloud owned organisation that manages the projects in which the resources created by customers in producer projects are actually hosted.
  17. Google Organisation - Producer Project (45678) : the Google Cloud owned project that hosts the Cloud resources created by customers.
  18. Cloud SQL Producer VPC : the VPC of the Google-owned producer project.
  19. Dotted Line : the dotted line divides the customer's organisation on Google Cloud, with customer-created projects, from Google's organisation, with Google-created projects.
  20. Dot-Dashed Line : the dot-dashed line shows the NAT in the customer's VPC that the VM instance uses to pull the resources it needs to access Cloud SQL.
  21. Dashed Line : the dashed line is the connection between Cloud SQL in the customer's project, as the producer service, and the Cloud SQL instance running on a VM in a Google-owned project.

Pre-requisites

  1. Terraform and the gcloud CLI must be installed on the machine from which the Terraform configuration in this solution will be executed (see the Terraform installation steps and the gcloud CLI installation steps).

  2. The Google Cloud projects used in this guide must exist: consumer/host, producer/service and user/on-prem.

  3. The identity that runs this Terraform solution needs at least the following roles in the respective projects. They can be assigned through the Google Cloud console or the gcloud CLI.

    • Customer's Consumer Project
      • roles/compute.networkAdmin
      • roles/compute.securityAdmin
      • roles/iam.serviceAccountAdmin
      • roles/serviceusage.serviceUsageAdmin
      • roles/resourcemanager.projectIamAdmin
    • Customer's Producer Project
      • roles/cloudsql.admin
      • roles/iam.serviceAccountAdmin
      • roles/serviceusage.serviceUsageAdmin
      • roles/resourcemanager.projectIamAdmin
    • Customer's User Project
      • roles/compute.networkAdmin
      • roles/compute.securityAdmin
      • roles/compute.instanceAdmin
      • roles/iam.serviceAccountUser
      • roles/iam.serviceAccountAdmin
      • roles/serviceusage.serviceUsageAdmin
      • roles/resourcemanager.projectIamAdmin

    Note that roles/resourcemanager.projectIamAdmin lets the identity grant any role in the project, including to itself, so treat the deploying identity as highly privileged: prefer a dedicated service account and remove the binding once the resources are created.

    To assign these roles to the account:

a. Using the web console : assign the IAM roles to the user who will run this script through the Google Cloud console.

b. Using the gcloud CLI : assign the IAM roles with gcloud projects add-iam-policy-binding for each project and role.
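When the role lists above are maintained as code, one additive binding per (project, role) pair is easier to review and revoke than a console-assigned bundle. The following Terraform is an added example, not the module's own code, that grants exactly those role sets to the deploying identity; it must itself be applied by an identity that already holds IAM admin rights on the three projects. The deployer principal is an assumption.

```hcl
# Added example (not part of the cloudsql-easy-networking modules).
# Grants the README's per-project role sets to the identity that will run
# the solution, one google_project_iam_member per (project, role) pair.

variable "consumer_project_id" {
  type = string
}

variable "producer_project_id" {
  type = string
}

variable "user_project_id" {
  type = string
}

variable "deployer" {
  type        = string
  description = "IAM principal that runs Terraform, e.g. serviceAccount:terraform-sa@<project>.iam.gserviceaccount.com (assumption)"
}

locals {
  # Role sets copied from the Pre-requisites section. The three project IDs
  # must be distinct, otherwise the map below would have duplicate keys.
  roles_by_project = {
    (var.consumer_project_id) = [
      "roles/compute.networkAdmin",
      "roles/compute.securityAdmin",
      "roles/iam.serviceAccountAdmin",
      "roles/serviceusage.serviceUsageAdmin",
      "roles/resourcemanager.projectIamAdmin",
    ]
    (var.producer_project_id) = [
      "roles/cloudsql.admin",
      "roles/iam.serviceAccountAdmin",
      "roles/serviceusage.serviceUsageAdmin",
      "roles/resourcemanager.projectIamAdmin",
    ]
    (var.user_project_id) = [
      "roles/compute.networkAdmin",
      "roles/compute.securityAdmin",
      "roles/compute.instanceAdmin",
      "roles/iam.serviceAccountUser",
      "roles/iam.serviceAccountAdmin",
      "roles/serviceusage.serviceUsageAdmin",
      "roles/resourcemanager.projectIamAdmin",
    ]
  }

  # Flatten to a map keyed "<project>/<role>" so every binding has a stable
  # resource address and can be removed individually.
  bindings = merge([
    for project, roles in local.roles_by_project : {
      for role in roles : "${project}/${role}" => {
        project = project
        role    = role
      }
    }
  ]...)
}

# google_project_iam_member is additive: it never overwrites bindings that
# other teams or services hold on the project, unlike google_project_iam_policy.
resource "google_project_iam_member" "deployer" {
  for_each = local.bindings

  project = each.value.project
  role    = each.value.role
  member  = var.deployer
}
```

Because each binding is its own resource, `terraform destroy` on this configuration (or deleting one entry from the role lists) revokes exactly the grants it created, which is how the projectIamAdmin bindings should be cleaned up after the deployment.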

Execution

  1. Authenticate with gcloud auth application-default login on the machine that will execute the Terraform solution. The linked documentation describes the gcloud auth command in more detail.
  2. Change directory (cd) into the example directory cloudsql-easy-networking/examples/4.PSC-Across-VPN to execute the Terraform code.
  3. Update the variables in terraform.tfvars for your environment, for example consumer_project_id, producer_project_id and user_project_id. The Inputs section of this README lists all input variables that can be set, and the Examples section shows a terraform.tfvars file to start from.
  4. Run terraform init. This initialises the working directory containing the Terraform configuration files.
  5. Run terraform validate to validate the configuration files in this directory.
  6. Run terraform plan. This creates an execution plan that lets you preview the changes Terraform intends to make to your infrastructure. Review the plan output and continue only if it looks correct.
  7. Run terraform apply and type yes when asked for confirmation. This executes the actions proposed in the plan.
  8. Deleting resources : run terraform destroy and type yes when asked for confirmation. This deletes the resources created by Terraform.

Examples

Here is an example of the tfvars file that can be used to create the resources with Terraform for PSC across a VPN connection to another Google Cloud project or an on-premises network. This example creates a new VPC and subnetwork in both the user and consumer projects.

```hcl
## Producer/Service Project tfvars

producer_project_id        = "<<producer-project-ID>>"
test_dbname                = "test_db"

## Consumer/Host Project tfvars

consumer_project_id        = "<<consumer-project-ID>>"
create_network             = true
create_subnetwork          = true
consumer_network_name      = "vpn-vpc-consumer"
consumer_subnetwork_name   = "vpn-subnet-consumer"
consumer_cidr              = "192.168.0.0/24"
endpoint_ip                = ["192.168.0.5"]   # must lie inside consumer_cidr
region                     = "us-central1"
zone                       = "us-central1-a"
router_name                = "cloudsqleasy-router"

## User/On-Prem Project tfvars

user_project_id            = "<<user-project-ID>>"
create_user_vpc_network    = true
create_user_vpc_subnetwork = true
user_network_name          = "vpn-vpc-user"
user_subnetwork_name       = "vpn-subnet-user"
user_cidr                  = "10.0.0.0/24"
nat_name                   = "cloudsqleasy-nat"
user_region                = "us-central1"
user_zone                  = "us-central1-a"
```

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| google | 4.84.0 |
| template | 2.2.0 |

Note that the hashicorp/template provider is archived and has no builds for newer platforms such as Apple Silicon; the templatefile() function is its replacement.

Modules

| Name | Source | Version |
|------|--------|---------|
| compute_address | terraform-google-modules/address/google | n/a |
| consumer_project | ../../modules/services | n/a |
| consumer_project_vpn | ../../modules/net-vpn-ha | n/a |
| consumer_vpc | ../../modules/net-vpc | n/a |
| firewall_rules | ../../modules/firewall-rules | n/a |
| producer_project | ../../modules/services | n/a |
| sql_db | ../../modules/cloudsql | n/a |
| terraform_service_accounts | ../../modules/iam-service-account | n/a |
| user_firewall_rules | ../../modules/firewall-rules | n/a |
| user_gce_sa | ../../modules/iam-service-account | n/a |
| user_nat | ../../modules/net-cloudnat | n/a |
| user_project | ../../modules/services | n/a |
| user_project_instance | ../../modules/computeinstance | n/a |
| user_project_vpn | ../../modules/net-vpn-ha | n/a |
| user_vpc | ../../modules/net-vpc | n/a |

Resources

| Name | Type |
|------|------|
| google_compute_forwarding_rule.cloudsql_forwarding_rule | resource |
| google_compute_network.consumer_vpc | data source |
| google_compute_network.user_vpc | data source |
| google_compute_subnetwork.consumer_vpc_subnetwork | data source |
| google_compute_subnetwork.user_vpc_subnetwork | data source |
| template_file.mysql_installer | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cloudsql_instance_name | Name of the Cloud SQL instance that will be created. | `string` | `"cloudsql"` | no |
| consumer_cidr | CIDR range of the consumer VPC network. | `string` | n/a | yes |
| consumer_gateway_name | Name of the consumer VPN gateway. | `string` | `"gcp-vpc-gateway1"` | no |
| consumer_network_name | Name of the consumer VPC network to be created if var.create_network is true, or of the existing network if var.create_network is false. | `string` | n/a | yes |
| consumer_project_id | Project ID of the consumer GCP project. | `string` | n/a | yes |
| consumer_subnetwork_name | Name of the consumer subnetwork to be created if var.create_subnetwork is true, or of the existing subnetwork if var.create_subnetwork is false. | `string` | n/a | yes |
| create_mysql_db | Whether a MySQL database needs to be created. | `bool` | `true` | no |
| create_nat | Whether to create the Cloud NAT that lets the VM reach the external Internet. | `bool` | `true` | no |
| create_network | Whether a new consumer network should be created. | `bool` | `true` | no |
| create_postgresql_db | Whether to create a PostgreSQL database. | `bool` | `false` | no |
| create_subnetwork | Whether a new consumer subnetwork should be created. | `bool` | `true` | no |
| create_user_vpc_network | Whether a new user network should be created. | `bool` | `true` | no |
| create_user_vpc_subnetwork | Whether a new user subnetwork should be created. | `bool` | `true` | no |
| database_version | Database version of the Cloud SQL instance. | `string` | `"MYSQL_8_0"` | no |
| deletion_protection | Enable deletion protection on the Cloud SQL instance. | `bool` | `true` | no |
| endpoint_ip | Endpoint IP address(es) to be reserved for the PSC connection. | `list(string)` | n/a | yes |
| gce_tags | List of network tags applied to the GCE instance. | `list(string)` | `["cloudsql"]` | no |
| load_balancing_scheme | Load balancing scheme for the ILB/forwarding rule (must be empty for a PSC endpoint targeting a service attachment). | `string` | `""` | no |
| nat_name | Name of the Cloud NAT that lets the VM instance reach the Internet. | `string` | n/a | yes |
| producer_project_id | Project ID of the producer GCP project. | `string` | n/a | yes |
| region | Name of a GCP region. | `string` | n/a | yes |
| router_name | Name of the Cloud Router used for Cloud NAT. | `string` | n/a | yes |
| source_image | Source disk image. If neither source_image nor source_image_family is specified, defaults to the latest public image. | `string` | `""` | no |
| source_image_family | Source image family. If neither source_image nor source_image_family is specified, defaults to the latest public image. | `string` | `"ubuntu-2204-lts"` | no |
| source_image_project | Project the source image comes from. | `string` | `"ubuntu-os-cloud"` | no |
| terraform-sa | Service account to be used by Terraform. | `string` | `"terraform-sa"` | no |
| test_dbname | Name of the database to be created inside the SQL instance. | `string` | `"test_db"` | no |
| user_cidr | CIDR range of the user VPC network. | `string` | n/a | yes |
| user_gateway_name | Name of the user VPN gateway. | `string` | `"gcp-vpc-gateway2"` | no |
| user_network_name | Name of the user VPC network to be created if var.create_user_vpc_network is true, or of the existing network if var.create_user_vpc_network is false. | `string` | n/a | yes |
| user_project_id | Project ID of the user GCP project. | `string` | n/a | yes |
| user_region | Region for the user project resources. | `string` | n/a | yes |
| user_subnetwork_name | Name of the user subnetwork to be created if var.create_user_vpc_subnetwork is true, or of the existing subnetwork if var.create_user_vpc_subnetwork is false. | `string` | n/a | yes |
| user_zone | Zone for the user project resources. | `string` | n/a | yes |
| zone | Name of a GCP zone; must be in the region given by the region variable. | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| cloudsql_instance_name | Name of the SQL instance created in the producer project. |
| cloudsql_instance_psc_attachment | The psc_service_attachment_link created for the master instance. |
| compute_instance_name | Name of the compute instance created. |
| consumer_network_id | Network ID of the consumer VPC network created in the consumer project. |
| consumer_network_name | Name of the consumer VPC. |
| consumer_subnetwork_id | ID of the subnetwork created inside the consumer VPC network in the consumer project. |
| reserved_ip | IP address reserved as the service endpoint. |