Avenue Code Snippets

Create a Tunnel from Anypoint Platform to GCP Using an HA VPN

Written by Anupam Gogoi | 12/21/22 5:00 PM

Last week, we learned how to create a classic tunnel from GCP to Anypoint Platform. This week, we'll explain how to set up a tunnel between the Anypoint Platform and GCP so that Anypoint users can access a MySQL instance that is hosted by GCP.

Brief

In today's article, we'll cover the six points outlined below. If you're already familiar with GCP, you can skip parts one and two below and go straight to VPN Configuration in GCP. 

  1. VPC Configuration in GCP
  2. MySQL Configuration in GCP
  3. VPN Configuration in GCP
  4. VPN Configuration in Anypoint
  5. VPN Configuration in GCP, Continued
  6. Testing the Tunnel
1. VPC Configuration in GCP

In order to function without utilizing the default network provided by Google, we will define a clean network in GCP.

VPC Creation

Let's create a VPC with CIDR 10.100.0.0/24 as shown below. You can use this link to check the IP range created by the CIDR.

Private Service Connection

At this point, it's important to note that a private services access connection is private to your VPC network and can be used across all managed services (e.g. SQL, Memorystore, and Tensorflow).

Your connections should be between the Google-owned network and your VPC network via a VPC peering. This allows your services and instances to communicate solely via internal IP addresses.

Finally, the private service access connections make sure that you have an isolated project on the side of the service-producer, which means it is not shared by any other clients. You will only be charged for the resources you provision.

Now, let's try to understand this visually:

Private Connection

In order to run a MySQL instance privately, we must set up a second VPC network that allows Google-managed services to start up.

My actual VPC is 10.100.0.0/24 in this scenario. But because everything in my VPC—including VMs—needs access to a private MySQL database, I will need to set aside another CIDR (10.200.0.0/24) in my network for the second VPC. Thankfully, GCP handles all of these peerings automatically so we don't have to. Otherwise, I would describe it as unpleasant. :)

Here is how you do it:

Private Service Connection Configuration

To configure your private service connection, click ALLOCATED IP RANGES FOR SERVICES and then click ALLOCATE IP RANGE. The following window will pop up:

Check the CIDR. Now, click the PRIVATE CONNECTIONS TO SERVICES as shown in the previous figure. You will be presented with a form like the one shown below. Here we are finally creating the connection using the CIDR provided in the previous step.

Create Private Connection

After creating the private connection, you must enable it.

2. MySQL Configuration in GCP

Once our VPC is set up, launching MySQL is simple.

Create MySQL Instance

I will only go over the crucial details when setting up the MySQL instance. Start here:

In the same region where I have defined my VPC, mule-vpc, I am constructing a MySQL instance. Let's choose our VPC in the Connections area, as shown below:

Now you're ready: click the Create Instance button. Your MySQL instance will be prepared eventually. When you check the Private IP of the MySQL instance, you get a "strange" screen:

The IP of the instance is 10.200.0.3, but the CIDR of our VPC is 10.100.0.0/24.

So this is our configuration of the VPC:

Private Connection

Here's the answer to the riddle. Do you remember that MySQL is a Google-managed service and we allocated 10.200.0.0/24 CIDR for the VPC where Google will launch the services for us?

That's how the Private ID of our MySQL instance became 10.200.0.3

Cool! Next, let's configure a VPN in GCP.

3. VPN Configuration in GCP

There are two options for VPN creation in GCP:

In our last article, we explained how to create a Classic VPN. In this article, we will go with the first option: HA VPN.

Create an HA VPN

Please note that I am setting up a VPN for the VP (mule-vpc) that I created earlier:

Just hit CREATE & CONTINUE and return to the original menu without doing anything:

This is where it gets interesting! You can see that the VPN has been given two public IP addresses, namely 34.124.20.226 and 34.104.81.39. Our GCP VPN's IP address can be either of these, and we can choose which one we want to use when we set up Anypoint.

We will set up the Anypoint VPN's public IP on the PEER VPN GATEWAYS tab pictured above.

For our next step, we will need to switch to the Anypoint Platform. 

4. VPN Configuration in Anypoint

I won't delve too deeply into this stage since there are tons of articles on this topic available on the internet, but I'll cover the basics to show this stage in the context of our project. As shown below, I entered the remote IP address as 34.124.20.226:

After a few minutes, Anypoint (AWS) will provide us with the tunnel details:

5. VPN Configuration in GCP, Continued

Configure Peer VPN Gateways

For the sake of brevity, I will only configure one tunnel. But first, let's map the IPs with GCP:

In GCP, let's configure our peer VPN, i.e Anypoint VPN. It's very simple:

We will now create a tunnel between PEER VPN GATEWAYS, such as Anypoint, and CLOUD VPN GATEWAYS, such as GCP. To do so, click the CLOUD VPN TUNNELS button, and a new form with a few more details will appear.

Router Configuration

Before creating the tunnel, let's configure a router. This is the tricky part.

The Google ASN can be found in Anypoint VPN, as shown below:

Now, which IP address range should our router map to?

Remember that our intention is to connect to a MySQL instance. Now, do you remember in which CIDR range the MySQL instance was launched?

Yes. It started operating at 10.200.0.0/24. Thus, with the aforementioned settings, our router will direct traffic to the aforementioned CIDR. Nice, right?

Tunnel Configuration

Create a tunnel, define the GCP VPN you need the tunnel for, and then continue.

Now we're getting to some cool configurations. Check it out:

Verify that we selected the Anypoint VPN that we had declared for the peer VPN. It's looking great!

Right after this, select the router (which we created in the previous stage) for our tunnel.

Validate the IP information as follows:

Now you need to fill in the PSK as shown below:

Finally, click the CREATE button. And now we're on to the final step.

BGP Session Creation

Click CONFIGURE BGP SESSION for your tunnel.

You will need to enter the information below in a new window that will appear. I have mapped the values for ease of use.

Then create the session. If everything goes well, you will be happy to see these green checkmarks:

Also, you can check on Anypoint that the tunnel is now UP.

Note that when you click the VPC Routers tab in the Anypoint VPN, you can see the routes advertised by our GCP router.

Isn't that cool? That's the power of the BGP session. Now, any change you make in GCP will be reflected in your Anypoint Platform.

We just covered quite a lot of configuration information, but before we conclude, we need to test our work.

6. Test the Tunnel

I created the VPN for the VPC listed below when I made it in the Anypoint Platform.

So technically, any application launched in the VPC below will be able to connect to my MySQL instance in GCP.

Network Tool

To check the connectivity, I'm using the tool provided by MuleSoft. I have deployed the tool in the above VPC, i.e. 10.0.0.0/16. It's nothing but a Mule application.

Now, the private IP of my MySQL instance is 10.200.0.3. Let's cross our fingers and telnet it from Anypoint VPC.

Voila!!!!!!

I was able to successfully telnet the MySQL instance in GCP from the Anypoint Platform.

Conclusion

In this very comprehensive article, I tried to cover every aspect of creating a tunnel from Anypoint Platform to GCP using a high availability VPN. The big picture of what we accomplished is shown below:


I hope you found this article useful!