Help Center> Data Replication Service> Preparations> From ECS Databases to Huawei Cloud> Accessing Huawei Cloud Through a VPN (Different Regions)
Updated on 2022-09-21 GMT+08:00

Accessing Huawei Cloud Through a VPN (Different Regions)

Figure 1 shows how to use DRS to migrate data from an ECS database to a Huawei Cloud database in different regions over a VPN network on Huawei Cloud.

Figure 1 Network diagram

You can use an ECS database as the source. If the source and destination databases are in different regions and DRS uses a VPN, purchase the VPN service on Huawei Cloud Region-B, configure the VPC and subnet associated with the DRS replication instance, and purchase the VPN service on Region-A and configure the VPN peer device. In addition, configure the inbound rules for the network ACL and security group associated with the source database in Region-A to allow traffic from the EIP of the DRS migration instance, add the private IP address of the DRS replication instance to the source database whitelist, and ensure the outbound traffic from the network ACL and security group associated with the DRS replication instance in Region-B is allowed. Figure 2 shows the operation process.

Figure 2 Flow chart

Network Configurations

  1. Create a DRS instance and obtain the subnet and private IP address of the DRS instance.

    By default, the subnet associated with the DRS instance is the same as that of the destination database.

    Figure 3 Replication instance information

    After the DRS replication instance is created, the private IP address of the replication instance is displayed.

    Figure 4 Private IP address of the DRS instance

  2. Query the name of the VPC to which the DRS instance belongs.

    By default, the DRS replication instance and the destination RDS database are created in the same VPC. You can log in to the destination RDS instance to view information about the VPC where the replication instance is located.

    Figure 5 Destination database information

  3. Purchase a VPN in the target region and configure the VPN gateway and connection.

    For details, see Getting Started with Virtual Private Network.

    When you create a VPN gateway, configure the VPC by referring to the VPC information obtained in 2. When you create a VPN connection, configure the subnet associated with the replication instance by referring to the subnet information obtained in 1.

  4. Purchase a VPN in the source region and configure the VPN peer device.

    For details, see "Configuring the Remote Device" in Getting Started with Virtual Private Network.

  5. Configure the network ACL associated with the security group and subnet of the source database.

    Security group: Add an inbound rule to allow traffic from the private IP address of the DRS replication instance to the database listening port.

    Network ACL: By default, a VPC does not have a network ACL. If you have a network ACL, add an inbound rule to allow traffic from the private IP address and random port of the DRS replication instance to the IP address and listening port of the source database.

  6. Configure the IP address whitelist for the source database.

    Add the private IP address of the DRS replication instance to the whitelist of the source database. The method for configuring the whitelist depends on the cloud database type. For details, see the official documents of the corresponding database.

  7. Configure the network ACL associated with the security group and subnet of the DRS replication instance.

    By default, a VPC does not have a network ACL, and the default security group rules allow all outbound traffic. The replication instance and destination RDS database in the same security group can communicate with each other by default, so you do not need to configure a network ACL.

    If you have configured a network ACL or security group, log in to the VPC management console and check the settings:

    Security group: Ensure that the outbound traffic from the security group associated with the replication instance to the IP address and listening port of the source database is allowed.

    Network ACL: Ensure that the outbound traffic from the VPC where the replication instance resides and the DRS random port to the IP address and listening port of the source database is allowed.

  8. Test the connection.

    Log in to the DRS console, locate the created DRS task, and click Edit in the Operation column. On the Configure Source and Destination Databases page, enter the IP address, port, username, and password of the source database and then click Test Connection to check whether the connection is successful.