Updated on 2023-11-30 GMT+08:00

Accessing Huawei Cloud over a VPN

Figure 1 shows how to use DRS to migrate data from on-premises databases to Huawei Cloud databases using a VPN.

Figure 1 Network diagram

To access a database in the local data center using a VPN, purchase the VPN service on Huawei Cloud and configure the VPN to connect to the VPC that contains the DRS instance. In addition, you need to configure the VPN device on the firewall or host in the local data center. Figure 2 shows the operation process.

Figure 2 Flowchart

Network Configurations

  1. Create a DRS instance and obtain the subnet and private IP address of the DRS instance.

    By default, the DRS instance is in the same subnet as the destination database.

    Figure 3 Replication instance information

    After the DRS replication instance is created, the private IP address of the DRS replication instance is displayed.

    Figure 4 Private IP address of the DRS instance

  2. Query the name of the VPC to which the DRS instance belongs.

    By default, the DRS replication instance and the destination RDS instance are created in the same VPC. You can log in to the destination RDS instance to view information about the VPC where the replication instance is located.

    Figure 5 Destination database information

  3. Purchase a VPN and configure the VPN gateway and connection.

    For details, see Getting Started with Virtual Private Network.

    When you create a VPN gateway, configure the VPC by referring to the VPC information obtained in step 2. When you create a VPN connection, configure the subnet associated with the replication instance by referring to the subnet information obtained in step 1.

  4. Configure the VPN device in the local data center.

    The configuration method of the VPN device depends on the type of the firewall or host in the local data center. For details, see Configuring the Remote Device.

  5. Configure the IP address whitelist for the on-premises database.

    Add the private IP address of the DRS instance to the whitelist of the on-premises database to allow access from the DRS instance.

    The method for configuring the whitelist depends on the database type. For details, see the official documents of each database.

  6. Configure a security group and an access control list (ACL).

    By default, a VPC does not have a network ACL, and the default security group rules allow all outbound traffic. The replication instance and destination RDS instance in the same security group can communicate with each other by default, so you do not need to configure a network ACL.

    If you have configured a network ACL or security group, log in to the VPC management console and check the settings:

    Security group: Ensure that outbound traffic from the private IP address of the DRS instance to the IP address and listening port of the on-premises database is allowed.

    Network ACL: Ensure that outbound traffic from the private IP address of the DRS instance, on a random source port, to the IP address and listening port of the on-premises database is allowed.

  7. Test the connection.

    Log in to the DRS console, locate the created DRS task, and click Edit in the Operation column. On the Configure Source and Destination Databases page, enter the IP address, port, username, and password of the on-premises database and then click Test Connection to check whether the connection is successful.
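
The check in step 6 can be rehearsed offline before running Test Connection. The following is an added example, not Huawei Cloud code or its API: it evaluates an exported rule set against the one flow DRS needs. The rule dictionaries, the IP addresses, port 3306, and the ephemeral source-port range are constructed assumptions, and the rule semantics are a simplified model (security group as an allow-list; network ACL as ordered, first match wins, default deny).

```python
import ipaddress
from functools import lru_cache

# Cache parsed values: the ACL check walks every ephemeral source port.
net = lru_cache(maxsize=None)(ipaddress.ip_network)
addr = lru_cache(maxsize=None)(ipaddress.ip_address)

def matches(ip, cidr, port, port_range):
    return port_range[0] <= port <= port_range[1] and addr(ip) in net(cidr)

def sg_allows(sg_rules, dst_ip, dst_port):
    # Assumed model: outbound rules form an allow-list; any match permits.
    return any(matches(dst_ip, r["dst"], dst_port, r["ports"]) for r in sg_rules)

def acl_allows(acl_rules, src_ip, src_port, dst_ip, dst_port):
    # Assumed model: lowest priority number first, first match decides,
    # and traffic that matches no rule is denied.
    for r in sorted(acl_rules, key=lambda r: r["priority"]):
        if (matches(src_ip, r["src"], src_port, r["src_ports"])
                and matches(dst_ip, r["dst"], dst_port, r["dst_ports"])):
            return r["action"] == "allow"
    return False

def check_drs_path(drs_ip, db_ip, db_port, sg_rules, acl_rules=None,
                   ephemeral=(32768, 60999)):
    """Return findings; an empty list means the DRS -> database flow is permitted.

    acl_rules=None means no network ACL is associated (the default in step 6).
    ephemeral is an assumed source-port range for the DRS instance.
    """
    findings = []
    if not sg_allows(sg_rules, db_ip, db_port):
        findings.append("security group: no outbound rule to database")
    if acl_rules is not None:
        blocked = [p for p in range(ephemeral[0], ephemeral[1] + 1)
                   if not acl_allows(acl_rules, drs_ip, p, db_ip, db_port)]
        if blocked:
            findings.append(f"network ACL: {len(blocked)} source ports blocked")
    return findings

# Constructed sample values, not taken from any real deployment.
DRS_IP, DB_IP, DB_PORT = "192.168.0.25", "10.10.1.20", 3306
SG = [{"dst": "10.10.1.20/32", "ports": (3306, 3306)}]
ACL = [{"priority": 1, "action": "allow",
        "src": "192.168.0.25/32", "src_ports": (1, 65535),
        "dst": "10.10.1.20/32", "dst_ports": (3306, 3306)}]

if __name__ == "__main__":
    print(check_drs_path(DRS_IP, DB_IP, DB_PORT, SG, ACL) or "path permitted")
```

Both sample rules are scoped to the single DRS address and the single database port, which matches the whitelist in step 5 and avoids opening the whole subnet.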