Networking Setup

Create a virtual cloud network (VCN), add ingress rules, and then create either a compute instance, a Bastion session, or a VPN connection to connect to a MySQL DB system. To connect to a DB system with a public IP address, use a network load balancer.

Networking Setup Overview

MySQL DB system endpoints are not public. To connect to a DB system, create a virtual cloud network (VCN) and then create either a compute instance, a Bastion session, or a VPN connection.

Do the following to connect to a MySQL DB system:

  1. Create a virtual cloud network: If you do not have a VCN with a private or public regional subnet already present in your tenancy, create a VCN. See Creating a Virtual Cloud Network Using the Console.

    While creating a VCN, adhere to the following:

    • Security rules: To enable communication between your local network or a compute instance and your DB system, configure the subnets of your VCN with security rules. These rules permit traffic from specific IP addresses and ports, or ranges of IP addresses and ports, between resources. See Network Security Rules.
    • IP address requirements: When you define your CIDR block, note the IP address requirements:
      • The Networking service reserves three IP addresses in each subnet.
      • A standalone MySQL DB system requires three IP addresses for the following: the DB system, the compute instance hosting the MySQL instance, and for maintenance and upgrade tasks on the MySQL instance.
      • A highly available MySQL DB system requires up to seven IP addresses for the following: the DB system, one per compute instance hosting the MySQL instance (three in total), and one per MySQL instance for maintenance and upgrade tasks (up to three in total).
  2. Do one of the following:
    • Create a compute instance: Use SSH or RDP, depending on your platform, to connect to the compute instance and, from there, to connect with your DB system. Compute instances that are attached to public subnets can use public IP addresses. See Creating a Compute Instance.
    • Create a Bastion session: A Bastion session enables SSH access from your local network to your DB system. See Bastion Session.
    • Create a VPN connection: A VPN connection bridges your local network with your Oracle Cloud Infrastructure VCN. Use site-to-site VPN, FastConnect, or OpenVPN Access Server to create a VPN connection. See VPN Connections.

Creating a Virtual Cloud Network Using the Console

Use the Console to create a virtual cloud network (VCN) that enables you to connect to a compute instance and interact with a DB system.

This task requires the following:
  • You do not have an existing VCN with a private and public regional subnet present in your tenancy.
Do the following to create a VCN:
  1. Open the navigation menu, select Networking, and then select Virtual Cloud Networks.
  2. In the Virtual Cloud Networks page, click Start VCN Wizard.
  3. In the Start VCN Wizard dialog box, select Create VCN with Internet Connectivity, and click Start VCN Wizard.
    The VCN wizard creates a VCN, public and private regional subnets, and internet, service, and NAT gateways. See Overview of Networking.
  4. In the Create a VCN with Internet Connectivity panel, provide the following information:
    1. Basic Information: Enter the VCN Name, and select the Compartment where you want to create your VCN and its components such as private and public subnet, internet gateway, NAT gateway, and service gateway.
    2. Configure VCN and Subnets: Provide the following information:
      Note

      It is recommended to accept the default values of the VCN and subnet configuration. Also, you cannot change these values of the configuration later.
      • VCN CIDR Block: Specify the CIDR block for the VCN. For example, 10.0.0.0/16 and 10.0.0.0/30.
        Note

        Specify a value between /16 and /30.
      • Public Subnet CIDR Block: Specify the public subnet CIDR block. For example, 10.0.0.0/24.
        Note

        The public subnet CIDR block must not overlap with the private subnet CIDR block.
      • Private Subnet CIDR Block: Specify the private subnet CIDR block. For example, 10.0.1.0/24.
        Note

        The private subnet CIDR block must not overlap with the public subnet CIDR block.
      • Use DNS hostnames in this VCN: If you plan to use VCN DNS or a third-party DNS, select the check box for instance hostname assignment.
    3. Tags: Click Show Tagging Options to open Tags. Specify or select the Tag Namespace, Tag Key, and Tag Value.
  5. Click Next.
  6. Review your settings, and click Create.
  7. Click View Virtual Cloud Network.
  8. Add ingress rules to allow traffic from authorized IP addresses. See Adding Ingress Rules Using the Console.
    Note

    If you are connecting to your DB system using a compute instance, Bastion session, or VPN, add the ingress rules to the security list of the private subnet. If you are connecting to your DB system using a network load balancer, that is, using a public IP address, add the ingress rules to the default security list of the public subnet.
A virtual cloud network is created.
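The CIDR rules above (VCN prefix between /16 and /30, public and private subnets that do not overlap, three reserved addresses per subnet, and three or seven addresses for a standalone or highly available DB system) are easy to get wrong when sized by hand. The following checker is an added example, not code from this page or from Oracle; it assumes the DB system is placed on the subnet named "private", as this page does, and uses only the Python standard library.

```python
import ipaddress

RESERVED_PER_SUBNET = 3   # addresses the Networking service reserves in every subnet
DB_SYSTEM_IPS = {"standalone": 3, "high_availability": 7}   # requirements from this page


def address_count(cidr):
    """Total addresses in a CIDR block, e.g. 10.0.0.0/24 -> 256."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def check_vcn_plan(vcn_cidr, subnets, db_mode="standalone"):
    """Validate a VCN/subnet plan against the constraints stated on this page.

    subnets maps a name ("public", "private") to its CIDR. Returns a list of
    problems; an empty list means the plan satisfies every check.
    """
    problems = []
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    # The VCN wizard accepts prefix lengths between /16 and /30.
    if not 16 <= vcn.prefixlen <= 30:
        problems.append(f"VCN CIDR {vcn} must be between /16 and /30")
    nets = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vcn):
            problems.append(f"{name} subnet {net} is not inside VCN {vcn}")
        nets[name] = net
    # Public and private subnet CIDR blocks must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # Assumption: the DB system is on the private subnet. After the three
    # reserved addresses there must be room for 3 (standalone) or 7 (HA).
    private = nets.get("private")
    if private is not None:
        usable = private.num_addresses - RESERVED_PER_SUBNET
        need = DB_SYSTEM_IPS[db_mode]
        if usable < need:
            problems.append(f"private subnet {private} leaves {usable} usable "
                            f"addresses but a {db_mode} DB system needs {need}")
    return problems
```

A /30 VCN, which the wizard accepts, leaves only one address after reservations, so the checker reports it as too small for any DB system.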

Adding Ingress Rules Using the Console

Use the Console to add ingress rules to a virtual cloud network (VCN).

This task requires the following:
Do the following to add ingress rules:
  1. Open the navigation menu, select Networking, and then select Virtual Cloud Networks.
  2. Select your compartment from the List Scope.
  3. From the list of VCNs, click the name of your VCN to open the Virtual Cloud Network Details page.
  4. In the Virtual Cloud Network Details page, select Security Lists from the Resources section.
  5. From the list of security lists, do one of the following:
    • If you are connecting to your DB system using a compute instance, Bastion session, or VPN, click the security list of your private subnet.
    • If you are connecting to your DB system using a network load balancer, that is, using a public IP address, click the default security list of your public subnet.
  6. In the Security List Details page, click Add Ingress Rules.
  7. In the Add Ingress Rules dialog box, provide the following information:
    • Stateless: Do not select.
    • Source Type: Select CIDR.
    • Source CIDR: Specify the CIDR of the public subnet. If required, you can narrow down the range to more specific IP addresses:
      • 10.0.0.0/8: Allows traffic from 10.0.0.0 to 10.255.255.255 IP addresses, that is, a total of 16,777,216 IP addresses.
      • 10.0.0.0/16: Allows traffic from 10.0.0.0 to 10.0.255.255 IP addresses, that is, a total of 65,536 IP addresses.
      • 10.0.0.0/24: Allows traffic from 10.0.0.0 to 10.0.0.255 IP addresses, that is, a total of 256 IP addresses.
      • 10.0.2.24/32: Allows traffic from 10.0.2.24 IP address only.
    • IP Protocol: Select TCP.
    • Source Port Range: Leave it blank.
    • Destination Port Range: Specify the port to which the DB system listens. The default value for MySQL Classic is 3306 and for MySQL X Protocol is 33060.
      Note

      To add multiple destination ports simultaneously, add them as a comma-separated list. For example, to add ingress rules for ports 3306 and 33060 simultaneously, enter 3306,33060.
    • Description: Add a descriptive string for the ingress rules.
  8. Click Add Ingress Rules.
The ingress rule is added to the security list of the subnet.
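To see what the dialog box above actually produces, and to check a rule set before applying it, the following is an added example (not code from this page or from Oracle). It emits stateful TCP rules in the field layout of the OCI Networking API's IngressSecurityRule (protocol "6" is TCP), evaluates whether a given source address and destination port would be admitted, and flags MySQL ports that are opened to 0.0.0.0/0, which should never appear on the private subnet's security list. The field names are assumed to match the API; the sample CIDRs and ports are the ones used on this page.

```python
import ipaddress

MYSQL_PORTS = {"classic": 3306, "x_protocol": 33060}   # default ports from this page


def ingress_rules(source_cidr, ports, description):
    """One stateful TCP ingress rule per destination port, shaped like the OCI
    IngressSecurityRule object (assumed field names). Raises ValueError for a
    CIDR with host bits set, such as 10.0.0.1/24."""
    ipaddress.ip_network(source_cidr, strict=True)
    return [{
        "isStateless": False,
        "sourceType": "CIDR_BLOCK",
        "source": source_cidr,
        "protocol": "6",                      # TCP
        "tcpOptions": {"destinationPortRange": {"min": p, "max": p}},
        "description": description,
    } for p in ports]


def rule_allows(rule, src_ip, dst_port):
    """Would this TCP ingress rule admit a connection from src_ip to dst_port?"""
    if rule["protocol"] not in ("6", "all"):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["source"]):
        return False
    rng = rule.get("tcpOptions", {}).get("destinationPortRange")
    return rng is None or rng["min"] <= dst_port <= rng["max"]


def overexposed(rules):
    """Return the rules that open a MySQL port to every source (0.0.0.0/0).
    Such a rule belongs, at most, on a public subnet fronted by a load balancer."""
    bad = []
    for r in rules:
        rng = r.get("tcpOptions", {}).get("destinationPortRange")
        wide_open = ipaddress.ip_network(r["source"]).prefixlen == 0
        if wide_open and rng and any(rng["min"] <= p <= rng["max"]
                                     for p in MYSQL_PORTS.values()):
            bad.append(r)
    return bad
```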

Bastion Session

An Oracle Cloud Infrastructure Bastion session provides restricted and time-limited access to target resources that do not have public endpoints.

Bastion sessions let authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. When you connect using a Bastion session, you can interact with the target resource by using any software or protocol supported by SSH. For example, you can use the Remote Desktop Protocol (RDP) to connect to a Windows host, or use Oracle Net Services to connect to a database. Bastions also allow connections to MySQL DB systems.

VPN Connections

Use site-to-site VPN, FastConnect, or OpenVPN Access Server to bridge your local network with your Oracle Cloud Infrastructure VCN.

Use any of the following VPN connection methods to connect to your virtual cloud network (VCN):

  • Site-to-site VPN: Provides a site-to-site IPSec VPN between your on-premises network and your VCN over a secure, encrypted connection. See Site-to-Site VPN.
  • FastConnect: Provides a dedicated private connection between your data center and Oracle Cloud Infrastructure. It provides higher-bandwidth options, and a more reliable and consistent networking experience compared to internet-based connections. See FastConnect Overview.
  • OpenVPN Access Server: Connects your client devices directly to Oracle cloud resources, such as MySQL DB systems. You cannot use OpenVPN Access Server to connect entire sites or networks to an Oracle VCN; in that scenario, it is recommended to use Site-to-site VPN or FastConnect. See OpenVPN Access Server.
    Note

    OpenVPN Access Server is available in the Oracle Cloud Infrastructure Marketplace. It is free to install, and you can use it for two simultaneous VPN connections. See OpenVPN Access Server Pricing.

OpenVPN Access Server

Use OpenVPN Access Server to connect your client devices directly to Oracle cloud resources, such as MySQL DB systems.

Note

Use site-to-site VPN or FastConnect to connect entire sites or networks to an Oracle VCN.
  1. Create an OpenVPN stack. The OpenVPN stack consists of a compute instance running the Access Server. The stack is attached to the same VCN your DB system is attached to, and you need to configure the network to enable external connections to the Access Server. See Creating an OpenVPN Stack Using the Console.
  2. Configure the OpenVPN Access Server to route traffic to your DB system. It includes configuring static IP addresses, routing instead of NAT, and creating and configuring a VPN user. See Configuring an OpenVPN Access Server Using the Console.
  3. Install and configure a VPN client to use with your OpenVPN Access Server and connect to your DB System. See your VPN client documentation.
  4. Configure your VCN to allow communications from the OpenVPN Access Server to the MySQL DB system attached to the private subnet. See Configuring a VCN for OpenVPN Access Server Connections Using the Console.
Note

It is recommended to secure your OpenVPN connection with a shared secret key. See Hardening OpenVPN Security.

Creating an OpenVPN Stack Using the Console

Use the Console to create an OpenVPN Stack, which consists of a compute instance running the Access Server, to enable external connections to the Access Server.

This task requires the following:

Do the following to create an OpenVPN Stack:

  1. Open the navigation menu, select Marketplace, and then select All Applications.
  2. In the search box, search for OpenVPN Access Server, and click OpenVPN Access Server.
  3. Select the compartment you created the VCN in, and select the terms and conditions check box.
  4. Click Launch Stack.
  5. In the Stack Information panel of the Create Stack page, provide the following information:

    Stack Information:

    • Name: (Optional) Specify a name for the Stack.
    • Description: (Optional) Specify a description of the Stack.
    Note

    You cannot edit the Create in Compartment or Terraform version fields.
  6. Click Next.
  7. In the Configure Variables panel, provide the following information:

    Compute Configuration:

    • OpenVPN Access Server Name: Specify a unique name for your Access Server.
    • Compute Shape: Select a shape of the compute instance.

    Application Configuration:

    • Administrator Username: Specify an administrator username to log into the administration portal. The username should start with a lowercase letter and contain only alphanumeric characters.
      Note

      Do not use openvpn for the Administrator Username. It is a reserved username.
    • Administrator Password: Specify the administrator password. The password should be at least eight alphanumeric characters long and should not contain any special characters.
    • Activation Key: (Optional) Specify the activation key, which you purchase from OpenVPN, if you intend to use more than two VPN connections with this Access Server compute instance.
    Network Configuration:
    • Network Strategy: Select Use Existing VCN.
    • Existing Network: Select the VCN to which your DB system is attached.
    • Existing Subnet: Select the public subnet of your VCN.
    Additional Configuration:
    • Compartment: Select the compartment in which you want to create all resources. By default, it is set to the compartment that you specify on the Marketplace page.
    • Public SSH Key String: (Optional) Specify the public SSH key to access the compute instance using SSH. You do not need to specify the string if you use the administration page of the Access Server.
  8. Click Next to open the Review page.
  9. Confirm your settings and click Create.
The Resource Manager Job Details page is displayed. The Logs section lists the details of the created stack and the login details of the Access Server in the following format:
    Outputs:
    admin_password = ********
    admin_username = username
    instance_public_url = https://193.122.164.108/admin
Here, instance_public_url contains the public IP address of the compute instance hosting the Access Server. Note these details as you need them in subsequent tasks.

Configuring an OpenVPN Access Server Using the Console

Use the Console to configure an OpenVPN Access Server to route traffic to your DB system.

This task requires the following:
Do the following to configure an OpenVPN Access Server:
  1. Load the OpenVPN Access Server Administration tool using the IP address and credentials that you get in the instance_public_url field at the end of creating the OpenVPN stack:
    https://<IPAddress>/admin
  2. Open the navigation menu, select Configuration, then select VPN Settings.
  3. Specify a static IP network in the Static IP Address Network field. A static IP address is preferred because you must also configure ingress rules for this IP address on the subnet of your VCN. If you used a dynamic address, you would have to update the ingress rules each time the address was reassigned.
    Note

    The dynamic IP address field is mandatory. Do not change the default value, similar to 172.27.233.0/24. When specifying the value for your static network, use a similar value, such as 172.27.232.0/24.
  4. In the Routing section, select Yes, using Routing and add the CIDR blocks of the private and public subnets to which the VPN clients require access. These are the CIDR blocks of the subnets attached to your VCN. For example: 10.0.0.0/24 and 10.0.1.0/24.
  5. Click Save Settings.
  6. Open the navigation menu, select User Management, then User Permissions.
  7. In the User Permissions dialog box, enter a username in the New Username field, and click the More Settings icon in the adjacent column.
  8. Provide the following information:
    • Password: Specify a password for the new user.
    • Select IP Addressing: Select Use Static.
    • VPN Static IP Address: Specify the IP address to assign to the new user. This IP address must be in the range defined in the Static IP Address Network field of the VPN Configuration.
    • Select addressing method: Select Use Routing.
    • Allow access to these networks: Specify the IP addresses of the public and private subnets, as mentioned in the Routing section of the VPN configuration.
  9. Save the user. Log out, and log in using the new user credentials. Download the profile, client.ovpn, using the Yourself (user-locked profile) link at the bottom of the page.
  10. Import the profile to the OpenVPN client. See OpenVPN documentation.
  11. Configure your network to accept connections from the OpenVPN Access Server.

Configuring a VCN for OpenVPN Access Server Connections Using the Console

Use the Console to configure a virtual cloud network to enable communications from the OpenVPN Access Server to the MySQL DB system attached to the private subnet.

This task requires the following:
Do the following to configure a virtual cloud network (VCN):
  1. Open the navigation menu, select Networking, and then select Virtual Cloud Networks.
  2. Click on the name of your VCN.
  3. In the Virtual Cloud Network Details page, under Subnets, click the name of your private subnet.
  4. In the Subnet Details page, click the Route Table.
  5. Click Add Route Rules and provide the following information:
    • Target Type: Select Private IP.
    • Destination Type: Select CIDR Block.
    • Destination CIDR Block: Specify the CIDR block you defined in the Static IP Address Network field of the OpenVPN Access Server VPN Settings.
    • Target Selection: Specify the private IP address of the compute instance of the OpenVPN Access Server.
  6. Click Add Route Rules.
  7. Navigate to the Security List Details page of your private subnet.
  8. Add ingress rules for the VPN Static IP addresses. The default MySQL ports are 3306 and 33060.
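The Access Server settings (previous task) and the VCN route rule and ingress rules (this task) only work when they agree with each other: the static network must not overlap the dynamic one, the VPN user's static address must fall inside it, the private subnet's route rule must send that network back to the Access Server's private IP on the public subnet, and the private subnet's security list must admit that address on both MySQL ports. The following cross-check is an added example, not code from this page or from Oracle; the configuration is passed as plain dicts and tuples, and the sample values are the ones used on this page plus a constructed user address 172.27.232.10 and Access Server private IP 10.0.0.5.

```python
import ipaddress

MYSQL_PORTS = (3306, 33060)   # default ports from this page


def check_openvpn_path(vpn, user, vcn, route_rule, private_ingress):
    """Cross-check OpenVPN Access Server settings against the VCN route rule and
    the private subnet's ingress rules. Returns a list of problems (empty = OK)."""
    problems = []
    net = ipaddress.ip_network
    dynamic, static = net(vpn["dynamic_network"]), net(vpn["static_network"])
    if dynamic.overlaps(static):
        problems.append("static and dynamic VPN networks overlap")
    user_ip = ipaddress.ip_address(user["static_ip"])
    if user_ip not in static:
        problems.append(f"user static IP {user_ip} is outside {static}")
    subnets = {name: net(cidr) for name, cidr in vcn["subnets"].items()}
    for cidr in vpn["routed_subnets"]:
        if net(cidr) not in subnets.values():
            problems.append(f"routed CIDR {cidr} is not a subnet of this VCN")
    # Return path: the private subnet's route table must send the VPN static
    # network to the Access Server's private IP, which sits on the public subnet.
    if user_ip not in net(route_rule["destination"]):
        problems.append(f"route destination {route_rule['destination']} misses {user_ip}")
    if ipaddress.ip_address(route_rule["target_private_ip"]) not in subnets["public"]:
        problems.append("route target is not an address on the public subnet")
    # Forward path: an ingress rule on the private subnet must admit the VPN
    # static address on every MySQL port. private_ingress is (source_cidr, ports).
    for port in MYSQL_PORTS:
        if not any(user_ip in net(src) and port in ports for src, ports in private_ingress):
            problems.append(f"no ingress rule admits {user_ip} to port {port}")
    return problems


# Constructed sample mirroring this page's values (user IP and target IP assumed).
SAMPLE = dict(
    vpn={"dynamic_network": "172.27.233.0/24", "static_network": "172.27.232.0/24",
         "routed_subnets": ["10.0.0.0/24", "10.0.1.0/24"]},
    user={"static_ip": "172.27.232.10"},
    vcn={"subnets": {"public": "10.0.0.0/24", "private": "10.0.1.0/24"}},
    route_rule={"destination": "172.27.232.0/24", "target_private_ip": "10.0.0.5"},
    private_ingress=[("172.27.232.0/24", (3306, 33060))],
)
```

Giving the user an address from the dynamic network instead of the static one is the common mistake; the checker then reports it, the route rule that no longer covers the address, and both ingress gaps in one run.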