Dataphin: VPN gateway ECS reverse proxy solution

Last Updated: Dec 17, 2025

This solution outlines the process of establishing a VPN through Alibaba Cloud's VPC service to network with an on-premises IDC data center. It leverages Alibaba Cloud ECS instances as reverse proxies for data services, facilitating Dataphin's connection to data sources.

Solution description

  • Due to potential Internet jitter, congestion, and other public network issues, VPN connections may be disrupted. If your business demands high-quality network connectivity, consider Alibaba Cloud Express Connect, which offers leased lines for a higher cost. For more information, see Connection over an Express Connect circuit.

  • The VPN Gateway ECS reverse proxy solution incurs only ECS and VPN bandwidth fees, eliminating the need for a public IP address and offering a cost-effective approach.

Network architecture

The network architecture for connecting Dataphin via the VPN Gateway ECS reverse proxy is as follows:

[Figure: network architecture of the VPN gateway ECS reverse proxy]

Prerequisites

Before establishing a VPN connection from the VPC to the on-premises data center using the IPsec-VPN feature, ensure the following conditions are met:

  • Verify that the data center gateway devices support the standard IKEv1 and IKEv2 protocols, which are compatible with Alibaba Cloud VPN gateways. Compatible devices include those from Huawei, H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia.

  • Ensure that static public IP addresses are assigned to the gateway devices in the data center.

  • Confirm that the CIDR block of the data center does not overlap with the CIDR block of the VPC.

Procedure

Step 1: Activate ECS and VPC

Prepare the following resources. The activation guide for each is listed after it.

  • Activate and purchase ECS. Activation guide: Create instances.

    Note

    It is recommended to start with the pay-as-you-go billing method and switch to a subscription after confirming connectivity. This example uses a pay-as-you-go ecs.c5.xlarge instance (compute type, 4 vCPUs, 8 GB memory, 40 GB ultra disk).

  • Activate VPC. Activation guide: Create and manage a VPC.

Step 2: Establish a VPN connection

Step 1: Establish a connection from the VPC to the data center

This solution utilizes IPsec-VPN to create a VPN connection from the VPC to the data center, enabling interconnectivity between the two.

[Figure: IPsec-VPN connection between the VPC and the on-premises data center]

Step 2: Create a virtual private cloud

  1. Log on to the VPC Management Console.

  2. In the left-side navigation pane, click Virtual Private Cloud.

  3. On the Virtual Private Cloud page, click Create VPC.

  4. On the Create VPC page, configure the VPC based on the following information.

    VPC

    Region: Select the region based on Dataphin's location. For example, if Dataphin is in Hangzhou, choose Hangzhou as the VPC region.

    Name: Enter the VPC name, up to 128 characters; it must not start with http:// or https://. This example uses Local data center to Hangzhou VPC network.

    IPv4 CIDR Block: Specify the IPv4 CIDR block of the VPC. We recommend an RFC 1918 private CIDR block, such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. In scenarios with multiple interconnected VPCs or hybrid cloud setups, ensure there are no address conflicts. This example uses 192.168.0.0/16.

    Important: Avoid using 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as the VPC CIDR block.

    IPv6 CIDR Block: The IPv6 CIDR block allocated to the VPC consists of global unicast addresses. Instances in the VPC that have an IPv6 address can access the Internet through an IPv6 gateway. By default, this solution does not allocate an IPv6 CIDR block.

    Description: Provide a brief description of the VPC, up to 256 characters.

    Switch

    To ensure high availability across zones, create virtual switches in two different zones.

    Name: Enter the switch name, up to 128 characters. This example uses Main Switch as the name.

    Zone: A zone is an isolated location within a region with independent power and network resources; instances in the same zone communicate with low latency. For this example, select Zone H.

    IPv4 CIDR Block: The CIDR block of the switch must be a subset of the VPC CIDR block, with a mask between 16 and 29 bits, which provides 8 to 65,536 addresses. This example uses 192.168.1.0/24.

  5. Click Confirm to finalize the VPC creation.

Step 3: Create a VPN gateway

  1. In the left-side navigation pane, click VPN -> VPN Gateway.

  2. On the VPN Gateway page, click Create VPN Gateway.

  3. On the VPN Gateway purchase page, configure your VPN gateway using the information provided below.

    Instance Name: Provide the instance name of the VPN gateway.

    Resource Group: Select an existing resource group, such as Default Resource Group, to organize resources under your Alibaba Cloud account for easier management.

    Region And Zone: The VPN gateway must be in the same region as the VPC, such as China (Hangzhou).

    Gateway Type: Choose Standard.

    Network Type: The default network type is Public.

    Tunnel: The default tunnel configuration is Dual Tunnel.

    VPC: Select the VPC you created, such as Local data center to Hangzhou VPC network.

    Virtual Switch 1: Choose the primary virtual switch, such as Main Switch.

    Virtual Switch 2: Choose the secondary virtual switch, such as Backup Switch.

    Bandwidth Specification: Choose the bandwidth for data transfer over the Internet, such as the default 5 Mbps.

    IPsec-VPN: Enable the IPsec-VPN feature.

    SSL-VPN: SSL-VPN allows clients to connect to the VPC from any location. The default setting is Disabled.

    Billing Cycle: Choose the subscription duration; the default is one month.

  4. Click Buy Now and complete the payment to create the VPN gateway.

    Note

    The creation of a VPN gateway typically takes 1 to 5 minutes.

Step 4: Create a customer gateway

  1. In the left-side navigation pane, click VPN > Customer Gateway.

  2. On the Customer Gateway page, click Create Customer Gateway.

  3. In the Create Customer Gateway drawer, enter the required information as follows.

    Name: Provide a name for the customer gateway, up to 100 characters.

    IP Address: Enter the public IP address of the on-premises data center gateway device that will connect to the VPC.

    Autonomous System Number: Enter an integer from 0 to 4294967295 as the autonomous system number. Two-segment input is also supported, with each segment entered in decimal. The default is Not filled.

    Description: Provide a brief description of the customer gateway, up to 100 characters; it must not start with http:// or https://.

    Resource Group: Select an existing resource group, such as Default Resource Group, to organize resources under your Alibaba Cloud account for easier management.

    Tag: Enter the tag key and value to manage the customer gateway by tags.

  4. Click Confirm to complete the creation of the customer gateway.

Step 5: Create an IPsec connection

  1. In the left-side navigation pane, click VPN -> IPsec Connection.

  2. On the IPsec Connection page, click Create IPsec Connection.

  3. On the Create IPsec Connection page, configure the IPsec connection according to the following details.

    Name: Enter a name for the IPsec connection, up to 100 characters.

    Resource Group: Select an existing resource group, such as Default Resource Group, for streamlined management.

    Bind Resource: Choose the VPN Gateway you have created.

    VPN Gateway: Select the VPN gateway from the list.

    Routing Mode: Choose the routing mode. If you select destination-based routing, both the local and remote CIDR blocks are 0.0.0.0/0, and after the IPsec connection is established you must manually add policy-based or destination-based routes on the VPN gateway.

    Immediate Effect:

    • Yes: The connection is negotiated immediately after configuration.

    • No: The connection is negotiated when traffic is detected.

    Customer Gateway: Select the customer gateway you wish to connect to.

    Pre-shared Key: Enter the pre-shared key; it must match the key configured on the on-premises gateway device.

    Enable BGP: Enable BGP if your gateway device supports the Border Gateway Protocol (BGP). If your device does not support BGP, leave it disabled.

    Encryption Configuration, Health Check, Advanced Configuration: This solution uses the default system configuration; no modifications are required.

    Tag: Enter the tag key and value to manage the IPsec connection by tags.

  4. Click Confirm to finalize the IPsec connection setup.

Step 6: Load VPN configuration on the on-premises gateway device

  1. In the left-side navigation pane, click VPN -> IPsec Connection.

  2. On the IPsec Connection page, select the IPsec connection you created and click Download Peer Configuration under the Action column.

  3. Load the downloaded configuration onto the on-premises gateway device according to its specific requirements. For guidance, refer to Configure an on-premises gateway device.

    Important

    Note that in the downloaded configuration, 'RemotSubnet' and 'LocalSubnet' are reversed compared to the local and remote CIDR blocks specified during the IPsec connection setup. This is because the Alibaba Cloud VPN gateway's peer is the IDC's CIDR block, and the local is the VPC CIDR block. Conversely, for the on-premises gateway device, 'LocalSubnet' refers to the IDC's CIDR block, and 'RemotSubnet' refers to the Alibaba Cloud VPC's CIDR block.

Step 7: Configure VPN gateway routing

  1. In the left-side navigation pane, click VPN -> VPN Gateway.

  2. On the VPN Gateway page, select the VPN gateway and click its instance ID under the Instance ID/Name column.

  3. Navigate to the Destination Route Table tab and click Add Route Entry.

  4. In the Add Route Entry dialog, enter the destination route details as follows.

    Destination CIDR Block: Enter the private network CIDR block of the local IDC data center.

    Next Hop: Choose the IPsec-VPN connection instance as the next hop.

    Publish to VPC: Decide whether to advertise the route to the VPC route table. For this example, select Yes.

    Weight: Set the weight value of this route, such as 100.

  5. Click Confirm to apply the VPN gateway routing configuration.

Step 3: VPN connection test

  1. Log on to an ECS instance without a public IP address in the Alibaba Cloud VPC and use the ping command against the private IP address of a server in the local IDC data center to verify connectivity.

    A successful test shows 0% packet loss and an rtt avg within 10ms, indicating a stable network connection.

    [root@iZuf61cvux96rhus9ufhq0Z conf]# ping -c 100 xxx.xxx.xxx.xxx
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=61 time=7.52 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=61 time=7.38 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=61 time=7.10 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=4 ttl=61 time=7.55 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=5 ttl=61 time=7.11 ms
    ........
    --- xxx.xxx.xxx.xxx ping statistics ---
    100 packets transmitted, 100 received, 0% packet loss, time 99121ms
    rtt min/avg/max/mdev = 6.999/7.454/8.415/0.267 ms
  2. Use the telnet command to verify that the backend database port is reachable. A Connected response means the port is listening and accepts connections across the VPN.

    [root@iZuf61cvux96rhus9ufhq0Z conf]# telnet xxx.xxx.xxx.xxx 1521
    Trying xxx.xxx.xxx.xxx...
    Connected to xxx.xxx.xxx.xxx.
    Escape character is '^]'.

Step 4: Reverse proxy data source service and keepalive configuration

Step 1: Install Nginx and reverse proxy data source service

  1. SSH into the ECS instance using the following command:

    ssh root@192.168.***.1   # root is the username for logging on to the ECS instance; replace 192.168.***.1 with the ECS instance IP address.
  2. Compile and install Nginx on the ECS instance using the provided Shell commands.

    mkdir -p /usr/local/src && cd /usr/local/src   # Create the src directory and switch to it

    wget https://nginx.org/download/nginx-1.16.1.tar.gz   # Download Nginx

    tar zxvf nginx-1.16.1.tar.gz && cd /usr/local/src/nginx-1.16.1   # Extract the installation package

    yum install lrzsz python-devel gcc gcc-c++ pcre pcre-devel patch unzip zlib zlib-devel openssl openssl-devel git jemalloc -y   # Install build dependencies

    ./configure --with-http_ssl_module --with-http_stub_status_module --prefix=/usr/local/nginx --with-http_v2_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-pcre-jit --with-pcre --with-stream   # Configure the build; --with-stream is required for the Layer 4 (TCP) proxy

    make && make install   # Build and install nginx
  3. Configure Nginx to reverse proxy the data source service by following these steps:

    1. Back up the original nginx.conf file.

      cd  /usr/local/nginx/conf/ && cp nginx.conf nginx.conf.bak 
    2. Edit the nginx.conf file with vim nginx.conf and replace its content with the following configuration.

      user  nobody;
      worker_processes  8;
      events {
          worker_connections  1024;
      }
      stream {
          server {
              listen 61521 so_keepalive=on;       # Listening port, with TCP keepalive on accepted sockets; without it, long-lived connections cannot be kept open.
              proxy_pass xxx.xxx.xxx.xxx:1521;    # IP address and port of the database service in the local IDC data center to be reverse proxied. Replace them with the values of your database service.
              proxy_timeout 72h;                  # Timeout between two successive read or write operations on the proxied connection; 72 hours is recommended.
          }
      }
    3. Modify the /etc/init.d/nginx file to configure Nginx to start upon boot.

      #!/bin/sh
      #
      # nginx - this script starts and stops the nginx daemon
      #
      # chkconfig:   - 85 15
      # description:  NGINX is an HTTP(S) server, HTTP(S) reverse \
      #               proxy and IMAP/POP3 proxy server
      # processname: nginx
      # config:      /usr/local/nginx/conf/nginx.conf
      # config:      /etc/sysconfig/nginx
      # pidfile:     /var/run/nginx.pid
      # Source function library.
      . /etc/rc.d/init.d/functions
      # Source networking configuration.
      . /etc/sysconfig/network
      # Check that networking is up.
      [ "$NETWORKING" = "no" ] && exit 0
      nginx="/usr/local/nginx/sbin/nginx"
      prog=$(basename $nginx)
      # Path of the configuration file edited in the previous step.
      NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
      [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx
      lockfile=/var/lock/subsys/nginx
      make_dirs() {
         # make required directories
         user=`$nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
         if [ -z "`grep $user /etc/passwd`" ]; then
             useradd -M -s /bin/nologin $user
         fi
         options=`$nginx -V 2>&1 | grep 'configure arguments:'`
         for opt in $options; do
             if [ `echo $opt | grep '.*-temp-path'` ]; then
                 value=`echo $opt | cut -d "=" -f 2`
                 if [ ! -d "$value" ]; then
                     # echo "creating" $value
                     mkdir -p $value && chown -R $user $value
                 fi
             fi
         done
      }
      start() {
          [ -x $nginx ] || exit 5
          [ -f $NGINX_CONF_FILE ] || exit 6
          make_dirs
          echo -n $"Starting $prog: "
          daemon $nginx -c $NGINX_CONF_FILE
          retval=$?
          echo
          [ $retval -eq 0 ] && touch $lockfile
          return $retval
      }
      stop() {
          echo -n $"Stopping $prog: "
          killproc $prog -QUIT
          retval=$?
          echo
          [ $retval -eq 0 ] && rm -f $lockfile
          return $retval
      }
      restart() {
          configtest || return $?
          stop
          sleep 1
          start
      }
      reload() {
          configtest || return $?
          echo -n $"Reloading $prog: "
          killproc $nginx -HUP
          retval=$?
          echo
          return $retval
      }
      force_reload() {
          restart
      }
      configtest() {
        $nginx -t -c $NGINX_CONF_FILE
      }
      rh_status() {
          status $prog
      }
      rh_status_q() {
          rh_status >/dev/null 2>&1
      }
      case "$1" in
          start)
              rh_status_q && exit 0
              $1
              ;;
          stop)
              rh_status_q || exit 0
              $1
              ;;
          restart|configtest)
              $1
              ;;
          reload)
              rh_status_q || exit 7
              $1
              ;;
          force-reload)
              force_reload
              ;;
          status)
              rh_status
              ;;
          condrestart|try-restart)
              # Only restart if the daemon is already running.
              rh_status_q || exit 0
              restart
              ;;
          *)
              echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
              exit 2
      esac
    4. Add the Nginx service to system startup.

      chmod a+x /etc/init.d/nginx && chkconfig --add nginx && chkconfig nginx on   # Register the service by name and enable it at boot (the header's "chkconfig: - 85 15" sets no default runlevels, so --add alone does not enable it)
    5. Start the Nginx service and check its status.

      service nginx restart && service nginx status

Step 2: Test whether the reverse proxy is effective

Check if the port is listening by using the netstat command. The following output indicates that port 61521 is active and listening.

[root@iZuf61cvux96rhus9ufhq0Z conf]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:61521           0.0.0.0:*               LISTEN      1333/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1346/sshd
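The two acceptance criteria used in this guide, 0% packet loss with an average RTT within 10 ms for the VPN test and port 61521 in LISTEN state for the reverse proxy test, can be scripted so the checks are repeatable after a VPN or Nginx change. This is an added example, not part of the Dataphin documentation: the sample outputs are constructed from the sessions above, and IDC_DB_IP is a placeholder for the database host behind the VPN.

```shell
#!/bin/sh
# Added example (not from the Dataphin guide): turns the acceptance criteria of
# the VPN test (0% packet loss, average RTT within 10 ms) and of the reverse
# proxy test (port 61521 in LISTEN state) into reusable checks.

# ping_ok <ping-output>: returns 0 when the summary shows 0% packet loss and
# an average rtt of at most 10 ms, 1 otherwise.
ping_ok() {
    loss=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\)% packet loss.*/\1/p')
    avg=$(printf '%s\n' "$1" | sed -n 's#^[[:space:]]*rtt min/avg/max/mdev = [0-9.]*/\([0-9.]*\)/.*#\1#p')
    # Missing summary lines mean the host never answered or ping was interrupted.
    [ -n "$loss" ] && [ -n "$avg" ] || return 1
    [ "$loss" -eq 0 ] || return 1
    # awk does the decimal comparison that [ ] cannot.
    awk -v a="$avg" 'BEGIN { exit ((a <= 10) ? 0 : 1) }'
}

# port_listening <netstat -ntlp output> <port>: returns 0 when a TCP socket is
# bound on that port in LISTEN state, whatever the bind address (0.0.0.0 or ::).
port_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample outputs, modelled on the sessions shown in this guide.
SAMPLE_PING='--- 10.0.0.10 ping statistics ---
100 packets transmitted, 100 received, 0% packet loss, time 99121ms
rtt min/avg/max/mdev = 6.999/7.454/8.415/0.267 ms'
SAMPLE_PING_LOSSY='--- 10.0.0.10 ping statistics ---
100 packets transmitted, 80 received, 20% packet loss, time 99120ms
rtt min/avg/max/mdev = 6.999/7.454/8.415/0.267 ms'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:61521           0.0.0.0:*               LISTEN      1333/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1346/sshd'

# Live run on the ECS instance: `sh check.sh live`. IDC_DB_IP is a placeholder
# for the private address of the database host behind the VPN.
IDC_DB_IP="xxx.xxx.xxx.xxx"
run_live_checks() {
    ping_ok "$(ping -c 100 "$IDC_DB_IP" 2>&1)" || { echo "VPN link failed the ping test"; return 1; }
    port_listening "$(netstat -ntlp 2>/dev/null)" 61521 || { echo "port 61521 is not listening"; return 1; }
    echo "VPN and reverse proxy checks passed"
}
if [ "${1:-}" = "live" ]; then run_live_checks; fi
```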

Step 3: Add Dataphin to ECS security group

Add Dataphin's IP address range to the ECS security group, for example 47.xxx.xxx.182. Scope the inbound rule to that source range and to TCP port 61521 rather than opening the proxy port to all sources.

Step 4: Test whether the reverse proxy port is connected

From a host other than the Nginx proxy server, use the telnet command to test the connection to the reverse proxy port on the Nginx proxy server. The following output confirms that port 61521 is reachable.

lxxxx@liaxxxxxook-Pro:telnet xxx.xxx.xxx.xxx 61521
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

Step 5: Test whether the proxy service data source and Dataphin are connected

When setting up a data source in Dataphin, select Type as ECS(VPC) Self-managed Database. Enter the connection details and click Test Connection to verify connectivity. A successful test indicates that the connection is established and the reverse proxy is configured correctly.