
Dataphin:VPN Gateway and ECS Reverse Proxy Solution

Last Updated:Feb 12, 2026

This solution uses Alibaba Cloud Virtual Private Cloud (VPC) VPN services to establish a secure connection between your VPC and your on-premises data center. It then deploys an Alibaba Cloud Elastic Compute Service (ECS) instance as a reverse proxy to connect Dataphin to data services in your on-premises data center.

Solution Overview

  • VPN connections may break due to public network issues such as Internet jitter or packet loss. If your business requires high network reliability, consider using Alibaba Cloud Express Connect. Express Connect uses a leased line, which offers higher stability but at a higher cost. For more information, see Connection over an Express Connect circuit.

  • The VPN Gateway and ECS reverse proxy solution incurs costs only for ECS instances and VPN bandwidth. It does not require a public IP address, making it a low-cost option.

Network Architecture

The following network architecture shows how Dataphin connects through a reverse proxy on an ECS instance using a VPN Gateway:

(Figure: network architecture diagram showing Dataphin connecting through a VPN Gateway to an ECS reverse proxy and then to the on-premises data service)

Prerequisites

Before you use IPsec-VPN to connect your VPC to your on-premises data center, ensure that the following conditions are met:

  • Verify your on-premises gateway device. Alibaba Cloud VPN Gateway supports standard IKEv1 and IKEv2 protocols. Any device that supports these protocols can interconnect with the cloud-based VPN Gateway. Examples include Huawei, H3C, Hillstone, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM, and Ixia devices.

  • Your on-premises gateway device has a static public IP address configured.

  • Your on-premises data center CIDR block does not overlap with your VPC CIDR block.

Procedure

Step 1: Create an ECS Instance and a VPC

Prepare the following resources:

  • Create and purchase an ECS instance. For guidance, see Create an instance.

    Note

    We recommend starting with a pay-as-you-go instance. After confirming connectivity, switch to a subscription instance. This topic uses an ecs.c5.xlarge instance (compute-optimized, 4 vCPUs, 8 GiB memory, and a 40 GiB ultra disk) as an example.

  • Create a VPC. For guidance, see VPCs and vSwitches.

Step 2: Set Up a VPN Connection

Step 1: Connect Your VPC to Your On-Premises Data Center

This solution uses IPsec-VPN to connect your VPC to your on-premises data center. This enables communication between your on-premises data center and your VPC.

(Figure: IPsec-VPN connection between the VPC and the on-premises data center)

Step 2: Create a VPC

  1. Log on to the VPC console.

  2. In the navigation pane on the left, click Virtual Private Cloud.

  3. On the Virtual Private Cloud page, click Create Virtual Private Cloud.

  4. On the Create Virtual Private Cloud page, configure the VPC based on the following information.

    Parameter

    Description

    Virtual Private Cloud

    Region

    Select the region where Dataphin is deployed. For example, if Dataphin is deployed in the China (Hangzhou) region, select China (Hangzhou) for the VPC.

    Name

    Enter a name for the VPC. The name must be up to 128 characters in length and cannot start with http:// or https://. This topic uses Hangzhou VPC for On-Premises Data Center as an example.

    IPv4 CIDR Block

    Enter the IPv4 CIDR block for the VPC. We recommend using the RFC 1918 private address ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Plan your addresses so that they do not overlap in multi-VPC or hybrid cloud scenarios. This topic uses 192.168.0.0/16 as an example.

    Important

    You cannot use 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, or 169.254.0.0/16 as your VPC CIDR block.

    IPv6 CIDR Block

    The IPv6 CIDR block that is allocated to the VPC consists of global unicast addresses. After an instance in the VPC is assigned an IPv6 address, the instance can access the Internet through an IPv6 gateway. No IPv6 CIDR block is assigned by default. This topic uses Not Assigned.

    Description

    Enter a description for the VPC. The description must be up to 256 characters in length.

    vSwitch

    To ensure high availability across zones, create two vSwitches in different zones.

    Name

    Enter a name for the vSwitch. The name must be up to 128 characters in length. This topic uses Primary vSwitch as an example.

    Zone

    A zone is a physical location within a region that has independent power and network infrastructure. Instances in the same zone have lower network latency and faster access speeds. This topic uses Zone H as an example.

    IPv4 CIDR Block

    The vSwitch CIDR block must be a proper subset of its VPC CIDR block. The subnet mask must be between /16 and /29, providing 8 to 65,536 IP addresses. This topic uses 192.168.1.0/24 as an example.

  5. Click OK to complete the VPC creation.

Step 3: Create a VPN Gateway

  1. In the navigation pane on the left, click VPN and then click VPN Gateway.

  2. On the VPN Gateway page, click Create VPN Gateway.

  3. On the VPN Gateway purchase page, configure the VPN Gateway based on the following information.

    Parameter

    Description

    Instance Name

    Enter a name for the VPN Gateway instance.

    Resource Group

    Select an existing resource group to manage resources under your Alibaba Cloud account. You can use resource groups to manage permissions, deploy resources, and monitor resources without handling each resource individually. For example, select Default Resource Group.

    Region and Zone

    Ensure that the VPC and VPN Gateway are in the same region. Select China (Hangzhou).

    Gateway Type

    Select Standard.

    Network Type

    Default: Internet.

    Tunnel

    Default: Dual Tunnel.

    VPC

    Select Hangzhou VPC for On-Premises Data Center.

    vSwitch 1

    Select Primary vSwitch.

    vSwitch 2

    Select Secondary vSwitch.

    Bandwidth Specification

    Select a bandwidth specification. This is the Internet bandwidth available to the VPN Gateway. Default: 5 Mbit/s.

    IPsec-VPN

    Select Enable IPsec-VPN.

    SSL-VPN

    SSL-VPN lets you connect a single computer from any location to your VPC. Default: Disabled.

    Billing Cycle

    Select the subscription duration. Default: One month.

  4. Click Buy Now and complete payment to create the VPN Gateway.

    Note

    Creating a VPN Gateway usually takes 1 to 5 minutes.

Step 4: Create a Customer Gateway

  1. In the navigation pane on the left, click VPN and then click Customer Gateway.

  2. On the Customer Gateway page, click Create Customer Gateway.

  3. On the Create Customer Gateway panel, configure the customer gateway based on the following information.

    Parameter

    Description

    Name

    Enter a name for the customer gateway. The name must be up to 100 characters in length.

    IP Address

    Enter the public IP address of your on-premises gateway device.

    Autonomous System Number (ASN)

    Enter an integer from 0 to 4294967295. You can also enter the ASN as two 16-bit segments, using decimal notation for each segment. Default: Not specified.

    Description

    Enter a description for the customer gateway. The description must be up to 100 characters in length and cannot start with http:// or https://.

    Resource Group

    Select an existing resource group to manage resources under your Alibaba Cloud account. You can use resource groups to manage permissions, deploy resources, and monitor resources without handling each resource individually. For example, select Default Resource Group.

    Tag

    Enter a tag key and tag value. Attach tags to the customer gateway for easier management later.

  4. Click Confirm to complete the customer gateway creation.

Step 5: Create an IPsec-VPN Connection

  1. In the navigation pane on the left, click VPN and then click IPsec-VPN Connections.

  2. On the IPsec-VPN Connections page, click Create IPsec-VPN Connection.

  3. On the Create IPsec-VPN Connection page, configure the IPsec-VPN connection based on the following information.

    Parameter

    Description

    Name

    Enter a name for the IPsec-VPN connection. The name must be up to 100 characters in length.

    Resource Group

    Select an existing resource group to manage resources under your Alibaba Cloud account. You can use resource groups to manage permissions, deploy resources, and monitor resources without handling each resource individually. For example, select Default Resource Group.

    Bound Resource

    Select VPN Gateway.

    VPN Gateway

    Select the VPN Gateway you created.

    Routing Mode

    If you select destination-based routing, both local and remote CIDR blocks are set to 0.0.0.0/0. After creating the IPsec-VPN connection, manually add policy-based or destination-based routes in the VPN Gateway.

    Effective Immediately

    • Yes: Negotiation starts immediately after configuration.

    • No: Negotiation starts when traffic arrives.

    Customer Gateway

    Select the customer gateway to connect to.

    Pre-Shared Key

    Enter a shared key. This key must match the pre-shared key on your on-premises gateway device.

    Enable BGP

    Your gateway device must support Border Gateway Protocol (BGP). Do not enable BGP if your customer gateway device does not support it. Default: Disabled.

    Encryption Configuration, Health Check, Advanced Configuration

    This solution uses the default configurations. No changes are needed.

    Tag

    Enter a tag key and tag value. Attach tags to the IPsec-VPN connection for easier management later.

  4. Click OK to create the IPsec-VPN connection.

Step 6: Load the VPN Configuration on Your On-Premises Gateway Device

  1. In the navigation pane on the left, click VPN and then click IPsec-VPN Connections.

  2. On the IPsec-VPN Connections page, select the IPsec-VPN connection you created and click Download Configuration in the Actions column.

  3. Add the downloaded configuration to your on-premises gateway device according to its requirements. For configuration instructions, see Configure an H3C firewall.

    Important

    In the downloaded configuration, the values of RemoteSubnet and LocalSubnet are reversed compared to those used when creating the IPsec-VPN connection. In Alibaba Cloud VPN Gateway, RemoteSubnet refers to your on-premises IDC CIDR block and LocalSubnet refers to your VPC CIDR block. On your on-premises gateway device, LocalSubnet refers to your on-premises IDC CIDR block and RemoteSubnet refers to your Alibaba Cloud VPC CIDR block.

Step 7: Configure Routes for the VPN Gateway

  1. In the navigation pane on the left, click VPN and then click VPN Gateway.

  2. On the VPN Gateway page, select the target VPN Gateway and click its ID in the Instance ID/Name column.

  3. On the Destination Route Table tab, click Create Route.

  4. On the Create Route page, configure the route based on the following information.

    Parameter

    Description

    Destination CIDR Block

    Enter the private network CIDR block of your on-premises data center.

    Next Hop

    Select the IPsec-VPN connection instance.

    Publish to VPC

    Choose whether to publish the new route to the VPC route table. In this example, select Yes.

    Weight

    Select a weight value. In this example, select 100.

  5. Click OK to complete the VPN Gateway route configuration.

Step 3: Test the VPN Connection

  1. Log on to an ECS instance in your Alibaba Cloud VPC that has no public IP address. Run the ping command to ping a private IP address of a server in your on-premises data center. Verify that communication is normal.

    If the packet loss is 0% and the rtt avg is less than 10 ms, the network is healthy.

    [root@iZuf61cvux96rhus9ufhq0Z conf]# ping -c 100 xxx.xxx.xxx.xxx
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=61 time=7.52 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=61 time=7.38 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=61 time=7.10 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=4 ttl=61 time=7.55 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=5 ttl=61 time=7.11 ms
    ........
    --- xxx.xxx.xxx.xxx ping statistics ---
    100 packets transmitted, 100 received, 0% packet loss, time 99121ms
    rtt min/avg/max/mdev = 6.999/7.454/8.415/0.267 ms
  2. Use the telnet command to verify the backend server port status. If you see the response shown below, the port is listening.

    [root@iZuf61cvux96rhus9ufhq0Z conf]# telnet xxx.xxx.xxx.xxx 1521
    Trying xxx.xxx.xxx.xxx...
    Connected to xxx.xxx.xxx.xxx.
    Escape character is '^]'.

Step 4: Configure Reverse Proxy for Data Sources and Keepalive

Step 1: Install NGINX and Configure Reverse Proxy for Data Sources

  1. Use SSH to log on to the ECS instance. Example command:

    ssh root@192.168.***.1   # root is the username for logging on to the ECS instance. Replace 192.168.***.1 with the actual IP address of your ECS instance.
  2. In the shell terminal, run the following commands to compile and install NGINX.

    mkdir -p /usr/local/src && cd /usr/local/src   # Create the src directory and switch to it
    wget https://nginx.org/download/nginx-1.16.1.tar.gz   # Download NGINX
    tar zxvf nginx-1.16.1.tar.gz && cd /usr/local/src/nginx-1.16.1   # Extract the installation package
    yum install lrzsz python-devel gcc gcc-c++ pcre pcre-devel patch unzip zlib zlib-devel openssl openssl-devel git jemalloc -y   # Install dependency packages
    ./configure --with-http_ssl_module --with-http_stub_status_module --prefix=/usr/local/nginx --with-http_v2_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-pcre-jit --with-pcre --with-stream   # Configure the NGINX build. Note: the stream module must be enabled for Layer 4 proxy support.
    make && make install   # Build and install NGINX
  3. After successfully installing NGINX, configure NGINX to reverse proxy data sources by following these steps.

    1. Back up the nginx.conf configuration file.

      cd /usr/local/nginx/conf/ && cp nginx.conf nginx.conf.bak
    2. Edit the configuration file using vim nginx.conf and replace it with the following configuration.

      user  nobody;
      worker_processes  8;
      events {
          worker_connections  1024;
      }
      stream {
          server {
              listen 61521 so_keepalive=on;      # Listening port with TCP socket keepalive enabled. Without keepalive, long-lived connections are dropped.
              proxy_pass xxx.xxx.xxx.xxx:1521;   # IP address and port of the database service in your on-premises data center (no space before the colon). Replace with your actual values.
              proxy_timeout 72h;                 # Proxy idle timeout. We recommend 72 hours.
          }
      }
    3. Create the service script /etc/init.d/nginx (for example, with vim /etc/init.d/nginx) so that NGINX can be managed as a service and started automatically at boot. Use the following content.

      #!/bin/sh
      #
      # nginx - this script starts and stops the nginx daemon
      #
      # chkconfig:   - 85 15
      # description:  NGINX is an HTTP(S) server, HTTP(S) reverse \
      #               proxy and IMAP/POP3 proxy server
      # processname: nginx
      # config:      /usr/local/nginx/conf/nginx.conf
      # config:      /etc/sysconfig/nginx
      # pidfile:     /var/run/nginx.pid

      # Source function library.
      . /etc/rc.d/init.d/functions

      # Source networking configuration.
      . /etc/sysconfig/network

      # Check that networking is up.
      [ "$NETWORKING" = "no" ] && exit 0

      nginx="/usr/local/nginx/sbin/nginx"
      prog=$(basename $nginx)

      # Path of the nginx.conf edited in the previous step (matches the --prefix used at build time).
      NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

      [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

      lockfile=/var/lock/subsys/nginx

      make_dirs() {
         # Create the run-time user and temp-path directories that the build was configured with.
         # If the build has no --user= option (as in this topic), $user is empty and no account is created;
         # the user directive in nginx.conf (nobody) is used instead.
         user=$($nginx -V 2>&1 | sed -n 's/.*--user=\([^ ]*\).*/\1/p')
         if [ -n "$user" ] && ! id "$user" >/dev/null 2>&1; then
             useradd -M -s /bin/nologin "$user"
         fi
         options=$($nginx -V 2>&1 | grep 'configure arguments:')
         for opt in $options; do
             if [ "$(echo "$opt" | grep '.*-temp-path')" ]; then
                 value=$(echo "$opt" | cut -d "=" -f 2)
                 if [ ! -d "$value" ]; then
                     mkdir -p "$value" && chown -R "$user" "$value"
                 fi
             fi
         done
      }

      start() {
          [ -x $nginx ] || exit 5
          [ -f $NGINX_CONF_FILE ] || exit 6
          make_dirs
          echo -n $"Starting $prog: "
          daemon $nginx -c $NGINX_CONF_FILE
          retval=$?
          echo
          [ $retval -eq 0 ] && touch $lockfile
          return $retval
      }

      stop() {
          echo -n $"Stopping $prog: "
          killproc $prog -QUIT
          retval=$?
          echo
          [ $retval -eq 0 ] && rm -f $lockfile
          return $retval
      }

      restart() {
          configtest || return $?
          stop
          sleep 1
          start
      }

      reload() {
          configtest || return $?
          echo -n $"Reloading $prog: "
          killproc $nginx -HUP
          retval=$?
          echo
          return $retval
      }

      force_reload() {
          restart
      }

      configtest() {
        $nginx -t -c $NGINX_CONF_FILE
      }

      rh_status() {
          status $prog
      }

      rh_status_q() {
          rh_status >/dev/null 2>&1
      }

      case "$1" in
          start)
              rh_status_q && exit 0
              $1
              ;;
          stop)
              rh_status_q || exit 0
              $1
              ;;
          restart|configtest)
              $1
              ;;
          reload)
              rh_status_q || exit 7
              $1
              ;;
          force-reload)
              force_reload
              ;;
          status)
              rh_status
              ;;
          condrestart|try-restart)
              # Restart only if NGINX is already running.
              rh_status_q || exit 0
              restart
              ;;
          *)
              echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
              exit 2
      esac
    4. Make the script executable, register it with chkconfig, and enable it at boot. The script header uses "chkconfig: - 85 15", so chkconfig --add alone does not enable any run level; chkconfig nginx on is also required.

      chmod a+x /etc/init.d/nginx && chkconfig --add nginx && chkconfig nginx on
    5. Restart NGINX and confirm that it is running. (Running status before restart would stop the chain when NGINX is not yet started, so check the status after the restart.)

      service nginx restart && service nginx status

Step 2: Test Whether the Reverse Proxy Is Working

Use the netstat command to check whether the port is listening. In the example below, port 61521 is listening.

[root@iZuf61cvux96rhus9ufhq0Z conf]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:61521           0.0.0.0:*               LISTEN      1333/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1346/sshd

Step 3: Add Dataphin IP Ranges to the ECS Security Group

In the Alibaba Cloud ECS security group, add the Dataphin IP ranges.
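The security group is the primary control, but the stream server from Step 1 listens on all interfaces and accepts any client the security group lets through. As an added example (not from the Dataphin documentation), the same nginx.conf can enforce the Dataphin ranges a second time at Layer 4 and log every proxied session, so a security group mistake does not silently expose the database port. The 203.0.113.0/24 and 198.51.100.0/24 ranges are placeholders for the Dataphin IP ranges, and xxx.xxx.xxx.xxx:1521 is the on-premises database as in the page.

```nginx
user  nobody;
worker_processes  auto;
error_log  logs/error.log  warn;

events {
    worker_connections  1024;
}

stream {
    # One line per proxied session: client, outcome, upstream, bytes and duration.
    log_format proxy '$remote_addr [$time_local] $protocol $status '
                     'up=$upstream_addr sent=$bytes_sent rcvd=$bytes_received '
                     'dur=$session_time';
    access_log logs/stream-access.log proxy;

    server {
        listen 61521 so_keepalive=on;

        # Layer 4 allow list (ngx_stream_access_module): replace the placeholder
        # ranges with the Dataphin IP ranges that you added to the security group.
        # Any other source is refused before a connection to the database is opened.
        allow 203.0.113.0/24;    # placeholder for a Dataphin IP range
        allow 198.51.100.0/24;   # placeholder for a Dataphin IP range
        deny  all;

        proxy_pass xxx.xxx.xxx.xxx:1521;   # on-premises database service (placeholder)
        proxy_connect_timeout 10s;         # fail fast when the VPN tunnel is down
        proxy_timeout 72h;
    }
}
```

Run /usr/local/nginx/sbin/nginx -t after editing and then service nginx reload; refused sources appear in stream-access.log with status 403.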

Step 4: Test Connectivity to the Reverse Proxy Port

From any server other than the NGINX proxy server, use the telnet command to connect to the NGINX proxy server. Confirm the port status. In the example below, port 61521 is reachable.

lxxxx@liaxxxxxook-Pro: telnet xxx.xxx.xxx.xxx 61521
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
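The checks in Step 3 (ping loss and rtt avg) and in Steps 2 and 4 of this section (port 61521 listening and reachable) are read by eye above. The following added example, not part of the Dataphin documentation, scripts them so they can run from cron or a monitor: ping_healthy applies the page's thresholds (0% loss, average RTT below 10 ms) to ping's summary lines, and port_open repeats the telnet check without an interactive session. The sample ping summaries are constructed, and the xxx.xxx.xxx.xxx address in main is the page's placeholder.

```shell
#!/bin/sh
# Added example: automate the VPN and reverse-proxy connectivity checks.

LOSS_MAX=0        # percent; the page requires 0% packet loss
RTT_AVG_MAX=10    # milliseconds; the page requires rtt avg below 10 ms

# ping_healthy: read ping output on stdin; return 0 if it meets the thresholds,
# 1 if it does not, 2 if the summary lines are missing (ping was interrupted).
ping_healthy() {
    awk -v loss_max="$LOSS_MAX" -v rtt_max="$RTT_AVG_MAX" '
        /packet loss/ {
            # "100 packets transmitted, 100 received, 0% packet loss, time 99121ms"
            for (i = 1; i <= NF; i++) if ($i ~ /%$/) { sub(/%/, "", $i); loss = $i + 0 }
            have_loss = 1
        }
        /^rtt min\/avg\/max/ {
            # "rtt min/avg/max/mdev = 6.999/7.454/8.415/0.267 ms"
            split($4, v, "/"); avg = v[2] + 0; have_rtt = 1
        }
        END {
            if (!have_loss || !have_rtt) exit 2
            if (loss <= loss_max && avg < rtt_max) exit 0
            exit 1
        }'
}

# port_open HOST PORT: return 0 if a TCP connection succeeds within 3 seconds.
# Uses bash /dev/tcp so it works on an ECS image without telnet or nc installed.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Constructed sample summaries in the format shown on this page.
SAMPLE_OK='--- 10.0.0.1 ping statistics ---
100 packets transmitted, 100 received, 0% packet loss, time 99121ms
rtt min/avg/max/mdev = 6.999/7.454/8.415/0.267 ms'

SAMPLE_BAD='--- 10.0.0.1 ping statistics ---
100 packets transmitted, 97 received, 3% packet loss, time 99121ms
rtt min/avg/max/mdev = 6.999/12.454/40.415/3.267 ms'

main() {
    if printf '%s\n' "$SAMPLE_OK" | ping_healthy; then echo "sample: tunnel healthy"; fi
    if ! printf '%s\n' "$SAMPLE_BAD" | ping_healthy; then echo "sample: tunnel degraded"; fi
    # Live checks (placeholder address from the page): VPN path, then the proxy port.
    # ping -c 100 xxx.xxx.xxx.xxx | ping_healthy && port_open xxx.xxx.xxx.xxx 61521
}

main "$@"
```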

Step 5: Test Connectivity Between Dataphin and the Proxied Data Source

When creating a data source in Dataphin, set Type to ECS (VPC) Self-Managed Database. Enter the connection details and click Test Connection to test connectivity. If the test succeeds, the connection is working and the reverse proxy is configured correctly.