DigitalOcean provides a convenient Managed Database service for those who do not want to worry about configuring and maintaining their own database clusters. It offers both SQL and NoSQL options, and can be deployed in minutes.
Managed databases are deployed into specific regions. They are accessible via both a public endpoint and the VPC they are deployed in. But what if you want to access the database over a private endpoint from other regions, or even from another cloud provider?
For instance, I have an application in Region A, but it needs data from a managed database running in Region B. What can I do?
This tutorial shows how to securely access a managed database from outside of the region in which it is deployed.
If you do not already have a Netmaker instance, deploy it in the same region as your managed database.
A DigitalOcean account. Sign up for free if you don’t already have one.
Create a Netmaker account by logging into https://dashboard.license.netmaker.io. You will need this for a free Netmaker license.
[Recommended] Prepare a dedicated subdomain for Netmaker, such as “nm.yourcompany.com.” We will use a wildcard from this subdomain for Netmaker.
Create a Netmaker Droplet
Recommended Settings: if desired, Netmaker can run with 1GB RAM, but we recommend 2GB or larger for production
Setup DNS: point the wildcard domain from the prerequisites (e.g. *.nm.yourdomain.com) to the IP of the 1-Click Droplet.
Log into your Netmaker Droplet
Upon login, you will be prompted with a series of steps to install Netmaker. You can use either Community or Enterprise, but we recommend Enterprise, since it has extra features and a generous free tier.
Once everything looks right and you’ve hit confirm, the install script will run. This will take about 5 minutes.
Log into the Netmaker dashboard and create a username and password for the Netmaker server.
If Netmaker is deployed into the same region as your managed database, skip this step.
Otherwise, you need to deploy a Node into the same Region as the DB, which will act as the Gateway to access the DB. We will refer to this machine as the “egress node” throughout the tutorial.
curl -sL 'https://apt.netmaker.org/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/netclient.asc
curl -sL 'https://apt.netmaker.org/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/netclient.list
sudo apt update
sudo apt -y install netclient
Next, join the network. In Netmaker, go to the “Access Keys” section, click on the access key, and copy the “Join” command. It should look like this:
netclient join -t anvkr48twsigahkguashleawjieg
An “egress gateway” is Netmaker terminology for a “node” (machine in the network) which routes traffic to a particular set of local addresses, for instance, a VPC, or a single machine inside a VPC. In this case, the egress gateway will route traffic to the managed database.
Make the Egress Node a trusted source for the managed server (managed DB server, settings tab, trusted sources)
Get the private subdomain for the database by looking at the connection details on the DO control panel
Get the private IP of the database using nslookup from the Egress Node: nslookup <subdomain>
Determine the interface used for the private address: ip route get <private address>
Go to your Nodes in the Netmaker dashboard
Click “Create Egress Gateway” on the Egress Node
(side note) Rather than use the database address, you can use the entire region subnet, which will make this a Gateway to the entire region. This is useful for remote access to Regions generally.
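The lookup steps above (resolve the private hostname, then find the interface that routes to it) can be scripted so the values entered into the "Create Egress Gateway" form are checked first. This is an added example, not part of the original tutorial or of Netmaker; the function names and sample addresses are constructed, and it assumes the private hostname resolves to an RFC 1918 address, refusing anything else so the public endpoint is never used as the egress range by mistake.

```shell
#!/bin/sh
# Added example: derive the egress range (/32) and interface for the managed DB.
# Usage on the egress node: ./egress-check.sh <private hostname of the database>

# Succeeds only for a well-formed IPv4 address inside 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    $1 == 10 || ($1 == 172 && $2 >= 16 && $2 <= 31) || ($1 == 192 && $2 == 168) { exit 0 }
    { exit 1 }'
}

# Reads `ip route get <addr>` output on stdin and prints the word after "dev".
route_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit } }
       END { exit !found }'
}

# $1 = resolved address, stdin = `ip route get` output.
# Prints "<addr>/32 <interface>", or fails if the address is not private
# or the route output names no interface.
egress_range() {
  is_private_ipv4 "$1" || { echo "refusing: $1 is not a private address" >&2; return 1; }
  dev=$(route_dev) || { echo "no interface found in route output" >&2; return 1; }
  printf '%s/32 %s\n' "$1" "$dev"
}

# Constructed sample of `ip route get` output (addresses are made up).
SAMPLE_ROUTE='10.110.0.5 dev eth1 src 10.110.0.2 uid 0
    cache'

if [ "$#" -ge 1 ]; then
  # Live mode: resolve the hostname, then ask the kernel which route it would use.
  addr=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
  ip route get "$addr" | egress_range "$addr"
else
  # Demo mode: run against the constructed sample.
  printf '%s\n' "$SAMPLE_ROUTE" | egress_range 10.110.0.5
fi
```
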
Confirm that the Egress Node can connect to the database normally:
sudo apt install postgresql-client-common
sudo apt install postgresql-client
psql "<connection string from VPC tab connection string dropdown on DigitalOcean managed DB server>"
If you want the Database to be accessible over Private DNS, rather than an IP address, go to the DNS tab of your Netmaker server, and add an entry, pointing it to the private IP address of the database. For instance: db.netmaker.
sudo apt install postgresql-client-common
sudo apt install postgresql-client
psql postgresql://doadmin:<password>@db.netmaker:25060/defaultdb
To access the database from anywhere in the world, follow the same steps as above; just SSH to a machine, install the Netclient, and join the network!