Connecting On-Prem Databases to Looker Core through a secure mTLS Tunnel: A Deep Dive into Network Design
Looker Core, Google Cloud’s managed service for business intelligence and data analytics, offers a powerful platform for exploring and visualizing your data. However, when your databases reside on-premises, connecting them to your Looker Core instance requires careful network configuration. This blog post explores the intricacies of network design for Looker Core, focusing on solutions for on-premises database connectivity.
Understanding Looker Core Deployment
Looker Core operates within a Google Managed VPC, a secure and isolated environment within Google Cloud. This design enhances security but introduces challenges for accessing resources outside this VPC, such as your on-premises databases.
What is Stunnel?
Stunnel is an open-source tool that acts as a secure tunnel, adding TLS/SSL encryption to network connections for applications lacking built-in security. It intercepts connections, establishes an encrypted tunnel using TLS/SSL, and forwards the protected data to the server, effectively shielding the communication from eavesdropping or tampering. This is particularly useful for securing legacy applications, protecting sensitive data like database connections, and even creating VPNs. Importantly, Stunnel supports mutual TLS (mTLS) connectivity, where both the client and server authenticate each other using digital certificates, providing an extra layer of security by verifying the identities of both parties involved in the communication.
For our use case we will consider a MySQL database hosted on-prem and a Looker Core instance provisioned on GCP. We will set up a secure mTLS connection from Looker Core to the on-prem MySQL database.
Connectivity Solutions
Two primary approaches address this challenge:
1. Looker Core Public Instance
- Proxy VM: A public Looker Core instance lacks direct connectivity to your on-premises network. To bridge this gap, you need a proxy VM. This intermediary virtual machine, deployed as a Google Compute Engine (GCE) instance with an external IP address, acts as a secure conduit.
- Stunnel: This third-party tool plays a crucial role in establishing secure connections. Installed on the proxy VM, the Stunnel client establishes mutual TLS (mTLS) connections, ensuring encrypted communication between your VPC and your on-premises databases. Your team will need to obtain a certificate and key from a certificate authority (CA). Following this, you configure the Stunnel client on the VM to establish this secure link.
- Database Connection: Within your Looker Core instance, you simply provide the external IP address of the proxy VM to establish the database connection.
2. Looker Core Public+Private Instance
This configuration leverages Private Service Access (PSA) to enable private connectivity between your on-premises network and the Google Managed VPC. PSA requires an Allocated IP Range from your VPC, allowing resources within the Google Managed VPC to use these private IP addresses.
- Proxy VM: Similar to the public instance setup, a proxy VM is required within your VPC. However, with PSA, this VM doesn’t need an external IP address because private connectivity is already established.
- Stunnel: Stunnel is again essential for setting up secure mTLS connections between your VPC and on-premises databases. The certificate and key have to be generated and the Stunnel client configuration has to be set up.
- Database Connection: In your Looker Core instance, you provide the internal IP address of the proxy VM to establish the database connection.
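As an added example (not configuration from the original post), here is what the Stunnel client configuration on the proxy VM and the matching Stunnel server configuration in front of the on-prem MySQL instance look like for the mTLS link described in both setups above. The file paths, IP addresses, ports and the host name in the server certificate are assumptions; substitute your own values. They are two separate files, shown together only for readability.

```ini
; ===== File 1: proxy VM in GCP, /etc/stunnel/looker-client.conf (assumed path) =====
; Looker Core connects to the proxy VM on 3306 (the IP you enter in the Looker
; database connection). Stunnel wraps that session in mTLS and forwards it to
; the on-prem Stunnel server. Restrict port 3306 to the Looker Core source
; range with a VPC firewall rule; it is plaintext MySQL until it enters the tunnel.
pid = /var/run/stunnel-looker.pid
sslVersionMin = TLSv1.2

[mysql-onprem]
client = yes
accept  = 0.0.0.0:3306                       ; local listener used by Looker Core
connect = 203.0.113.10:3307                  ; on-prem Stunnel server (assumed address)
cert    = /etc/stunnel/certs/proxy-client.crt ; client certificate issued by your CA
key     = /etc/stunnel/certs/proxy-client.key ; keep mode 0600, owned by the stunnel user
CAfile  = /etc/stunnel/certs/ca.crt           ; CA that signed the on-prem server certificate
verifyChain = yes                            ; validate the server chain against CAfile
checkHost   = db-tunnel.example.internal     ; server certificate must carry this name (assumed)

; ===== File 2: on-prem host, /etc/stunnel/mysql-server.conf (assumed path) =====
; Terminates the mTLS tunnel and hands plaintext MySQL to the local database.
; MySQL itself should listen on 127.0.0.1 only, so the tunnel is the sole entry point.
pid = /var/run/stunnel-mysql.pid
sslVersionMin = TLSv1.2

[mysql-onprem]
accept  = 0.0.0.0:3307                       ; reached by the proxy VM (filter to its IP)
connect = 127.0.0.1:3306                     ; local MySQL listener
cert    = /etc/stunnel/certs/db-server.crt    ; server certificate issued by the same CA
key     = /etc/stunnel/certs/db-server.key
CAfile  = /etc/stunnel/certs/ca.crt
verifyChain = yes                            ; client certificate must chain to the CA
requireCert = yes                            ; refuse clients that present no certificate
```

Without `requireCert = yes` on the server side, Stunnel still accepts clients that send no certificate at all, so the tunnel would only be one-way authenticated; that option is what turns the link into true mTLS.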
Key Considerations
- Egress and Ingress: A public Looker Core instance allows both ingress and egress traffic through its public IP. In contrast, a public+private instance restricts the public IP to ingress traffic only.
- Git Connectivity: The ingress-only nature of the public IP in a public+private setup can pose challenges for connecting to Git repositories, which often require outbound connections.