This topic describes how to use the fdw extension of PostgreSQL to allow an ApsaraDB RDS for PostgreSQL instance to access an external database that has public IP addresses.
Background information
ApsaraDB RDS for PostgreSQL supports the fdw extension to enable an RDS instance to access an external database that runs a database engine such as MySQL, SQL Server, PostgreSQL, or Redis. An RDS instance is created in a virtual private cloud (VPC). To access database services that are accessible over the Internet, you must configure an Internet NAT gateway for your RDS instance and associate an elastic IP address (EIP) with the Internet NAT gateway.
This topic describes how to configure an Internet NAT gateway and associate an EIP with the Internet NAT gateway to enable your RDS instance to access a database over the Internet. In addition, you can configure SNAT rules for the NAT gateway to allow only outbound connections from the RDS instance to the Internet. Your RDS instance does not provide services over the Internet or cannot be accessed over the Internet. This way, you can ensure the network security of your RDS instance.
For more information about Internet NAT gateways and SNAT, see Use the SNAT feature of an Internet NAT gateway to access the Internet.
Prerequisites
An external database that has public IP addresses is available. The database can run MySQL, SQL Server, PostgreSQL, or Redis.
An RDS instance is created. For more information, see Create an ApsaraDB RDS for PostgreSQL instance.
ImportantThe following extensions are required to enable your RDS instance to access the external database. Make sure that your RDS instance supports the extensions. For more information about the extensions that are supported by each PostgreSQL version, see Supported extensions.
MySQL: mysql_fdw
SQL Server: tds_fdw
PostgreSQL: postgres_fdw
Redis: redis_fdw
Accounts are created for the external database and your RDS instance.
For more information about how to create an account for the external database, see the official documentation of each database engine.
For more information about how to create an account for your RDS instance, see Create an account.
Data is created for the external database.
Procedure
Configure an Internet NAT gateway
Create a NAT gateway.
Log on to the NAT Gateway console.
On the Internet NAT Gateway page, click Create Internet NAT Gateway.
Optional. In the Create Service-Linked Role section of the Internet NAT Gateway page, click Create Service-Linked Role to create a service-linked role. If this is the first time you create an Internet NAT gateway, this step is required. After the service-linked role is created, you can create Internet NAT gateways.
On the buy page, configure the following parameters and click Buy Now.
NoteThe following table describes only key parameters. For more information about all parameters, see Use the SNAT feature of an Internet NAT gateway to access the Internet.
Parameter
Description
Region
Select the region in which you want to create the Internet NAT gateway. The region must be the same as the region of your RDS instance.
VPC
Select the VPC to which the Internet NAT gateway belongs. The VPC must be the same as the VPC of your RDS instance. You can go to the Database Connection page of the ApsaraDB RDS console to view the VPC of your RDS instance.
Associate vSwitch
Select the vSwitch to which the Internet NAT gateway belongs. The vSwitch must be the same as the vSwitch of your RDS instance. You can go to the Database Connection page of the ApsaraDB RDS console to view the vSwitch of your RDS instance.
Access Mode
In this example, Configure Later is selected.
On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.
You can find the Internet NAT gateway on the Internet NAT Gateway page.
Associate an EIP with the Internet NAT gateway.
On the Internet NAT Gateway page, find the new Internet NAT gateway and click its ID to go to the Basic Information tab.
On the Associated Elastic IP Address tab, click Bind Elastic IP Address.
In the Associate EIP dialog box, select Purchase and Associate EIP.
Click OK.
After you associate an EIP with the Internet NAT gateway, the EIP is displayed on the Associated Elastic IP Address tab.
Create SNAT Entry
On the Internet NAT Gateway page, find the new Internet NAT gateway and click its ID to go to the Basic Information tab.
On the SNAT Management tab, click Create SNAT Entry.
On the Create SNAT Entry page, configure the following parameters and click OK.
Parameter
Description
SNAT Entry
Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. In this example, Specify vSwitch is selected. This option specifies that only RDS instances that are attached to a specified vSwitch can access the Internet by using a specified public IP address.
Select vSwitch
Select the vSwitch of your RDS instance from the drop-down list.
Select EIP
Select one or more EIPs to access the Internet. In this example, a single EIP is selected from the drop-down list.
After the SNAT entry is created, you can view the SNAT entry in the SNAT Entry List section.
Configure the external database
You must configure a whitelist for the external database to allow access from the EIP that is associated with the Internet NAT gateway.
If the external database runs MySQL, configure the external database based on Privileges Provided by MySQL.
If the external database runs PostgreSQL, configure the external database based on The pg_hba.conf File.
If the external database runs SQL Server, configure the external database based on Configure the Windows Firewall to Allow SQL Server Access.
If the external database runs Redis, use firewalls to specify the ports that the EIP can access. For example, you can install iptables in CentOS and run the following command:
iptables -A INPUT -s <EIP that is assoicated with the Internet NAT gateway> -p tcp --dport <Redis port number> -j ACCEPT
Configure your RDS instance
Connect to the ApsaraDB RDS for PostgreSQL instance. For more information, see Connect to an ApsaraDB RDS for PostgreSQL instance.
Create an extension.
NoteIn this example, a mysql_fdw extension is created for the external database that runs MySQL.
CREATE EXTENSION mysql_fdw;Create a server definition for the external database.
CREATE SERVER <Server name> FOREIGN DATA WRAPPER mysql_fdw OPTIONS ( host '<Public IP address of the external database>', port '<Port number of the external database>' );In this example, the external database runs MySQL, and you must execute the following statement:
CREATE SERVER mysql_server80 FOREIGN DATA WRAPPER mysql_fdw OPTIONS ( host 'XX.XX.XX.XX', port '3306' );Create a user mapping to map the MySQL server definition to a user of your RDS instance. Then, use the user to access the external MySQL database.
CREATE USER MAPPING FOR <Username of your RDS instance> SERVER <Name of the created server> OPTIONS ( username '<Username of the external database>', password '<Password of the external database>' );Sample statement:
CREATE USER MAPPING FOR pg_client SERVER mysql_server80 OPTIONS ( username 'testuser', password 'U123456!' );Create a foreign table.
CREATE FOREIGN TABLE <Name of the foreign table> ( id int, name varchar(10) ) SERVER <Name of the created server> OPTIONS ( dbname '<Name of the external database>', table_name '<Name of the table in the external database>' );Sample statement:
CREATE FOREIGN TABLE mysql_fdw_test ( id int, name varchar(10) ) SERVER mysql_server80 OPTIONS ( dbname 'testdb', table_name 'test' );Test the connectivity.
After you complete the preceding configuration, your RDS instance can access the table in the external database.
In this example, a foreign table named
mysql_fdw_testis created. You can directly query the foreign table from your RDS instance to obtain the data in the external database.SELECT * FROM mysql_fdw_test;