Connect to DigitalOcean Managed Databases from Anywhere, Securely

Overview

DigitalOcean provides a convenient Managed Database service for those who do not want to worry about configuring and maintaining their own database clusters. It offers both SQL and NoSQL options, and can be deployed in minutes.

Managed databases are deployed into specific regions. They are accessible via both a public endpoint and the VPC they are deployed in, but what if you want to access the database over a private endpoint from other regions, or even from another cloud provider.

For instance, I have an application in Region A, but it needs data from a managed database running in Region B. What can I do?

This tutorial shows how to securely access a managed database from outside of the region in which it is deployed.

Prerequisites

1. If you have not already, create a managed database. In our example, we use Postgres.
2. Deploy Netmaker

Deploy Netmaker

If you do not already have a Netmaker instance, deploy it in the same region as your managed database.

1. A DigitalOcean account. Sign up for free if you don’t already have one.

2. Create a Netmaker account by logging into https://dashboard.license.netmaker.io. You will need this for a free Netmaker license.

3. [Recommended] Prepare a dedicated subdomain for Netmaker, such as “nm.yourcompany.com.” We will use a wildcard from this subdomain for Netmaker.

4. Visit https://marketplace.digitalocean.com/apps/netmaker

5. Create a Netmaker Droplet

   Recommended Settings: if desired, Netmaker can run with 1GB RAM, but we recommend 2GB or larger for production

6. Setup DNS: point the wildcard domain from the prerequisites (e.g. *.nm.yourdomain.com) to the IP of the 1-Click Droplet.

7. Log into your Netmaker Droplet

8. Upon login, you will be prompted with a series of steps to install Netmaker. You can use either Community or Enterprise, but we recommend Enterprise, since it has extra features and a generous free tier.

9. Once everything looks right and you’ve hit confirm, the install script will run. This will take about 5 minutes.

10. Log into the Netmaker dashboard and create a username and password for the Netmaker server.

Create Egress Node

If Netmaker is deployed into the same region as your managed database, skip this step.

Otherwise, you need to deploy a Node into the same Region as the DB, which will act as the Gateway to access the DB. We will refer to this machine as the “egress node” throughout the tutorial.

1. Deploy a small Droplet in the Database region, or use an existing droplet.
2. Use the steps to install Netclient. For instance, on Debian distros:

curl -sL 'https://apt.netmaker.org/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/netclient.asc
curl -sL 'https://apt.netmaker.org/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/netclient.list
sudo apt update
sudo apt -y install netclient

Next, join the network. In Netmaker, go to the “Access Keys” section, click on the access key, and copy the “Join” command. It should look like this:

netclient join -t anvkr48twsigahkguashleawjieg

Set Up the Egress Gateway

An “egress gateway” is Netmaker terminology for a “node” (machine in the network) which routes traffic to a particular set of local addresses, for instance, a VPC, or a single machine inside a VPC. In this case, the egress gateway will route traffic to the managed database.

1. Make the Egress Node a trusted source for the managed server (managed DB server, settings tab, trusted sources)

2. Get the private subdomain for the database by looking at the connection details on the DO control panel

3. Get the private IP of the database using nslookup from the Egress Node: nslookup <subdomain>

4. Determine the interface used for the private address: ip route get < private address>

5. Go to your Nodes In the Netmaker dashboard

6. Click “Create Egress Gateway” on the Egress Node

   1. For interface, enter the interface from above
   2. For Range, enter the private IP + /32 (e.g. 172.17.0.5/32)

   (side note) Rather than use the database address, you can use the entire region subnet, which will make this a Gateway to the entire region. This is useful for remote access to Regions generally.

7. Confirm that the Egress Node can connect to database normally:

   1. sudo apt install postgresql-client-common
   2. sudo apt install postgresql-client
   3. psql “< connection string from VPC tab connection string dropdown on DigitalOcean managed DB server>”

[Optional] Private DNS

If you want the Database to be accessible over Private DNS, rather than an IP address, go to the DNS tab of your Netmaker server, and add an entry, pointing it to the private IP address of the database. For instance: db.netmaker.

Access the DB from a Droplet In a Different VPC

1. In a different VPC, SSH to the target droplet
2. Install the Netclient using the same instructions from Create Egress Node.
3. Confirm that the new droplet can now connect to the DB
   1. sudo apt install postgresql-client-common
   2. sudo apt install postgresql-client
   3. Use a modified connection string, replacing the DB’s private address with it’s IP address or DNS name, for instance: psql postgresql://doadmin:<password>@db.netmaker:25060/defaultdb

Access the DB from a Machine Outside of DigitalOcean

To access the database from anywhere in the world, follow the same steps as above; just SSH to a machine, install the Netclient, and join the network!