In a recent article, I explained how to test MySQL Database Service (aka MDS) on OCI without having to setup a VPN.
A VPN is the recommended way and of course using some man-in-the-middle exposing the MySQL Classic and X Protocol port is something you should absolutely avoid !
So, in this article we will see another way to test or use MDS without VPN but using a more secure option.
The solution uses a SSH tunnel between your machine (laptop, etc..) and OCI.
How does it work ?
We have a MDS instance (10.0.1.3), and a compute instance (10.0.0.2). The compute instance is in the public subnet and has a public IP assigned to it.
Then we open a SSH tunnel to the compute instance’s public IP that forward all traffic to a certain port on localhost (we will use 3406) to the port 3306 of the MDS instance (and 34060 for port 33060, X protocol).
Of course connections to the MySQL ports need to be allowed between the Public Subnet and the Private Subnet:
When you created the compute instance to use as jump host, you also specified a SSH public key. Usually you connect using SSH to that host with the opc user.
This time we will use the same user, the same key but we will also create a tunnel that will stay open as long as the ssh session is open:
We use the -L option of ssh to create the tunnel. We say to listen on local port 3406 and to redirect that traffic using this ssh session to the server 10.0.1.3 (the MDS instance) on port 3306. And we do the same for X protocol.
Now we can use MySQL Shell an try to connect on both ports using the MDS credentials:
If you only need to use MySQL Workbench, it’s possible to create a similar tunnel directly in Workbench to connect to MDS:
As you can see, we use the same information.
Let’s test the connection:
Wooohooo, it works \o/
This is another way to test the new MySQL Database Service without a VPN but in a safer way.
This is also a nice way if you prefer to access your MySQL Database using a GUI interface like MySQL Workbench.