GAP Documentation

Connecting to DWH using an egress gateway

Introduction

Connecting to the DWH Azure DB from GAP is not straightforward, due to the firewall rules enabled on the host of the DB. These rules only allow connections from a whitelisted range of IP addresses. GAP has a pool of nodes that have whitelisted static IP addresses, thus enabling connections to the DB.

In this guide, we are going to:

  • make sure request encryption is enabled in the source application
  • add a pod-level label to the source application’s gap.yaml
  • create a ticket for the GAP team to export the routing rules to the application’s namespace as well

Step 1

The TCP connection from your source application needs to be encrypted. The connection will not be terminated within the service mesh, so there will be no second mTLS layer wrapping the original request. The encryption configured by your application is the only protection the traffic has in transit.

Make sure to enable the encrypt option in your connection string.

Example:

Driver={ODBC Driver 18 for SQL Server};Server=tcp:emarsyscdi.database.windows.net,1433;Database=DWH;UID={USERNAME};PWD={PASSWORD};Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;

Step 2

The routing rules that direct traffic from your source application through the egress gateway to the DWH will look for a specific label (egress-gateway-dwh) on your workload’s pods. If the label is present, the routing rules will affect your application.

In gap.yaml

cronJobs:
  <your-cronjob-name>:
    podLabels:
      egress-gateway-dwh: enabled

Step 3

The routing rules will also need to be exported to your application’s namespace. This is managed by the GAP team. Please raise a ticket in the GAP Project.

Example:

Dear GAP Team!

Please export the static egress gateway to DWH routing rules (ServiceEntry and VirtualService) to the following namespace:

<your-team-namespace>

Migration guide for Stunnel users

After the steps above have been completed, you can remove the custom Stunnel resources from your application by removing the patch files from your application’s repository.

Please note that the connection string will have to be modified to enable the encryption option (see Step 1). The port number in your connection string or application secrets will most likely change as well: instead of Stunnel’s TCP port, you’ll need to specify the gateway’s TCP port, 1433.
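A pre-deployment check for the connection string requirements from Step 1 and the migration note above, as an added example that is not part of the GAP documentation or tooling. The function names and the Stunnel-era sample string are constructed for illustration, and the accepted Encrypt values are an assumption based on the keywords of ODBC Driver 18 for SQL Server.

```python
import re

# Assumption: values that turn encryption on in ODBC Driver 18 for SQL Server.
ENCRYPT_ON = {"yes", "mandatory", "strict"}
GATEWAY_PORT = "1433"  # gateway TCP port named in this guide

# key=value pairs separated by ';'. A {braced} value may contain ';',
# and '}}' inside braces is an escaped '}'.
PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{(?:[^}]|\}\})*\}|[^;]*)\s*(?:;|$)")


def parse_odbc(conn_str):
    """Return the connection string as a dict with lower-cased keys."""
    return {k.lower(): v.strip() for k, v in PAIR.findall(conn_str)}


def check_dwh_conn_str(conn_str):
    """Return a list of findings; an empty list means the string passes."""
    kv = parse_odbc(conn_str)
    findings = []
    # Step 1: the guide asks for the encrypt option to be set explicitly.
    if kv.get("encrypt", "").lower() not in ENCRYPT_ON:
        findings.append("Encrypt is not enabled")
    # Trusting any server certificate removes the server authentication
    # that the application's own TLS session is meant to provide.
    if kv.get("trustservercertificate", "no").lower() != "no":
        findings.append("TrustServerCertificate is not 'no'")
    # Migration note: the port must be the gateway's, not Stunnel's.
    server = kv.get("server", "")
    addr = server[4:] if server.lower().startswith("tcp:") else server
    _, _, port = addr.partition(",")
    if port.strip() and port.strip() != GATEWAY_PORT:
        findings.append("Server port is %s, expected %s" % (port.strip(), GATEWAY_PORT))
    return findings


# Connection string from Step 1 of this guide.
GUIDE_EXAMPLE = ("Driver={ODBC Driver 18 for SQL Server};"
                 "Server=tcp:emarsyscdi.database.windows.net,1433;Database=DWH;"
                 "UID={USERNAME};PWD={PASSWORD};Encrypt=yes;"
                 "TrustServerCertificate=no;Connection Timeout=30;")
# Constructed sample of a pre-migration string pointing at a local Stunnel port.
STUNNEL_SAMPLE = ("Driver={ODBC Driver 18 for SQL Server};"
                  "Server=tcp:127.0.0.1,11433;Database=DWH;"
                  "UID={USERNAME};PWD={PASSWORD};Encrypt=no;"
                  "TrustServerCertificate=yes;")

if __name__ == "__main__":
    for name, s in (("guide", GUIDE_EXAMPLE), ("stunnel", STUNNEL_SAMPLE)):
        print(name, check_dwh_conn_str(s) or "OK")
```

Running the check in CI against the connection string template, with credentials left as placeholders, catches a leftover Stunnel port or a disabled encryption option before the change is deployed.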