Creating a service instance with Service-Gateway access

You can create a service instance with service-gateway access. You can activate and deactivate service-gateway access on an existing service instance.

For general information about service-gateway access, including about architecture and use cases, see About Service-Gateway access.

If service-gateway access is activated for the foundation, the external components that are outside the foundation can connect to MySQL service instances. These external components are also referred to as off-platform components.

These components are typically:

Apps running externally or running on other foundations.
Database administrative and management tools, for example, MySQL Workbench.

Note Apps that are deployed in the same foundation as the service instance, can connect to the service instance directly without going through the service-gateway.

Prerequisites

The procedures in this topic assume:

You meet the prerequisites for using VMware SQL with MySQL for Tanzu Application Service. For more information, see Prerequisites in Using VMware SQL with MySQL for Tanzu Application Service.
Your operator has activated service-gateway access. If you do not know if the foundation is activated for service-gateway access, contact your operator.

Create a service instance that allows off-platform access

The following procedure describes how to create a new MySQL service instance that can be accessed by external components.

To create a service instance that enables service-gateway access:

Run:
```
cf create-service p.mysql PLAN SERVICE-INSTANCE-NAME -c '{"enable_external_access": true}'
```
Where:
- PLAN is the name of the VMware SQL with MySQL for TAS plan you want to use.
- SERVICE-INSTANCE-NAME is a name you choose for the service instance. This name appears under service in the output from cf services.
Obtain credentials by creating a service key. Run:
```
cf create-service-key SERVICE-INSTANCE-NAME SERVICE-KEY
```
Where:
- SERVICE-INSTANCE-NAME is the name of the instance you created above.
- SERVICE-KEY is a name you choose for the service key. Choose a name that indicates that the key contains credentials for off-platform access.
Note If you deactivate and then activate service-gateway access again on the foundation, you must create new service keys to obtain a new set of credentials for service-gateway access.

Use the keys in the service key to access the service instance from outside the foundation.

This is an example of a service key:

{
 "hostname": "tcp.turtlegreen.cf-app.com",
 "jdbcUrl": "jdbc:mysql://tcp.turtlegreen.cf-app.com:1035/service_instance_db?user=4801b239ba514be0be393cb33a0f3431\u0026password=g3mfwbz00byl6s5a\u0026sslMode=VERIFY_IDENTITY\u0026useSSL=true\u0026requireSSL=true\u0026enabledTLSProtocols=TLSv1.2\u0026serverSslCert=/etc/ssl/certs/ca-certificates.crt",
 "name": "service_instance_db",
 "password": "g3mfwbz00byl6s5a",
 "port": 1035,
 "tls": {
   "cert": {
     "ca": "-----BEGIN CERTIFICATE-----\nMIIDLTCCAhWgAwIBAgIUTgFaBwCzHAZfdQ5gHtol0IjMUXIwDQYJKoZIhvcNAQEL\nBQAwJjEkMCIGA1UEAxMbZG0tcm9vdC5kZWRpY2F0ZWQtbXlzcWwuY29tMB4XDTIw\nMTEwMjE0MDUyNloXDTIxMTEwMjE0MDUyNlowJjEkMCIGA1UEAxMbZG0tcm9vdC5k\nZWRpY2F0ZWQtbXlzcWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEArLEuvd6HKVEgIs+SeZBMVVT7UafRQp2NWNV1mYS4zthXzP3q7MNPQr3Hr+qp\nANO95Mnq5bCxXAIHFIOUS4nHkSYPSNkaGmkRrUiDLkEH+xGodAKnmshPcfuhW8gO\nc5RTrqgCsNEzpAask7MQoj9njp8oQyNQ2qS7zm9t91XYiLc1RstKc9jnyU3xzJDr\n6+FBqC9uwyJIhV9fGsmUxnB7OMS8kx/uYmOPeNL6ywIAypQBaIIPs7THzqDPe+Qi\nY8o2J5ylFWXasz3tGjtTCetSmrfyBzZFNc1EmqzABkNTXi/qfRs5KtS+UtRqtIsF\nTgL/F0bBlZe15bv7MahMVRqeOwIDAQABo1MwUTAdBgNVHQ4EFgQUNdcf3u9oTtLl\noQ3Y7J5wCCtNKLAwHwYDVR0jBBgwFoAUNdcf3u9oTtLloQ3Y7J5wCCtNKLAwDwYD\nVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFEkmfosL5eLIri6Wi2dQ\nva5olI5xMwaHAp7gaqp9rxPUlugMgSsiNqzS5fL/682HbsqLVQijEg4tbX5VeA/6\ndztZE58DUjXam1YOU6THUt8oeK6NtUJ3TmjTttFWB+x2yvQefJoldGslBh06HzBr\nY5CrlkVsiLek2JKmU9LQ2XQ7CIZEzz20MJp8CrDDsn1U3BjUrUVmlLdgAtIuWgJ7\nufmYar41bWcMjsNvETrOxWtY5uvErmP+Z+0GGdYEUimLgxCc6WfBWdhMbEygOS4G\n6amSkb/rZTHWr0z4swHdrNtP627jhtcdjlh5QFQYYxc8O/jeAehUdS06JjG9qUzP\nFQ==\n-----END CERTIFICATE-----\n"
   }
 },
 "uri": "mysql://4801b239ba514be0be393cb33a0f3431:[email protected]:1035/service_instance_db?reconnect=true",
 "username": "4801b239ba514be0be393cb33a0f3431"
}

The four keys that change to include the TCP domain and TCP port are hostname, jdbcUrl, port, and uri. The keys that you need depend on the type of component that you are accessing the service instance from.

Enable an existing service instance for off-platform access

If you already have a MySQL service instance, you can make it accessible to external components by activating service-gateway access.

To activate service-gateway access on an existing MySQL service instance:

Run:
```
cf update-service SERVICE-INSTANCE-NAME -c '{"enable_external_access": true}'
```
Where SERVICE-INSTANCE-NAME is the name of the service instance that you want to make available for off-platform access. This name appears under service in the output from cf services.
Obtain credentials by creating a service key. Follow steps 2 and 3 in Create a service instance that allows off-platform access.

Deactivate off-platform access on a service instance

If you have a MySQL service instance that no longer needs to be accessed from outside the foundation, deactivate service-gateway access for that service instance.

To deactivate service-gateway access on a MySQL service instance:

Run:
```
cf update-service SERVICE-INSTANCE-NAME -c '{"enable_external_access": false}'
```
Where SERVICE-INSTANCE-NAME is the name of the service instance for which you want to deactivate service-gateway access.