Enforce SSL/TLS for all incoming connections on CloudSQL Database Instances

Like any network aware service, SQL database connections also need to be protected on the wire. If the database connection is unencrypted then it may be possible to perform a man in the middle attack that may allow an attacker to retrieve and tamper SQL queries and data. The risk is highest for databases that allow Internet located IP addresses to connect for access. A successful attack can lead to data compromise.

‍

Enabling encryption for incoming connections on a CloudSQL database

‍

Following are the steps using Google Cloud console:

‍

Login to the Google Cloud console and navigate to Cloud SQL Instances (https://console.cloud.google.com/sql/instances).
Click on the instance name for which encrypted connections are to be enabled
In the left-side panel, select Connections then click on the Security tab

‍

3. In the left-side panel, select Connections then click on the Security tab ‍

In the SSL connections section, click Allow only SSL connections

‍

4. In the SSL connections section, click Allow only SSL connections ‍

Under Configure server certificates click Create new certificate

‍

5. Under Configure server certificates click Create new certificate ‍

Click on Save

‍

Following are the steps using gcloud on command line:

‍

To enforce SSL encryption for an instance run the command:

gcloud sql instances patch <INSTANCE_NAME> —require-ssl

‍

Note:

RESTART is required for type MySQL Generation 1 Instances (backendType: FIRST\_GEN) to get this configuration in effect.”

‍

***

‍

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security. Receive alerts for Academy by subscribing here.