Enforce SSL/TLS for all incoming connections on CloudSQL Database Instances

Priyam Singh

~ 2 min read

Unencrypted database connections allow attackers on the network to perform man-in-the-middle attacks that can be used to steal information and even modify data. In this article we will take a quick look at how to enable encryption for incoming connections on CloudSQL databases.

Introduction

Like any network aware service, SQL database connections also need to be protected on the wire. If the database connection is unencrypted then it may be possible to perform a man in the middle attack that may allow an attacker to retrieve and tamper SQL queries and data. The risk is highest for databases that allow Internet located IP addresses to connect for access. A successful attack can lead to data compromise.

Enabling encryption for incoming connections on a CloudSQL database

Following are the steps using Google Cloud console:

  1. Login to the Google Cloud console and navigate to Cloud SQL Instances (https://console.cloud.google.com/sql/instances).

  2. Click on the instance name for which encrypted connections are to be enabled

  3. In the left-side panel, select Connections then click on the Security tab

    GCP SQL Connections

  4. In the SSL connections section, click Allow only SSL connections

    GCP allow SQL Connections

  5. Under Manage server certificates click Create new certificate

    GCP SQL server certificate

  6. Under Manage client certificates click Create client certificate

    GCP SQL client certificate

Following are the steps using gcloud on command line

  1. To enforce SSL encryption for an instance run the command:
gcloud sql instances patch <INSTANCE_NAME> --require-ssl

Note:

RESTART is required for type MySQL Generation 1 Instances (backendType: FIRST_GEN) to get this configuration in effect.โ€

;