In general, the database instances should not have public IP addresses. They should only be accessible to other application components using private IP addresses. In case a database instance must be assigned a public IP address to communicate with remote services or application components, one must ensure that a proper allowlist is applied to the database to accept connections only from trusted /known IP addresses.
A publicly exposed database instance can fall prey to password brute force attacks. Additionally, in the event of unauthorised access to configuration, valid credentials to the database may become accessible to the attackers. This would allow an attacker to connect to the database from an internet located source and completely compromise all data within the database.
In this article we will see how to restrict access to a public Cloud SQL database instance.
Restricting access to public Cloud SQL database instance
This section provides a step by step walkthrough of how we can restrict access to a publicly exposed Cloud SQL database instance.
Following are the steps to restrict access via the Google Cloud console
Login to Google Cloud console and navigate to the Cloud SQL Instances page by visiting https://console.cloud.google.com/sql/instances
Click the instance name for which you want to restrict public access and then click on Edit to open its Instance info page
Expand the Connections section
Check if any of the authorised networks allow 0.0.0.0/0. If yes, click on delete icon to remove it.
Add the trusted/known IP address(s) to which you want to allow access over the internet. Then click Save to update the instance.
Restrict access via the gcloud command line
To update the authorised network list via gcloud, perform the following steps:
Run the following command to check if the authorised networks allow public access to everyone on the internet
gcloud sql instances list --format=json
Update the authorised networks list by running the following command
gcloud sql instances patch INSTANCE_NAME / --authorized-networks=IP_ADDR1,IP_ADDR2...