
How to restrict access to public Cloud SQL database instances

Publicly exposed database instances attract brute-force attacks and can end in a full compromise of the data they hold. If a database genuinely requires a public IP address, public access must be restricted to a small set of trusted IP addresses.

In general, database instances should not have public IP addresses at all. They should be reachable only by other application components over private IP addresses. Where an instance must be assigned a public IP address to communicate with remote services or application components, a proper allowlist (in Cloud SQL terms, the instance's authorised networks) must be configured so that the instance accepts connections only from trusted, known IP addresses or CIDR ranges.

A publicly exposed database instance is an easy target for password brute-force attacks. Additionally, if an attacker gains unauthorised access to application configuration (for example, a leaked config file containing the database credentials), those valid credentials can be used directly: with no network restriction in place, the attacker can connect to the database from anywhere on the internet and compromise all of the data within it.

In this article we will see how to restrict access to a public Cloud SQL database instance.

Restricting access to public Cloud SQL database instance

This section provides a step by step walkthrough of how we can restrict access to a publicly exposed Cloud SQL database instance.

Following are the steps to restrict access via the Google Cloud console:

  1. Log in to the Google Cloud console and navigate to the Cloud SQL Instances page at https://console.cloud.google.com/sql/instances
  2. Click the name of the instance for which you want to restrict public access, then click Edit to open its configuration page
  3. Expand the Connections section
  4. Check whether any of the authorised networks allow 0.0.0.0/0 (every IPv4 address on the internet). If so, click the delete icon next to that entry to remove it.
  5. Add the trusted/known IP addresses or CIDR ranges that should be allowed to connect over the internet, then click Save to update the instance.

Restrict access via the gcloud command line:

To inspect and update the authorised network list via gcloud, perform the following steps:

  1. Run the following command and check, for every instance with a public IP (settings.ipConfiguration.ipv4Enabled is true), whether settings.ipConfiguration.authorizedNetworks contains 0.0.0.0/0, which allows connections from everyone on the internet:

gcloud sql instances list --format=json

  2. Update the authorised networks list by running the following command. Note that --authorized-networks replaces the entire list rather than appending to it, so pass every trusted IP address or CIDR range you want to keep:

gcloud sql instances patch INSTANCE_NAME \
    --authorized-networks=IP_ADDR1,IP_ADDR2,...

To remove every authorised network instead, use --clear-authorized-networks. If the instance does not need a public IP at all, --no-assign-ip removes it and leaves the instance reachable over its private IP only.
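The audit and remediation described in the console and gcloud procedures above can be scripted. The following Python script is an added example and is not code from the original article or from Kloudle: it reads the JSON that `gcloud sql instances list --format=json` prints (a list of Cloud SQL Admin API DatabaseInstance objects, with the authorised networks under settings.ipConfiguration.authorizedNetworks[].value and the public-IP flag under settings.ipConfiguration.ipv4Enabled), flags every entry that is 0.0.0.0/0 or broader than an assumed /24 threshold, and builds the `gcloud sql instances patch` command that keeps only the remaining entries. It generalises the article's 0.0.0.0/0 check to any over-broad range. The instance names and addresses in SAMPLE_INSTANCES are constructed for the demo; the /24 threshold and the `--live` flag are assumptions of this example.

```python
"""Audit Cloud SQL authorised networks and build the matching patch command.

Added example, not from the original article. Input is the JSON printed by
`gcloud sql instances list --format=json`; SAMPLE_INSTANCES below is constructed
so the script runs offline, and --live (an assumption of this example) swaps in
the real gcloud output.
"""
import ipaddress
import json
import subprocess
import sys

# Any authorised network larger than this is treated as too broad to be
# "trusted". The /24 threshold is an assumption for this example; 0.0.0.0/0 is
# always larger than it and therefore always flagged.
MAX_TRUSTED_ADDRESSES = ipaddress.ip_network("10.0.0.0/24").num_addresses

# Constructed sample in the shape gcloud prints (only the fields used here).
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "orders-db",
   "settings": {"ipConfiguration": {"ipv4Enabled": true,
     "authorizedNetworks": [
       {"name": "everyone", "value": "0.0.0.0/0"},
       {"name": "partner", "value": "198.51.0.0/16"},
       {"name": "office", "value": "203.0.113.10/32"}]}}},
  {"name": "analytics-db",
   "settings": {"ipConfiguration": {"ipv4Enabled": false,
     "authorizedNetworks": []}}},
  {"name": "legacy-db",
   "settings": {"ipConfiguration": {"ipv4Enabled": true,
     "authorizedNetworks": [{"name": "any", "value": "0.0.0.0/0"}]}}}
]
""")


def is_too_broad(cidr: str) -> bool:
    """True for 0.0.0.0/0 and any range with more addresses than a /24."""
    net = ipaddress.ip_network(cidr, strict=False)  # bare IPs become /32
    return net.num_addresses > MAX_TRUSTED_ADDRESSES


def authorized_networks(instance: dict) -> list[str]:
    """The CIDR values of an instance's authorised networks (may be empty)."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    return [n["value"] for n in ip_cfg.get("authorizedNetworks", [])]


def has_public_ip(instance: dict) -> bool:
    """Authorised networks only matter when the instance has a public IPv4."""
    return bool(instance.get("settings", {}).get("ipConfiguration", {}).get("ipv4Enabled"))


def find_exposed(instances: list[dict]) -> dict[str, list[str]]:
    """Map instance name -> too-broad authorised networks, public-IP instances only."""
    findings = {}
    for inst in instances:
        if not has_public_ip(inst):
            continue
        broad = [n for n in authorized_networks(inst) if is_too_broad(n)]
        if broad:
            findings[inst["name"]] = broad
    return findings


def patch_command(instance: dict) -> list[str]:
    """Build the gcloud command that keeps only the non-broad networks.

    --authorized-networks replaces the whole list, so the complete retained list
    is passed; if nothing trusted remains, the list is cleared instead.
    """
    keep = [n for n in authorized_networks(instance) if not is_too_broad(n)]
    cmd = ["gcloud", "sql", "instances", "patch", instance["name"]]
    cmd.append("--authorized-networks=" + ",".join(keep) if keep
               else "--clear-authorized-networks")
    return cmd


def load_from_gcloud() -> list[dict]:
    """Fetch the live instance list; requires an authenticated gcloud."""
    out = subprocess.run(["gcloud", "sql", "instances", "list", "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    instances = load_from_gcloud() if "--live" in sys.argv else SAMPLE_INSTANCES
    for name, broad in find_exposed(instances).items():
        inst = next(i for i in instances if i["name"] == name)
        print(f"{name}: too-broad authorised networks {broad}")
        print("  remediate with:", " ".join(patch_command(inst)))
```

The script prints the remediation command rather than running it, so the retained list can be reviewed before the patch is applied; the same findings can be produced from the console by comparing the Connections section of each public-IP instance against the threshold.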

***

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security.