We Keep Coding

what is the port 33060 for mysql server ports in addition to the port 3306

background purpose: I want to restrict inbound connection to MYSQL server only for specific host by setting inbound rules of windows firewall.
MYSQL server port is open on 3306.
However, when I open firewall setting, I can see two ports are opened on 3306 and 33060 as follows:
what is that? Should I restrict 33060 as well?

The port for X Protocol (mysqlx_port), supported by clients such as MySQL Shell, MySQL Connectors and MySQL Router, is calculated by multiplying the port used for classic MySQL protocol by 10. For example if the classic MySQL protocol port is the default value of 3306 then the X Protocol port is 33060.
See MySQL Port Reference Tables for more information.
The MySQL X service, is listening on all interfaces, by default over localhost, on TCP port 33060 and clients can connect to it through x protocol. So you need to restrict it for specific host to ban it to connect through x protocol. I suggest use it just for localhost.
You can see open ports by mysql through the following command:
sudo lsof -i -P -n | grep 3306

Port redirection

I have the following scenario:
I changed the port of MySQL 54235, on linux server Centos, I accept connections from outside only on that port.
I have an old and discontinued third-party software, where there is no option to change the default port 3306. However, this software should access 2 fixed external ips.
How do I configure on linux to accept connection on port 3306 only from these 2 fixed ips, and internally, redirect the connection to port 54235?

the most easy is to use "socat"
socat TCP-LISTEN:3306,fork TCP:127.0.0.1:54235

Can't connect to MySQL server on Amazon RDS

I've just launched a MariaDB instance on RDS. I used all the default options, on the free tier. It has finished creating. When I try to access it with Sequel Pro or with the command line, I get an error:
Can't connect to MySQL server on {endpoint}
My security group is the default group. Its Inbound and Outbound Rules have:
Type: ALL Traffic
Protocol: ALL
Port Range: ALL
What am I missing here?

The answer for me was to add a new Inbound Rule to my existing Security Group:
Type: MySQL/Aurora (3306)
Protocol: TCP (6)
Port Range: 3306
Source: 0.0.0.0/0
[EDIT Oct 2020]: See Leon's comment below. Instead of 0.0.0.0/0 use your specific IP address.

Does the instance have an internet ip? If not, you know, you can
only connect it from inner net.
The port is 3306?

Splitting read/write for mysql cluster with HAproxy

I have a mysql cluster on ubuntu 16.04 and want to split read/write with haproxy.
All connections will be done through port 80.
If someone connects to the server with X.X.X.X/write I want him to be redirected to 1 specific server.
So far this is my config which works for the default (anything but /write) but when trying to connect with /write I get "unknown MySql server host".
My config is as follows:
global
log 127.0.0.1 local0 notice
maxconn 2000
user haproxy
group haproxy
defaults
mode tcp
log global
retries 2
timeout connect 3000
timeout server 5000
timeout client 5000
backend read
balance roundrobin
server mysql1 192.168.0.4:3306
server mysql2 192.168.0.5:3306
server mysql3 192.168.0.6:3306
backend write
server mysql1 192.168.0.4:3306
frontend local
bind *:80
acl write url_beg /write
use_backend write if write
default_backend read
Thanks for the help!

There is no "URL" in a MySQL connection, so url_beg can't possibly match anything. Connecting to a MySQL server (or proxy) is done by IP address or hostname only -- not hostname and path, because there is no path. Detecting the hostname the client used is impossible, because it is not passed when the connection is established.
To accomplish what you want, you need two different hostnames, pointing to two different IP addresses on the HAProxy server, and each of these two IPs in its own individual frontend with bind statement.
frontend read
mode tcp
bind 203.0.113.1:3306
default_backend read
frontend write
mode tcp
bind 203.0.113.2:3306
default_backend write

Accessing rds MySql db with SSL 443 instead of 3306

I am trying to access my rds mySql db via 443 only instead of 3306.
After enabling the ssl option on workbench and entering the path to the mysql-ssl-ca-cert.pem I tried to disable tcp 3306 on my security group to insure it connects using 443 but it doesn't.
I can connect using the mysql command line below but yet again it fails once i disable tcp 443 on the security group
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl_ca=rds-ssl-ca-cert.pem
Amazon documentation states:
The SSL support in Amazon RDS is strictly for encrypting the connection between your client and your DB instance; it should not be relied on for authenticating the server.
Does this mean that I can only ever authenticate to mysql db over 3306 and not 443, but the data will be encrypted in transit?
My issue is that my customer won't open 3306 outbound on their firewall but 443 is of course opened. Any help appreciated.

You are confusing SSL and HTTPS. Port 443 is the default port for HTTPS connections. MySQL uses 3306 instead (and can use SSL over this port or any other to encrypt the connection). So, setting up SSL encryption for a MySQL connection doesn't affect the used port.
In order to use a different than the standard port you have to reconfigure the MySQL server, which you probably cannot do with an RDS instance.
It is possible to use tunneling to avoid the default port. In this scenario you have to open an SSH tunnel (MySQL Workbench can do that for you or you use an external program like putty on Windows or ssh on *nix like OSes). With that tunnel in place (which uses port 22 by default but can be configured for any other port if that matters for you) you can then forward access from a local port (here 3306, but can be any) to a remote port (can be any as well). This requires an SSH server on the remote end however.