I have been trying to setup a VPN for my database servers on Google Cloud for a while but I have been running into some issues. My setup is as follows:
2 Webservers
2 Database Servers
1 Load balancer
The 2 webservers have a load balancer with a static IP, that routes traffic to one of the webservers. Both of the webservers are connected to the database servers. I am trying to create a VPN so both of the database servers are behind a private subnet and hidden from the general public. The only port that needs to open for the database servers are 8091 and 8092.
What is the proper way to create this, so the database servers are completely hidden from the general public?
VPN is solution for connecting servers from 2 different networks so one can access other using their private IP.
If your server and databases sit both in GCE you doesn't need VPN, the servers can connect with their private IP without any other settings.
If your database servers sit in other network you need to set VPN between the two networks.
Related
I have an application running on EC2 instances that store data in an RDS instance. All of these instances are in an AWS VPC with security groups configured to allow them to connect to each other.
For reporting purposes, I would like to connect to the RDS instance from my laptop (e.g. using SQLAlchemy) to run simple queries. Every time I try to connect using the connection string that the EC2 apps use, the connection times out.
For Google, one can use the Cloud SQL proxy for this, but I can't find an analogous product for AWS. Instead, it seems like what I am supposed to do is attach an internet gateway to the VPC and configure the security groups to allow connection from my machine. However, the documents are unclear on how to do this other than allowing all inbound connections or allowing a static IP. Unfortunately my laptop doesn't have a static IP, and I'm uncomfortable allowing all inbound connections as it seems insecure and an invitation to attacks. I also have not been able to find a way to configure a security group to allow connections based on IAM credentials for example using the AWS CLI. Since I will be routinely generating reports, a solution that involves updating a security group (i.e. allowing my current IP) every time I want to connect seems suboptimal.
I have tried following the following documents, but so far have had no success in finding a solution that does not allow all connections:
Allow users to connect to RDS using IAM*
Connecting to RDS instance from command line
Connecting to RDS on VPC from internet
*My RDS instance configuration does not allow me to enable IAM authentication, I'm not sure why
IAM Database Authentication is not supported for the configuration in the DB Instance db.
Modify your Db Instance to another instance class and try again.
(Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterCombination;
Request ID: a6194fb8-2ab9-4a6a-a2be-63835e6e0184)
Is there something I'm not understanding or overlooking? Is allowing connections from all IPs not a big deal since the DB instance is still secured by DB user credentials?
Select this connection as per screenshot. Then fill up all details use your nat instance .pem file to connect. Its like you are connecting to VPC through Nat gateway or Internet gateway bypassing this.
Another option to install VPN on VPC and connect.
We have an EC2 instance which is a website, which uses a mysql database which is on another EC2 instance in the same region. In mysql, we have provided restricted access based on server elastic IP to prevent intrusion.
Now, we have decided to install ELB on this server. The ELB part actually works fine, but when auto-scaling spins up a new instance, it has a random public IP address, hence cannot be added to mysql's exceptions.
I tried adding ELB dns(A Name) to mysql for providing access, but it is still not working. The ELB works, Auto scaling spins up a new instance, but the website shows error due to not-connected to database.
How can I correct this?
Rather than restricting access via IP addresses, use Security Groups:
Create a security group (eg App-SG) and associate it with any instance that is permitted to communicate with the MySQL server
Create a security group for the MySQL instance (eg call it SQL-SG) and permit Inbound connections from App-SG
This way, only machines with the App-SG will be allowed to communicate with the MySQL instance. When Auto Scaling launches new instances that are associated with the App-SG, they will also be able to communicate with MySQL.
You should avoid hard-coded IP addresses as much as possible (as in... never use them!).
Instead of restriciting your database access by IP, consider restricting by subnet.
You will have a public subent (webserver and ELB are there) and a private one (database server is there)
Computers in a public subnet is accessible to everyone in internet, computers in a private subnet is available to only computers in a public subnet.
More information about such configuration is here:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
In order to manage your database server, you can setup a bastion host:
http://blogs.aws.amazon.com/security/post/Tx2ZWDW1QA6D62Y/Controlling-Network-Access-to-EC2-Instances-Using-a-Bastion-Server
The new Google Cloud SQL Engine creates its own VM instance to run a MySQL database, with an exposed public IP address. I was hoping that it would be possible to VPN into the Google Compute Cloud, then connect to the MySQL VM instance internally. Is this possible? The computer I am trying to connect from is a physical machine located outside of the cloud.
If it's not possible, what if I connect via VPN and use the public IP address to connect to the MySQL instance? Would it resolve to the internal network quickly and mimic the behavior of a local connection (no delay)? Or would it have the same performance as connected to the external IP address with no VPN in place?
Sorry, there's currently no VPN/private IP support for Cloud SQL. At the moment, you can use instance settings to control which IPs are allowed to connect. By default, the mysql server is locked down from all external connectivity.
Connecting through a VPN should not improve latency and may in fact hurt it depending on how things are setup. I would recommend doing your own test if that's something you wish to verify.
You can also use the Cloud SQL Proxy to connect externally which uses SSL certs to establish an SSL tunnel to MySQL.
By default, when you open the bind-address to listen to the outside, the default communication between the MySQL client & server is not secured, that means anyone that can do a MitM attack can view every transactions made.
There is options out there to protect against this type of attack (SSH Tunneling or enabling SSL in MySQL) but from what I understand, Amazon RDS doesn't implement, by default, any SSL security.
So I'm wondering, when you create an RDS instance, is it like installing MySQL on a server and opening the 3306 port or am I missing something?
A few points. Firstly AWS RDS for mysql does support ssl. This is discussed here
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
Second, the usual way to arrange servers in a AWS VPC is to have "private" and "public" subnets. The private subnets route to other private hosts and perhaps to other hosts in the same VPC. But they have no Elastic IPs and no direct access to the Internet Gateway. It is usual to put databases on private subnets so that their ports are not exposed
There is a nice diagram on this page showing this concept
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
Lastly, AWS RDS exists within the philosphy of the shared responsiblity model
This tries to make it clear what security AWS services provide and what is supposed to be the responsibility of the customer
If you're creating an instance you've to also allow port 3306 to be open at your endpoints. This means you've to also configure your security settings as to which IP you've to allow for this connection. Regarding SSL security or SSH, as a good practice you should rely on ssh keys with Pass phrase.
We have a local mysql server(not on public domain) and want that server replicated to a google cloud sql instance that we have. My question is that:
1. is this possible?
2. our local server is accessible on the local network only. no public IP, etc. Although the server has internet. Im not sure how replication works, is this a one way traffic from master to slave?
if this is the case, then this might be possible even if the local mysql server is not accessible on the public domain since it only need to connect to the slave up on the cloud.
hope this makes sense
MySQL replication requires a connection from the slave to the master. The easiest way to make this possible is to set up a DMZ or port forwarding so your SQL instance is accessible over the internet.
Google Cloud SQL does not support replication from off-site to Cloud SQL, but you can do it with MySQL on GCE.
If you do use MySQL on GCE you have the added option of using Cloud VPN to allow a connection from your GCE instance to your local MySQL instance without requiring public exposure of either.