Is communication between Google Cloud SQL and GCE instances encrypted? - google-compute-engine

I have an application connecting to Google cloud SQL from a GCE instance. Is the traffic encrypted between MySQL instance and my GCE instance?
Thanks

Customer data is encrypted when in Google's internal network. External connections can be encrypted using SSL. You can find more info at this link

Related

Connecting to Google Cloud MySql DB with a changing IP address

I connect to a Google Cloud MySQL DB from my laptop, however my IP address not only changes at home, but also when I travel. I have to specify the allowed public ip address in Google Cloud, but every time I reconnect I have to log in & update google cloud with my new IP address.
What is the best solution to not have to do that?
To solve this issue you should use Cloud SQL Auth proxy:
The Cloud SQL Auth proxy provides secure access to your instances without the need for Authorized networks or for configuring SSL.
You can find more details on how it works in the documentation:
The Cloud SQL Auth proxy works by having a local client running in the local environment. Your application communicates with the Cloud SQL Auth proxy with the standard database protocol used by your database. The Cloud SQL Auth proxy uses a secure tunnel to communicate with its companion process running on the server.
While the Cloud SQL Auth proxy can listen on any port, it only creates outgoing connections to your Cloud SQL instance on port 3307. If your client machine has an outbound firewall policy, make sure it allows outgoing connections to port 3307 on your Cloud SQL instance's IP.

How do I connect to Google Cloud SQL from Google Compute Engine in production?

I have a web application running on Google Compute Engine. I am currently running MySQL on a regular instance, and I want to migrate to Cloud SQL for scalability and reliability.
The GCE docs describe how to connect by Internet IP address or the Cloud SQL Proxy to run the MySQL client to configure a database. They do not describe how to connect to Cloud SQL for a "production" environment that needs to reliably handle a large volume of queries. The Cloud SQL Proxy seems like an elegant solution, because I prefer not to assign external IP addresses to the web servers (they are behind a load balancer), or send database traffic over the Internet.
Which method(s) are considered "production-ready" for connecting a web server to a Cloud SQL instance?
Is Cloud SQL Proxy suitable for a production application?
Is traffic encrypted between the Cloud SQL Proxy and Cloud SQL?
1) Either direct connection by IP or via Cloud SQL Proxy.
2) Yes, the Cloud SQL Proxy is production ready.
3) Yes, the connection between the Cloud SQL Proxy and the Cloud SQL instance happens over SSL.

Connect to new Google Cloud SQL (MySQL) 2nd Generation via VPN

The new Google Cloud SQL Engine creates its own VM instance to run a MySQL database, with an exposed public IP address. I was hoping that it would be possible to VPN into the Google Compute Cloud, then connect to the MySQL VM instance internally. Is this possible? The computer I am trying to connect from is a physical machine located outside of the cloud.
If it's not possible, what if I connect via VPN and use the public IP address to connect to the MySQL instance? Would it resolve to the internal network quickly and mimic the behavior of a local connection (no delay)? Or would it have the same performance as connected to the external IP address with no VPN in place?
Sorry, there's currently no VPN/private IP support for Cloud SQL. At the moment, you can use instance settings to control which IPs are allowed to connect. By default, the mysql server is locked down from all external connectivity.
Connecting through a VPN should not improve latency and may in fact hurt it depending on how things are set up. I would recommend doing your own test if that's something you wish to verify.
You can also use the Cloud SQL Proxy to connect externally which uses SSL certs to establish an SSL tunnel to MySQL.

Can Amazon AWS RDS MySQL databases be used in Azure?

We have mysql databases which we want to host on AWS RDS and want to use in Azure VM and web app. Both of them located in Singapore region.
Is this possible? If yes, How? What are pros and cons? And how to do this?
You have two options: build an Amazon VPC/Azure Network VPN tunnel on your own, with something like a Cisco instance or Linux VPN packages, or make your MySQL Amazon RDS publicly accessible and set up an SSL-encrypted connection to the DB. For more information see this doc:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

Understanding aws and rds connections

I've just started working with AWS EC2 instances, and I want to migrate the MySQL DB on the EC2 to a RDS instance.
My question is about security. When I connect to my EC2 instance I use a security key (.pem) file to encrypt my connection from laptop to EC2. But when the EC2 connects to the RDS I believe it will be using port 3306 on the RDS and be unencrypted? Is this a security risk for my web application?
If this is a security risk what is the best practice for securely connecting the EC2 to the RDS?
Thanks!
https://aws.amazon.com/rds/faqs/
Can I encrypt connections between my application and my DB Instance using SSL?
Yes, however, this option is currently only supported for the MySQL, SQL Server, and PostgreSQL engines.
Amazon RDS generates an SSL certificate for each DB Instance. Once an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. If you require your data to be encrypted while “at rest” in the database, your application must manage the encryption and decryption of data. Also note that SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
You can set up rules in your security group to only allow connections to your RDS instance from a pre-defined list of EC2 IPs if you want (or any IPs for that matter). AWS will reject any traffic trying to get to that RDS instance that is not in the list.
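Both the Cloud SQL question at the top of the page and this RDS answer come down to the same practitioner's check: rather than trusting that a session is encrypted, ask the MySQL server. The statements below are an added example, not from any of the posts above or from Google's or Amazon's documentation; they use standard MySQL (5.7+) session status, system variables and account options, and `'app'@'%'` is a placeholder account name you would replace with your own.

```sql
-- 1. Is THIS session encrypted? An empty Ssl_cipher means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- 2. Can the server do TLS at all, and does it refuse plaintext globally?
--    have_ssl: YES / DISABLED   require_secure_transport (5.7+): ON rejects plaintext for everyone
SHOW VARIABLES LIKE 'have_ssl';
SHOW VARIABLES LIKE 'require_secure_transport';

-- 3. Audit every current connection, not just your own (needs performance_schema, on by default).
--    Rows with an empty ssl_cipher are clients talking to the server unencrypted.
SELECT t.processlist_id,
       t.processlist_user,
       t.processlist_host,
       s.variable_value AS ssl_cipher
FROM   performance_schema.threads t
JOIN   performance_schema.status_by_thread s
       ON s.thread_id = t.thread_id
WHERE  s.variable_name = 'Ssl_cipher'
  AND  t.processlist_user IS NOT NULL;

-- 4. Enforce it per account so a misconfigured client cannot silently fall back to plaintext.
--    'app'@'%' is a placeholder account.
ALTER USER 'app'@'%' REQUIRE SSL;
-- Stronger variant: the client must also present a certificate the server trusts.
-- ALTER USER 'app'@'%' REQUIRE X509;

-- 5. Confirm the requirement is recorded on the account.
SHOW CREATE USER 'app'@'%';
```

Run steps 1 to 3 from the application host (on GCE or EC2) over the same connection path the application uses; if `Ssl_cipher` is empty there, the hop is plaintext regardless of what the provider encrypts inside its own network. Step 4 is the mitigation: once `REQUIRE SSL` is set, a client that does not negotiate TLS is refused at login instead of quietly connecting unencrypted, which also makes the "is it encrypted?" question answerable from the server's own logs.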