CloudSQLProxy: a wiser choice than a bastion for tunnelling to CloudSQL


Let’s start with a basic real-world scenario

Developers (and “others”) on the internet

How would your developers connect to your DB instance for data entry, troubleshooting, monitoring, maintenance and so on?

Devs connecting to the DB via the DB’s public IP
Devs authorized to connect to the DB via a list of Authorized Networks
  • Your developers’ IP addresses change when they connect from different remote places at different times.
  • Their IP addresses may change even from the same place, if (say) their home Wi-Fi routers get a dynamic address from the ISP via DHCP.
  • People are always joining and leaving your company, so you need a way to constantly add and remove IP entries from this list. Every entry that is not removed in time is a standing hole in the allowlist, and every entry is a whole address that anyone else behind that same NAT can use.

Enter Bastion Hosts

Devs connect to the bastion. Then only the bastion is authorized to connect to the DB.
Is the bastion itself secure enough? It is one more host with a public IP that you have to patch, monitor and manage SSH keys for, every developer still needs a login on it, and everyone who can reach it shares a single network path to the database.

Enter CloudSQLProxy

  • It establishes a TLS-encrypted end-to-end connection (read: tunnel) between your computer and the CloudSQL DB instance running in GCP data centers.
  • It exposes a port of your choosing on localhost that your local applications and MySQL clients connect to as if the database were running locally.
  • It is developed and maintained by Google, the creators of CloudSQL, so there is that sense of trust in its security and design.
  • Nobody needs to know (or share) any public or private IP or host address to connect to the DB; the proxy looks the instance up by name through the Cloud SQL Admin API.
  • It uses IAM roles to authorize who may open the tunnel, so there is no allowlist of IP addresses to maintain in Authorized Networks. (Your database user credentials are still needed once the tunnel is up: IAM decides who may connect to the instance, not who may log in to the database, unless you also enable IAM database authentication.)
  • Works reliably whether from work, home, school or park (with or without VPN), as long as outbound TCP to port 3307 on the instance is allowed from wherever the proxy runs.
Devs connect to the DB via the CloudSQLProxy software on their localhost

You do, however, need to ensure a few important things:

  • Your devs need to know the instance connection name (the “connection string”, of the form project:region:instance, which contains nothing sensitive) when starting the CloudSQLProxy software on their localhost.
  • Your devs may be granted the Cloud SQL Client IAM role (roles/cloudsql.client) individually via GCP IAM - not recommended, because per-user bindings recreate the same churn problem as the IP allowlist.
  • Your devs may belong to a Google group that has been granted the Cloud SQL Client IAM role - recommended; joining and leaving the company becomes a group membership change.
  • Your devs may use a key file for a ServiceAccount that has been granted the Cloud SQL Client IAM role - not recommended; a long-lived key on a laptop is a shared secret that can leak, cannot be tied to the person using it, and has to be rotated by hand.

Not just for humans

Devs and apps all connect to the DB via CloudSQLProxy running on their localhost
  • Your server needs to know the same instance connection name (nothing sensitive) when starting the CloudSQLProxy software on its localhost.
  • Your server may need a key file for a ServiceAccount that has been granted the Cloud SQL Client IAM role. This is only needed for apps that are not running inside GCP infra; inside GCP the proxy picks up the credentials of the service account attached to the VM, container or function.
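The two setups above (a developer authenticating as themselves, a server outside GCP authenticating with a service-account key file) differ only in how the proxy gets its credentials. The following shell wrapper is an added example and is not code from the original post or from Google's proxy project. It assumes the v1 Cloud SQL Auth Proxy binary is on PATH as cloud_sql_proxy, that the instance is MySQL, that the v1 binary logs "Ready for new connections" once it is listening, and that my-project:us-central1:my-db, devs@example.com and /etc/secrets/sa-key.json are placeholders.

```shell
#!/bin/sh
# Added example; not from the original post or from the Cloud SQL proxy project.
# Assumes the v1 proxy binary "cloud_sql_proxy" is on PATH and a MySQL instance.

# The "connection string" is the instance connection name PROJECT:REGION:INSTANCE.
# Reject anything without exactly three non-empty parts, so a typo fails here
# with a clear message instead of as an opaque error from the proxy.
validate_instance_name() {
  case "$1" in
    ''|*:*:*:*|*::*|:*|*:) return 1 ;;
    *:*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the proxy command line for one instance, listening only on 127.0.0.1.
# $1 instance connection name, $2 local port, $3 optional service-account key file.
# A developer omits $3: the proxy then uses the Application Default Credentials
# created by "gcloud auth application-default login", so the IAM identity is the
# person (through their Google group binding), not a shared key. A server outside
# GCP passes its key file; a server inside GCP omits it and the proxy uses the
# attached service account.
proxy_cmd() {
  name="$1"; port="$2"; keyfile="${3:-}"
  validate_instance_name "$name" || { echo "bad instance connection name: $name" >&2; return 1; }
  cmd="cloud_sql_proxy -instances=${name}=tcp:127.0.0.1:${port}"
  [ -n "$keyfile" ] && cmd="$cmd -credential_file=${keyfile}"
  printf '%s\n' "$cmd"
}

# Start the proxy in the background and wait until it reports it is listening,
# so a client launched right afterwards does not race the proxy's startup.
# Paths and names are assumed to contain no spaces ($cmd is word-split on purpose).
start_proxy() {
  command -v cloud_sql_proxy >/dev/null 2>&1 || { echo "cloud_sql_proxy not installed" >&2; return 1; }
  cmd="$(proxy_cmd "$@")" || return 1
  $cmd >/tmp/cloud_sql_proxy.log 2>&1 &
  proxy_pid=$!
  for i in 1 2 3 4 5 6 7 8 9 10; do
    # Assumption: the v1 proxy prints this line once the local port is open.
    grep -q 'Ready for new connections' /tmp/cloud_sql_proxy.log 2>/dev/null && return 0
    kill -0 "$proxy_pid" 2>/dev/null || { cat /tmp/cloud_sql_proxy.log >&2; return 1; }
    sleep 1
  done
  echo "proxy did not become ready; see /tmp/cloud_sql_proxy.log" >&2
  return 1
}

# Connect a MySQL client through the tunnel. Only the database user's credentials
# are needed here; no instance IP appears anywhere on the developer's machine.
mysql_via_proxy() {
  mysql --host=127.0.0.1 --port="$1" --protocol=TCP --user="$2" -p
}

# Grant the role once to a Google group rather than per user (the recommended
# option above); onboarding and offboarding then become group membership changes.
grant_client_role_to_group() {
  gcloud projects add-iam-policy-binding "$1" \
    --member="group:$2" --role="roles/cloudsql.client"
}

# Usage (developer laptop, authenticated as the person):
#   gcloud auth application-default login
#   start_proxy my-project:us-central1:my-db 3306 && mysql_via_proxy 3306 appuser
# Usage (server outside GCP, authenticated with a service-account key file):
#   start_proxy my-project:us-central1:my-db 3306 /etc/secrets/sa-key.json
# One-time IAM setup for the developers' group:
#   grant_client_role_to_group my-project devs@example.com
```

The proxy is bound to 127.0.0.1 rather than 0.0.0.0 deliberately: anything that can reach the local port inherits the proxy's IAM identity, so on a shared server the listening address is what keeps the tunnel from becoming a new, credential-less bastion.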

Even easier for apps running in GCP infra

Stay Tuned

Syed Rakib Al Hasan

DevOps Engineer, Backend Developer, Cloud Architect, Night time drive-outs & nice hangouts