
How To Secure Connection To Google Database Using Public IP (0.0.0.0)?

I have created software in which I'm connecting with Google database using public IP but as with changing network, the public IP changes for the system. So for ease, I used the IP

Solution 1:

There are several ways to set a secure connection to a Cloud SQL instance.

  1. Use SSL certs to connect to the instance and enable the "Allow only SSL connections" option.
  2. Use Private IP. I understand that the application that you created is not hosted in GCP, but elsewhere, so, a good option is to:

    2.1. Enable the private IP feature in your CSQL instance

    2.2. Enable "import custom routes" in the just created peering between your project (let's call this project "project A") and the tenant project where your CSQL is (the name of this project will look like "speckle-umbrella-[pg]-xx" JFYI). Bear in mind that this feature is in beta.

    2.3. Ask our technical support team to enable "export custom routes" on the just created peering, but for this time, on our side (in the already mentioned "speckle-umbrella-[pg]-xx" project). If you don't have a support package, you can open a private issue tracker following this link specifying my name, your project ID and the CSQL instance where you want to enable this feature. Don't worry, the issue tracker that you will open there is only visible for Google employees and you. Bear in mind that opening an issue tracker there could take up to 90 days to get an answer, but I'll be monitoring this post.

    2.4. Then, as I assumed that your app is not running in GCP, you will have to set up a VPN tunnel or a Cloud Interconnect to connect your local network to Google Cloud.

After this, you'll be able to connect from your app to your CSQL instance in a secure way.

  3. If you want to use Private IP and your app is hosted in GCP, you can connect directly to your CSQL instance if your app and CSQL are both in the same region and using the same VPC (if you are using a serverless option such as Cloud Functions or Google App Engine Standard, you can use Serverless VPC Access). But if your app is hosted in GCP, but in a different project, you can follow steps 2.1, 2.2 and 2.3, and then create a VPC peering between the project where your application is (let's call this project "project B") and the project where you have associated your CSQL instance ("Project A"). For "project A" you will have to enable "export custom routes" in this new VPC peering, and for "project B" you will have to enable "import custom routes". Doing this, the connection from your app (hosted in "Project B") will go from Project B to Project A, and from Project A to speckle-umbrella-[pg]-xx until it reaches your Cloud SQL instance.

The reason why you have to deal with custom routes is that some time ago, VPC peerings were not able to propagate routes, but now with this it is completely possible.
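A way to check an instance against the options in the answer above, as an added example that is not part of the original answer or Google's own code: it audits an instance resource (the JSON that `gcloud sql instances describe --format=json` returns, parsed into a dict) for a public IP that authorizes every source address or does not enforce SSL. The field names are assumed to follow the Cloud SQL Admin API `ipConfiguration` object, and the three sample instances are constructed.

```python
import ipaddress

# sslMode values that reject plaintext connections (assumed from the Cloud SQL Admin API).
ENCRYPTED_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def audit_ip_configuration(instance):
    """Return a list of (code, detail) findings for one instance resource dict."""
    cfg = instance.get("settings", {}).get("ipConfiguration", {})
    findings = []
    if not cfg.get("ipv4Enabled", False):
        return findings  # private IP only: no public address to audit

    for net in cfg.get("authorizedNetworks", []):
        cidr = ipaddress.ip_network(net["value"], strict=False)
        if cidr.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            findings.append(("OPEN_TO_INTERNET",
                             f"{net['value']} authorizes every source address"))

    tls_enforced = cfg.get("requireSsl", False) or cfg.get("sslMode") in ENCRYPTED_MODES
    if not tls_enforced:
        findings.append(("TLS_NOT_ENFORCED",
                         "public IP accepts unencrypted connections"))
    return findings


# Constructed sample resources (not real instances).
OPEN_INSTANCE = {"name": "example-open", "settings": {"ipConfiguration": {
    "ipv4Enabled": True, "requireSsl": False,
    "authorizedNetworks": [{"name": "anywhere", "value": "0.0.0.0/0"}]}}}

SSL_ONLY_INSTANCE = {"name": "example-ssl", "settings": {"ipConfiguration": {
    "ipv4Enabled": True, "requireSsl": True,
    "authorizedNetworks": [{"name": "office", "value": "203.0.113.10/32"}]}}}

PRIVATE_INSTANCE = {"name": "example-private", "settings": {"ipConfiguration": {
    "ipv4Enabled": False,
    "privateNetwork": "projects/example-project/global/networks/example-vpc"}}}

if __name__ == "__main__":
    for inst in (OPEN_INSTANCE, SSL_ONLY_INSTANCE, PRIVATE_INSTANCE):
        print(inst["name"], audit_ip_configuration(inst) or "no findings")
```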

