Reputation: 12213
Is there a way to restrict which Compute Engine instance can connect to my Cloud SQL instance? It looks like as long as the Compute Engine instance is connecting to my Cloud SQL instance using private IP, it goes through.
Is there a way to restrict it by saying only allow those Compute Engine instances to connect to my Cloud SQL instance that have the specified service account attached?
Upvotes: 1
Views: 3808
Reputation: 1
I implemented a similar strategy to Guillaume Blaquiere's answer above, but used tags instead of service accounts.
I have 4 Compute Engine resources and 3 Cloud SQL instances all in the same project, and my goal was to allow 1 specific server to access each of the 3 databases, and then the 4th server should be completely restricted from accessing the DBs. All my Compute Engine servers were previously created with the same service account, and I did not want to have to stop those resources to reassign service accounts.
I had previously assigned each Compute Engine server a unique tag (used for ingress traffic blocking), so I then set up the following rules:
Upvotes: 0
Reputation: 12213
Cloud SQL now supports IAM Conditions for MySQL, PostgreSQL, and SQL Server. You can use IAM Conditions to specify, in an IAM policy binding, the specific instances by name for which a user has permissions such as cloudsql.instances.connect, which authorizes the Cloud SQL Auth proxy. https://cloud.google.com/sql/docs/release-notes#August_21_2021
https://cloud.google.com/sql/docs/mysql/project-access-control#iam-conditions
Upvotes: 0
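The conditional binding described in the answer above, as an added example (not the answer's own commands and not taken from Google's docs): it grants the VM's service account roles/cloudsql.client, which carries cloudsql.instances.connect, only on one named instance. PROJECT, INSTANCE and APP_SA are placeholder values, and the resource-name format in the condition is an assumption to check against the linked docs. Note what this does and does not cover: an IAM condition gates the Cloud SQL API path (the Auth proxy, IAM database authentication, connectors); a VM that already knows a database password can still open a TCP connection straight to the private IP, so pair this with VPC firewall rules if that path is open.

```shell
#!/bin/sh
# Added example, not from the original answer or Google's docs. Grants a VM's
# service account roles/cloudsql.client (which carries cloudsql.instances.connect)
# on ONE named Cloud SQL instance via an IAM condition on resource.name.
# PROJECT, INSTANCE and APP_SA are placeholders (assumptions).
set -eu

PROJECT="${PROJECT:-my-project}"
INSTANCE="${INSTANCE:-prod-db}"
APP_SA="${APP_SA:-app-vm@my-project.iam.gserviceaccount.com}"

# DRY_RUN=1 (default) prints each gcloud command instead of executing it;
# run with DRY_RUN=0 to apply the binding for real.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Condition expression: the binding only applies when the resource being
# accessed is this instance. Cloud SQL resource names are assumed to have the
# form projects/PROJECT/instances/INSTANCE (verify against the docs linked above).
instance_condition() {
  printf 'resource.name == "projects/%s/instances/%s"' "$PROJECT" "$INSTANCE"
}

# Bind the role with the condition. Without --condition the same role would
# apply to every Cloud SQL instance in the project.
bind_client_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:${APP_SA}" \
    --role="roles/cloudsql.client" \
    --condition="expression=$(instance_condition),title=connect-${INSTANCE}-only"
}

# Check: list every binding the service account holds, with its condition.
show_bindings() {
  run gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${APP_SA}" \
    --format="table(bindings.role,bindings.condition.title,bindings.condition.expression)"
}

bind_client_role
show_bindings
```

Run it as-is to see the commands, then with DRY_RUN=0 to apply them. The member is the service account attached to the VM, so the grant follows the identity of the machine rather than a human user.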
Reputation: 75735
You can create a firewall rule based on the service account. Let's say that your port is 3306 (the MySQL standard port). You can do that:
That way you block everything by default and explicitly authorize only the VMs with the specified service account to reach your database IP.
Upvotes: 0
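The rule pair described in the answer above, and the tag-based variant from the earlier answer, as an added example (these are not the commands either poster ran). Because the Cloud SQL instance's private IP lives in a Google-managed peered VPC, the control has to be an egress rule on your own VPC: a default deny toward the database IP, then an allow at a higher priority that matches only VMs carrying a given service account (or tag). PROJECT, NETWORK, the private IP 10.20.0.5, APP_SA and DB_TAG are placeholder values (assumptions).

```shell
#!/bin/sh
# Added example, not from the original answers. Egress firewall rules on the VM
# side of the VPC: deny every VM's TCP/3306 traffic to the Cloud SQL private IP,
# then allow it only for VMs running as APP_SA (or, alternatively, tagged DB_TAG).
# PROJECT, NETWORK, SQL_PRIVATE_IP, APP_SA and DB_TAG are placeholders (assumptions).
set -eu

PROJECT="${PROJECT:-my-project}"
NETWORK="${NETWORK:-my-vpc}"
SQL_PRIVATE_IP="${SQL_PRIVATE_IP:-10.20.0.5}"   # private IP of the Cloud SQL instance
SQL_PORT="${SQL_PORT:-3306}"                    # 3306 MySQL, 5432 PostgreSQL, 1433 SQL Server
APP_SA="${APP_SA:-app-vm@my-project.iam.gserviceaccount.com}"
DB_TAG="${DB_TAG:-db-client}"

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands, 0 = execute them
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Rule 1: default deny for every VM in the VPC, overriding the implied
# allow-all egress rule (priority 65535).
deny_all_egress() {
  run gcloud compute firewall-rules create deny-cloudsql-egress \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=EGRESS --action=DENY --priority=1000 \
    --rules="tcp:${SQL_PORT}" \
    --destination-ranges="${SQL_PRIVATE_IP}/32"
}

# Rule 2: a lower priority number is evaluated first; only VMs whose attached
# service account is APP_SA match this allow.
allow_sa_egress() {
  run gcloud compute firewall-rules create allow-cloudsql-from-app-sa \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=EGRESS --action=ALLOW --priority=900 \
    --rules="tcp:${SQL_PORT}" \
    --destination-ranges="${SQL_PRIVATE_IP}/32" \
    --target-service-accounts="$APP_SA"
}

# Rule 2, tag variant: same shape, selecting VMs by network tag instead. One rule
# may use --target-service-accounts or --target-tags, never both. Tags are the
# weaker selector: compute.instances.setTags on a VM is enough to add the tag,
# whereas swapping a VM's service account needs the VM stopped plus
# compute.instances.setServiceAccount and iam.serviceAccountUser on the account.
allow_tag_egress() {
  run gcloud compute firewall-rules create allow-cloudsql-from-tag \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=EGRESS --action=ALLOW --priority=900 \
    --rules="tcp:${SQL_PORT}" \
    --destination-ranges="${SQL_PRIVATE_IP}/32" \
    --target-tags="$DB_TAG"
}

# Check: list the egress rules now in force on this network (default columns
# include priority, ALLOW and DENY so the ordering is visible).
show_egress_rules() {
  run gcloud compute firewall-rules list --project="$PROJECT" \
    --filter="network:${NETWORK} AND direction=EGRESS"
}

deny_all_egress
allow_sa_egress     # or allow_tag_egress for the tag-based variant
show_egress_rules
```

Verify from a VM that is not running as APP_SA that a TCP connect to the private IP on 3306 now times out, and from one that is that it still succeeds; the deny rule is scoped to the database's /32 and port only, so nothing else on the VMs changes.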
Reputation: 3768
Is there a way to restrict it by saying only allow those Compute Engine instances to connect to my Cloud SQL instance that have the specified service account attached?
There's already a feature request with the same concern as yours. You can star it in the public issue tracker to make sure you receive updates about it.
As an alternative, create a new VPC network for your Cloud SQL instance connection and Compute Engine instance. Or host your Cloud SQL instance and Compute Engine instance in a new Google Cloud project.
Upvotes: 1