SQL for MySQL

Configuring IAM

MySQL supports the following authentication methods:

Best practices

  • For the local MySQL default user, create a strong and complex password, and keep the password in a secured location.

  • For end users who need direct access to the managed database, the preferred method is to use Google Cloud IAM authentication.

Network access

Access to a managed MySQL database service is controlled via one of the following options:

  • Authorised networks: Allows you to configure which IP addresses (or CIDR ranges) are allowed to access your managed MySQL database.

  • Cloud SQL Auth proxy: A client installed alongside your application, which handles authentication to the Cloud SQL for MySQL database over a secure, encrypted tunnel.

Best practices

  • Managed databases must never be accessible from the internet or a publicly accessible subnet – always use private subnets to deploy your databases.

  • If possible, the preferred option is to use the Cloud SQL Auth proxy.

  • Configure authorised networks for your web or application servers to allow access to your Cloud SQL for MySQL instance.

  • If you need to manage the MySQL database service, use either a GCE VM instance to manage the MySQL database remotely, or Cloud VPN (which configures an IPsec tunnel to a VPN gateway device).

Stored data

To protect customers’ data, encrypt data both in transit and at rest.

Best practices

  • Enforce TLS 1.2 transport layer encryption on your database.

  • For sensitive environments, encrypt data at rest using customer-managed encryption keys (CMEKs) stored inside the Google Cloud KMS service.

  • When using CMEKs, create a dedicated service account, and grant permission to the customers to access the encryption keys inside Google Cloud KMS.

  • Enable auditing on all activities related to encryption keys.
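The IAM, network access and stored data best practices above all correspond to settings visible in an instance description. The following Python script is an added example (not part of the original text, and not Google's own tooling): it evaluates a constructed `gcloud sql instances describe --format=json` output against those best practices, then applies the recommended settings to a copy and re-checks it. The JSON field names follow the Cloud SQL Admin API as the author of this example understands it (`settings.ipConfiguration.ipv4Enabled`, `privateNetwork`, `requireSsl`/`sslMode`, `authorizedNetworks`, `diskEncryptionConfiguration.kmsKeyName`, and the `cloudsql_iam_authentication` database flag); the project, instance, network and key names are made up.

```python
import copy
import ipaddress
import json
from typing import Dict, List

# Constructed sample: a Cloud SQL for MySQL instance description in the JSON shape
# returned by `gcloud sql instances describe <instance> --format=json`. Only the fields
# the checks below look at are included; the names, project and key are made up.
SAMPLE_INSTANCE = json.loads("""
{
  "name": "orders-mysql-prod",
  "databaseVersion": "MYSQL_8_0",
  "diskEncryptionConfiguration": {
    "kmsKeyName": "projects/example-project/locations/europe-west1/keyRings/sql-kr/cryptoKeys/orders-cmek"
  },
  "settings": {
    "ipConfiguration": {
      "ipv4Enabled": true,
      "privateNetwork": "projects/example-project/global/networks/prod-vpc",
      "requireSsl": false,
      "authorizedNetworks": [
        {"name": "web-tier", "value": "198.51.100.0/24"},
        {"name": "temporary", "value": "0.0.0.0/0"}
      ]
    },
    "databaseFlags": [
      {"name": "cloudsql_iam_authentication", "value": "off"}
    ]
  }
}
""")


def check_instance(instance: Dict) -> List[str]:
    """Evaluate one instance description against the best practices; an empty list means compliant."""
    name = instance.get("name", "<unnamed>")
    settings = instance.get("settings", {})
    ip = settings.get("ipConfiguration", {})
    findings: List[str] = []

    # Network access: no public IPv4, attached to a private VPC, no world-open authorised networks.
    if ip.get("ipv4Enabled", False):
        findings.append(f"{name}: public IPv4 is enabled; use private IP with the Cloud SQL Auth proxy")
    if not ip.get("privateNetwork"):
        findings.append(f"{name}: not attached to a private VPC network")
    for net in ip.get("authorizedNetworks", []):
        cidr = net.get("value", "")
        try:
            prefixlen = ipaddress.ip_network(cidr, strict=False).prefixlen
        except ValueError:
            findings.append(f"{name}: authorised network {net.get('name')!r} has an unparsable value {cidr!r}")
            continue
        if prefixlen == 0:
            findings.append(f"{name}: authorised network {net.get('name')!r} allows {cidr} (the whole internet)")

    # Data in transit: the newer sslMode field wins when present, otherwise the legacy requireSsl flag.
    ssl_mode = ip.get("sslMode")
    if ssl_mode is not None:
        tls_enforced = ssl_mode in ("ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED")
    else:
        tls_enforced = bool(ip.get("requireSsl", False))
    if not tls_enforced:
        findings.append(f"{name}: TLS is not enforced for client connections")

    # Data at rest: a CMEK in Cloud KMS is referenced by diskEncryptionConfiguration.kmsKeyName.
    if not instance.get("diskEncryptionConfiguration", {}).get("kmsKeyName"):
        findings.append(f"{name}: no customer-managed encryption key (Google-managed key in use)")

    # IAM database authentication: requires the cloudsql_iam_authentication flag to be on.
    flags = {f.get("name"): f.get("value") for f in settings.get("databaseFlags", [])}
    if str(flags.get("cloudsql_iam_authentication", "off")).lower() != "on":
        findings.append(f"{name}: IAM database authentication is not enabled")
    return findings


def hardened(instance: Dict) -> Dict:
    """Return a copy of the description with the recommended settings applied (for comparison)."""
    fixed = copy.deepcopy(instance)
    ip = fixed.setdefault("settings", {}).setdefault("ipConfiguration", {})
    ip["ipv4Enabled"] = False          # private IP only; reach it via the Auth proxy or Cloud VPN
    ip["authorizedNetworks"] = []      # nothing to authorise once there is no public address
    ip["requireSsl"] = True
    ip["sslMode"] = "ENCRYPTED_ONLY"
    flags = [f for f in fixed["settings"].get("databaseFlags", [])
             if f.get("name") != "cloudsql_iam_authentication"]
    flags.append({"name": "cloudsql_iam_authentication", "value": "on"})
    fixed["settings"]["databaseFlags"] = flags
    return fixed


if __name__ == "__main__":
    for line in check_instance(SAMPLE_INSTANCE) or ["compliant"]:
        print(line)
    print("after hardening:", check_instance(hardened(SAMPLE_INSTANCE)) or "compliant")
```

Running the script against a real project means piping `gcloud sql instances describe` output into `check_instance`; the `hardened` copy is only there to show which fields change, not to apply them (that is done with `gcloud sql instances patch` or your infrastructure-as-code tooling). The sample instance fails four checks (public IP, a 0.0.0.0/0 authorised network, no TLS enforcement, IAM authentication off) and passes two (private VPC attached, CMEK configured).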

Conducting auditing and monitoring

As with any other managed service, GCP allows for logging and auditing using Google Cloud Audit Logs.
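To show what "auditing" means in practice for a Cloud SQL instance, here is an added Python example (not part of the original text, and not a Google product) that triages a handful of constructed Cloud Audit Logs entries: it raises an alert for Admin Activity calls that change the instance, its users or its CMEK key, and for instance updates it reports which network settings moved away from the best practices listed above. The entries use the Cloud Logging `LogEntry` layout with the audit record under `protoPayload` (`serviceName`, `methodName`, `authenticationInfo.principalEmail`, `request`); the principals, project, instance and key names are made up, and the exact shape of the update request body is an assumption of this example.

```python
import json
from typing import Dict, List

# Constructed sample: four Cloud Audit Logs entries (Admin Activity log) as exported from
# Cloud Logging, one JSON object per line. protoPayload carries the AuditLog fields
# (serviceName, methodName, authenticationInfo, request). Principals, project, instance and
# key names are made up, and the layout of the update request body is an assumption.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T09:00:12Z", "resource": {"type": "cloudsql_database", "labels": {"database_id": "example-project:orders-mysql-prod"}}, "protoPayload": {"serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.update", "authenticationInfo": {"principalEmail": "dba@example.com"}, "request": {"body": {"settings": {"ipConfiguration": {"ipv4Enabled": true, "requireSsl": false, "authorizedNetworks": [{"name": "temporary", "value": "0.0.0.0/0"}]}}}}}}
{"timestamp": "2024-05-01T09:05:40Z", "resource": {"type": "cloudsql_database", "labels": {"database_id": "example-project:orders-mysql-prod"}}, "protoPayload": {"serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.users.create", "authenticationInfo": {"principalEmail": "ci-deploy@example-project.iam.gserviceaccount.com"}, "request": {"body": {"name": "reporting", "host": "%"}}}}
{"timestamp": "2024-05-01T09:07:03Z", "resource": {"type": "cloudsql_database", "labels": {"database_id": "example-project:orders-mysql-prod"}}, "protoPayload": {"serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.get", "authenticationInfo": {"principalEmail": "dba@example.com"}}}
{"timestamp": "2024-05-01T09:30:00Z", "resource": {"type": "cloudkms_cryptokeyversion"}, "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "DestroyCryptoKeyVersion", "authenticationInfo": {"principalEmail": "dba@example.com"}, "resourceName": "projects/example-project/locations/europe-west1/keyRings/sql-kr/cryptoKeys/orders-cmek/cryptoKeyVersions/1"}}
"""

# Admin Activity methods worth a ticket on a production instance, with a short reason each.
SENSITIVE_SQL = {
    "cloudsql.instances.update": "instance settings changed",
    "cloudsql.instances.patch": "instance settings changed",
    "cloudsql.instances.delete": "instance deleted",
    "cloudsql.users.create": "database user created",
    "cloudsql.users.update": "database user changed",
    "cloudsql.sslCerts.delete": "client certificate removed",
}
SENSITIVE_KMS = {
    "DestroyCryptoKeyVersion": "CMEK key version destroyed",
    "SetIamPolicy": "CMEK key IAM policy changed",
    "UpdateCryptoKey": "CMEK key settings changed",
}


def weakening_changes(request: Dict) -> List[str]:
    """Describe network settings in an update/patch body that go against the best practices."""
    ipcfg = request.get("body", {}).get("settings", {}).get("ipConfiguration", {})
    reasons: List[str] = []
    if ipcfg.get("ipv4Enabled") is True:
        reasons.append("public IPv4 enabled")
    if ipcfg.get("requireSsl") is False:
        reasons.append("TLS enforcement disabled")
    for net in ipcfg.get("authorizedNetworks", []):
        if str(net.get("value", "")).endswith("/0"):
            reasons.append(f"authorised network opened to {net['value']}")
    return reasons


def triage(log_text: str) -> List[Dict]:
    """Turn raw log lines into alert records; entries that are only reads produce nothing."""
    alerts: List[Dict] = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        service, method = payload.get("serviceName", ""), payload.get("methodName", "")
        who = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        labels = entry.get("resource", {}).get("labels", {})
        target = labels.get("database_id") or payload.get("resourceName", "<unknown>")
        reasons: List[str] = []
        if service == "cloudsql.googleapis.com" and method in SENSITIVE_SQL:
            reasons.append(SENSITIVE_SQL[method])
            if method in ("cloudsql.instances.update", "cloudsql.instances.patch"):
                reasons.extend(weakening_changes(payload.get("request", {})))
        elif service == "cloudkms.googleapis.com" and method in SENSITIVE_KMS:
            reasons.append(SENSITIVE_KMS[method])
        if reasons:
            alerts.append({"time": entry.get("timestamp"), "who": who,
                           "target": target, "method": method, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert['time']} {alert['who']} {alert['method']} on {alert['target']}: "
              + "; ".join(alert["reasons"]))
```

Of the four sample entries, the read-only `cloudsql.instances.get` produces nothing, while the instance update, the user creation and the KMS key-version destruction each become an alert; the update alert additionally names the three settings it weakened. In a real deployment the same logic would sit behind a Cloud Logging sink or a log-based alerting policy rather than reading a file.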

Best practices