SQL Database instances should only allow ingress traffic from specific IP addresses

Description

A database server should accept connections only from trusted networks and IPs and restrict access from public IP addresses.

Rationale

To minimize attack surface on a database server instance, only trusted, known, and required IPs should be allowed to connect to it. An authorized network should not have IPs or networks configured to 0.0.0.0/0 which allows access to the instance from anywhere in the world. Authorized networks apply only to instances with public IPs.

Impact

The Cloud SQL database instance would not be available to public IP addresses.

Remediation

From the console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its Instance details page.
  3. Under the Configuration section click Edit configurations.
  4. Under Configuration options expand the Connectivity section.
  5. Click the delete icon for the authorized network 0.0.0.0/0.
  6. Click Save to update the instance.

From the command line

Update the authorized network list by removing addresses:

gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2...

Prevention

To prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a Restrict Authorized Networks on Cloud SQL instances Organization Policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks.

Default value

By default, authorized networks are not configured. Remote connection to Cloud SQL database instance is not possible unless authorized networks are configured.

References

  1. https://cloud.google.com/sql/docs/mysql/configure-ip
  2. https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks
  3. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
  4. https://cloud.google.com/sql/docs/mysql/connection-org-policy

Additional information

There is no IPv6 configuration found for Google cloud SQL server services.