Google Cloud Sql private ip with ssl only - google-cloud-sql

I want to connect from a Spring Boot app in GCP to Cloud SQL with private IP, and SSL only for public IP. I don't understand the "ssl only" flag: is it only for public connections, or for both public and private?

They're two different dimensions of security/connectivity.
Public IP means connecting from outside a VPC (https://cloud.google.com/vpc). So it could be an external application (not in Cloud), or maybe an application running in GCP but on a different network (VPC). Private IP means the application and the database share the VPC, or are peered between two VPCs (https://cloud.google.com/vpc/docs/vpc-peering). Basically, with one you're staying within Google's internet sphere, and the other you're probably touching public internet.
SSL is another layer on top of one or the other of those, where you're specifying the keys to allow a user to connect. So checking that "ssl only connections" box means you only want to allow connections to your DB instance which have the private key that matches the key you've registered.
Broadly speaking, our best practice is to use the Cloud SQL Proxy (https://cloud.google.com/sql/docs/mysql/sql-proxy) rather than set up your own SSL keys. The proxy also uses SSL keys to ensure secure connectivity as well, but it does it on demand, rather than static keys, which is more secure. The only time you really want to use your own SSL keys is if you have a specific certificate authority you want to trust and use so you have specific keys you need to use (or you just don't trust Google and want to keep track of your own SSL keys).

Related

Connect to DNS names through SSL and manually specify IP of the DNS record (Local DNS poisoning/Spoofing)

I'm currently working on a script that will test the health of an ADFS service. The ADFS service uses the same domain name (split brain DNS) for both intranet access, as well as for public DNS (for internet connections through the proxy servers). If I'm logged into an intranet device and I attempt to perform an SSL connection to the ADFS service, my device will use the intranet IP of the service. If I do the same from a device that is not in the intranet, I will connect to the public facing IP.
I want my script to test the health of both the internal and external service, but I haven't found a way to perform an SSL connection to a certain hostname/FQDN and use a specific IP depending on the test I'm trying to perform (intranet vs extranet). Connecting directly to the internal/external IP address is not an option, since the IP addresses are not part of the SSL cert subject alternative names.
One option I found is to create a PS Session to a remote host that has public DNS servers configured, and execute my extranet test through that PS Session, but ideally I would like to run both tests from one single server.
I'm trying to find an option that works in the context of my PowerShell session only, I don't want to change the DNS settings of the server or the global DNS cache since that will result in problems on the server, because it depends on that ADFS service for other services to work.
Any help will be appreciated
I could not find a way to achieve exactly what I asked, so instead, what I did was to deploy a small REST API in Azure which calls my ADFS service. When I call that REST API, ADFS receives the query from the Internet, allowing me to test the health of my ADFS service from the internet.
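One way to run both checks from a single PowerShell session without touching DNS, as an added example that is not part of the original posts: open the TCP connection to the chosen IP and let `SslStream` validate the certificate against the FQDN. The function name `Test-TlsAtIp`, the FQDN and the two addresses are hypothetical placeholders.

```powershell
# Added example. Test-TlsAtIp and the sample values below are hypothetical.
function Test-TlsAtIp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,   # FQDN the certificate must cover
        [Parameter(Mandatory)][string]$IpAddress,  # address to dial for this test
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        HostName = $HostName; IpAddress = $IpAddress; Port = $Port
        Healthy = $false; Protocol = $null; Subject = $null
        NotAfter = $null; Error = $null
    }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        # Dial the chosen IP directly: no DNS lookup, no change to the resolver cache.
        $ip = [System.Net.IPAddress]::Parse($IpAddress)
        if (-not $tcp.ConnectAsync($ip, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${IpAddress}:$Port timed out"
        }
        # $false: disposing the SslStream also closes the underlying stream.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        # The target host is sent as SNI and used by the default validation
        # (chain trust plus name match), so a certificate that does not
        # cover $HostName makes this call throw.
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Healthy  = $true
        $result.Protocol = $ssl.SslProtocol
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter
    }
    catch {
        # Unwrap PowerShell/Aggregate wrappers to the socket or TLS error.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
    [pscustomobject]$result
}

# Constructed sample values (placeholder FQDN, documentation address ranges).
$fqdn = 'adfs.example.com'
Test-TlsAtIp -HostName $fqdn -IpAddress '192.0.2.10'     # intranet address
Test-TlsAtIp -HostName $fqdn -IpAddress '198.51.100.20'  # public proxy address
```

This only proves TCP reachability and a valid TLS handshake for the name at each address; an HTTP request written to the same stream would be needed to check the ADFS endpoints themselves.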

Cloudsql access from ai-platform job

Google has nice ways to connect to Cloud SQL from other Google services, but I cannot see how to connect from ai-platform jobs. As part of our training job, we need to update our Cloud SQL DB with metrics, but the only way I could get it to work is by whitelisting all IPs (don't want that!) in Cloud SQL and connecting via the public IP. I don't see an option to add cloud-sql-proxy to the trainer instance. Since the IP of the trainer instance is dynamic, we cannot reliably add a specific IP address to the whitelist. Any other ways to handle this?
It looks like AI Platform supports VPC peering, so you should be able to connect to Cloud SQL using private IP.
Since Cloud SQL also uses VPC peering, you'll likely need to do the following to get the resources to connect:
- Create a VPC to share (or use the "default" VPC)
- Follow the steps here to set up VPC peering for AI Platform in your VPC.
- Follow the steps here to set up a private IP for your instance in your VPC.
Since the resources are technically in different networks, you may need to export custom routes (Step #2) to allow the AI platform access to your Cloud SQL instance.
Alternatively to using private IP, you could keep using public IP w/ an IP allowlist coupled with Authorizing with SSL/TLS certificates. This still isn't as secure as using the proxy or private IP (as users are technically able to connect to your instance), but they'll be unable to interact with the database engine without the correct certificates.
Can you publish a PubSub message from within your training job and have it trigger a cloud function that connects to the database? AI Platform training seems to have IAM restrictions that I too am curious how to control.

MongoDB connection security

I'm having some MongoDB connection security concerns for my env.
Here is my environment:
- one ECS hosted on cloud that has a public IP but no domain and no SSL certificate either.
- installed MongoDB service on this ECS that needs username/password to authenticate
- only specific IPs in the whitelist can access the ECS/MongoDB
I'm wondering if the data transfer between this MongoDB and my local PC is safe or not?
Will the data be encrypted during the transmission or just plain text so that everyone on the internet can catch and read it? (As I don't have HTTPS so it's not using TLS/SSL)
Can anyone explain the mechanism or give some doc links?
Thanks!
As you're not using SSL, your data on the fly is not encrypted. You need to use TLS/SSL to encrypt the network transmission. You must have the TLS/SSL certificates as PEM files, which are concatenated certificate containers.
In addition to encrypting connections, TLS/SSL allows for authentication using certificates, both for client authentication and for internal authentication of members of replica sets and sharded clusters.

SSL application load balancer on AWS WITHOUT a custom domain

Is it possible to give an application load balancer on AWS an SSL certificate, allowing only HTTPS connections, if I don't want to use a custom domain?
Currently developing some internal dashboard applications, so have no need/want for a domain name attached to them.
I can only dig up info and tutorials on creating a certificate in CloudFormation when wanting to add a domain forwarding to the LB.
The SSL certificate has to have a valid DNS name associated with it in order to work. You need to request a certificate via ACM and then attach that to the ELB. You can configure the ELB to only have an HTTPS listener to force secure communication.
Probably not.
It's not generally kosher to issue an SSL certificate to an IP address, and since all *.compute.amazonaws.com style DNS names are floating and could be reassigned at any moment, they damn well won't issue one for them either. (Same stands for Let's Encrypt, by the way: you have to have a DNS name not issued by a provider.)
Just give your internal service a DNS name, be it something like mydashboard.internal.mycompany.com or whatever; it'll be easier to access, too.

Akka remote actors filter connections by IP

I'm trying to add security to my remote actors. I've set untrusted-mode:
http://doc.akka.io/docs/akka/snapshot/scala/remoting.html
Is it possible to add IP filtering, to allow connections only from a specific server? For example, I have one master and 10 slaves, and I want to allow only my master (specific IP) to connect to my slaves.
In open source, everyone could just create a new instance of my master and connect to my real slaves. How can I make it secure?
Using IP filtering is not very secure as it's easy to fake an IP. Luckily Akka comes with secure transport support via SSL and secure cookie support.
A cookie is like an API key and will be required to establish the connection. SSL will guarantee eavesdropping is not possible to steal the secure cookie. See this doc for example.
I made a simple project that uses Akka remoting and SSL with secure cookie. Try it out here. Read how to setup SSL certificate storage and such here.