
Cloud SQL with public IP and whitelist - protection against spoofing

Hi - just wondering if anyone knows if GCP has some sort of ingress protection against IP packet spoofing.

I have a Cloud SQL instance with a public IP locked down to 2 IP addresses. But IP addresses can be spoofed. So wondering how secure this method is.

Looked at Cloud SQL Auth Proxy with a private IP but this looks quite complex - I would have to run a docker or VM in my GCP project that is running Cloud SQL Auth Proxy and also set up a VPC VPN tunnel between my home machine and my GCP project's internal network to this VM.

And this seems overkill for just needing occasional ad-hoc access to SQL Server from home to check things/run manual scripts (my app runs in AppEngine and uses the private IP already).

Any info would be most appreciated as to whether my public IP/whitelist is secure enough.

Thanks

3 REPLIES

Google Cloud SQL does provide a level of ingress protection, including the ability to whitelist specific IP addresses that are allowed to connect to your Cloud SQL instance. This is a common method used to restrict access to your database and can provide a good level of security.

In your case, you have already configured a whitelist of IP addresses that are allowed to connect to your Cloud SQL instance. You add an additional layer of security by using SQL Auth Proxy with a private IP. However, it can be a bit more complex to set up, especially if you're only needing occasional ad-hoc access.

In your case, the IP whitelisting should be sufficient for occasional ad-hoc access. However, you should always ensure that your database is secured with a strong password, and consider using SSL/TLS encryption for your connections.

Remember, security is about layers. The more layers of security you have, the harder it is for an attacker to gain access to your data. So while IP whitelisting is a good start, you should consider additional security measures based on the sensitivity of your data and your risk tolerance.

Thanks for your speedy reply ms4446

I have set up a strong password and SSL connection as well already.

So I guess I'm just being paranoid about the spoofing.

Cheers

No worries. It's always good to be cautious when it comes to security, especially when dealing with sensitive data. IP spoofing attacks over the internet are extremely rare due to the implementation of network ingress filtering by most internet routers.

Moreover, even if an attacker could spoof your IP address, they would still need to intercept the responses from the server to establish a TCP connection and interact with your database. This is very difficult to achieve without control over the network routing.

Given that you have a strong password and SSL connection in place, and you've restricted access to specific IP addresses, you've already implemented multiple layers of security. This should provide a robust defense against potential attacks.
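
An added example, not part of the thread: a small audit of the two settings the replies rely on (how narrow the allowlist is, and whether TLS is actually enforced), run over the JSON that `gcloud sql instances describe NAME --format=json` returns. The sample instance, its names and its addresses are constructed; the field names are those of the Cloud SQL Admin API `ipConfiguration` block, and `audit` and `max_hosts` are hypothetical names.

```python
import ipaddress
import json

# Constructed sample, trimmed to the fields used below.
# Addresses come from the reserved documentation ranges.
SAMPLE = json.loads("""
{
  "name": "example-instance",
  "settings": {
    "ipConfiguration": {
      "ipv4Enabled": true,
      "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED",
      "authorizedNetworks": [
        {"name": "home", "value": "203.0.113.10/32"},
        {"name": "office", "value": "198.51.100.0/24"},
        {"name": "temp", "value": "0.0.0.0/0"}
      ]
    }
  }
}
""")

# sslMode values under which the instance refuses plaintext connections.
ENCRYPTED_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def audit(instance, max_hosts=1):
    """Return findings for the public-IP allowlist and TLS enforcement."""
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    findings = []
    if not ipcfg.get("ipv4Enabled"):
        return findings  # no public IP, so the allowlist does not apply
    for entry in ipcfg.get("authorizedNetworks", []):
        net = ipaddress.ip_network(entry["value"], strict=False)
        if net.prefixlen == 0:
            findings.append(f"{entry['value']}: open to the whole internet")
        elif net.num_addresses > max_hosts:
            findings.append(f"{entry['value']}: allows {net.num_addresses} addresses")
    # The allowlist only filters source addresses; TLS is a separate setting.
    # requireSsl is the older boolean form of the same control.
    if ipcfg.get("sslMode") not in ENCRYPTED_MODES and not ipcfg.get("requireSsl"):
        findings.append("unencrypted connections are accepted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An instance set up as described in the thread (two single-address entries, encrypted connections only) produces no findings.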