I'm using Google Cloud Composer and just set up a new MySQL connection in order for Airflow to connect and query my external database hosted on a separate Ubuntu server. In order to get this working, I had to create a firewall rule on my database server that allows all connections on the port I specified in the Airflow connection.

In order to make things more secure I was hoping to specify an IP address in the firewall rule so that only Cloud Composer's IP address (or range) would be allowed to connect to the specified port.

Can anybody instruct me how to set this up? Do I need to assign a static IP address to the Cloud Composer setup, or is it already set up that way by default?

Are there any other recommended ways to make this setup secure? Currently the only "security" is that the MySQL username and password are unique and only used by this Cloud Composer connection. Should I be doing something with SSL or SSH instead? I'm a networking novice so any help is much appreciated.

flyingL123

1 Answer

Currently it is not possible to set static external IPs to the GKE nodes of a Composer environment.

SO question

It seems that for maintenance reasons VMs may be restarted, and that could be the root cause of why the IPs are changing within your environment; there is no way to be aware of that.

Feature Request

As a workaround you could use Cloud NAT. You can find more information about this in the Private IP Cloud Composer documentation.

Private IP Cloud Composer environment

marian.vladoi
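The Cloud NAT workaround from the answer, as an added example that is not part of the original answer: the script prints the gcloud commands that give a private IP Composer environment's network one reserved egress address, then the ufw commands that limit the database port to that address. The region, network, resource names, port 3306 and the use of ufw on the Ubuntu server are assumptions.

```shell
#!/bin/sh
# Added example: print (not run) the commands for the Cloud NAT workaround.
# Every name and value here is an assumed placeholder, not taken from the post.
REGION="us-central1"        # assumed Composer region
NETWORK="composer-vpc"      # assumed VPC of the private IP environment
ADDR_NAME="composer-nat-ip" # reserved static address used for egress
ROUTER="composer-router"
NAT_NAME="composer-nat"
DB_PORT="3306"              # assumed port from the Airflow MySQL connection

# Run in the Composer project: reserve an IP, then NAT all subnet egress via it.
gcp_plan() {
  cat <<EOF
gcloud compute addresses create $ADDR_NAME --region=$REGION
gcloud compute routers create $ROUTER --network=$NETWORK --region=$REGION
gcloud compute routers nats create $NAT_NAME --router=$ROUTER --region=$REGION --nat-external-ip-pool=$ADDR_NAME --nat-all-subnet-ip-ranges
gcloud compute addresses describe $ADDR_NAME --region=$REGION --format='value(address)'
EOF
}

# Accept one host IPv4 address only; a CIDR range, 0.0.0.0 or empty is rejected
# so the rule cannot silently stay as wide as the one it replaces.
is_host_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  [ "$1.$2.$3.$4" != "0.0.0.0" ]
}

# Run on the database server (ufw assumed): add the narrow rule first, then drop
# the broad one, assumed to have been created as "ufw allow $DB_PORT/tcp".
db_plan() {
  is_host_ipv4 "$1" || return 1
  cat <<EOF
ufw allow from $1 to any port $DB_PORT proto tcp
ufw delete allow $DB_PORT/tcp
EOF
}

gcp_plan
if [ -n "${1:-}" ]; then
  db_plan "$1" || echo "refusing '$1': not a single IPv4 address" >&2
fi
```

Pass the address returned by the last gcloud command as the first argument to get the ufw commands for the database server.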