3

I have a development database hosted on GCP that I'd like my team to have access to. Ideally, I'd like people to be able to use any SQL client they'd like but so far, only DBeaver works with the Postgres/SSL enabled configuration we have. Currently, we have people at their personal houses, so the IP addresses can and do change. We'd like to enable access from their development machines, but not the whole world. We started with whitelisting IP addresses (as returned by whatismyip.com), but that's not very robust. What's a better way?

Mark Rotteveel
Woodsman
  • Does this answer your question? [Connect to remote db with ssh tunneling in DBeaver](https://stackoverflow.com/questions/65481470/connect-to-remote-db-with-ssh-tunneling-in-dbeaver) – Martin Zeitler Jun 13 '22 at 20:50

2 Answers

3

I do not recommend whitelisting IP addresses. Use the Cloud SQL Auth Proxy.

About the Cloud SQL Auth proxy

You can then disable client SSL as the proxy will authenticate and encrypt all communications.

John Hanley
  • Not sure if one can configure a proxy as tunnel: https://github.com/GoogleCloudPlatform/cloudsql-proxy ...one would need to know the values to set in the GUI: https://dbeaver.com/docs/wiki/Proxy-configuration/#how-to-configure-a-proxy-for-external-databases-access probably `127.0.0.1:5432` or `tcp:5432`. `-enable_iam_login` works with Postgres only. – Martin Zeitler Jun 13 '22 at 21:03
  • @MartinZeitler - The proxy is its own tunnel. The SQL Auth Proxy is the official solution and is built into services such as App Engine and Cloud Run. – John Hanley Jun 13 '22 at 21:10
0

You might be able to do this with Identity Aware Proxy(IAP) - https://cloud.google.com/iap/docs/using-tcp-forwarding

Basically, create one VM to run the Cloud SQL Proxy:

```shell
cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:0.0.0.0:5432
```

Then grant your users the necessary IAM permissions to start an IAP tunnel to that VM, where they can run a command similar to the one below from their laptop:

```shell
gcloud compute start-iap-tunnel YOUR-VM-NAME --zone ZONE 5432 --local-host-port=localhost:5432
```

The users then connect to the DB on loopback, which is securely tunneled through IAP.

Reference - https://cloud.google.com/sdk/gcloud/reference/compute/start-iap-tunnel

Daniel t.
  • This would work except that IAP TCP Tunnels are rate limited. For a temporary low bandwidth solution, yes, but not for long-term deployment or for large data transfers. The official solution is the Cloud SQL Auth proxy installed at the client. – John Hanley Jun 13 '22 at 23:00
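The IAP route described in the answer above, as an added example that is not part of the original post or of any Google tooling: since the proxy VM binds 0.0.0.0:5432, the two pieces that actually keep it off the public internet are a firewall rule that admits only Google's documented IAP TCP-forwarding source range (35.235.240.0/20) and an IAM binding that lets only the team open tunnels to that VM. Project, zone, VM name, network tag and group are placeholders; set DRY_RUN=1 to print the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original answers. Placeholders below are assumptions.
PROJECT="${PROJECT:-my-project}"                   # placeholder project id
ZONE="${ZONE:-us-central1-a}"                      # placeholder zone
VM="${VM:-sqlproxy-vm}"                            # placeholder VM running cloud_sql_proxy
NETWORK="${NETWORK:-default}"                      # placeholder VPC network
GROUP="${GROUP:-group:dev-team@example.com}"       # placeholder IAM principal
IAP_RANGE="35.235.240.0/20"                        # Google's documented IAP TCP forwarding range

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Firewall: tcp/5432 on VMs tagged "sqlproxy" is reachable only from the IAP
#    range, so a changing home IP never needs to be whitelisted and the port is
#    not exposed to the whole internet. (Tag the proxy VM with "sqlproxy".)
allow_iap_only() {
  run gcloud compute firewall-rules create allow-iap-to-sqlproxy \
    --project "$PROJECT" --network "$NETWORK" --direction INGRESS \
    --source-ranges "$IAP_RANGE" --target-tags sqlproxy --allow tcp:5432
}

# 2. IAM: only this group may open IAP tunnels, and only to this one VM.
#    Access is tied to the person's Google identity, not to their address.
grant_tunnel_access() {
  run gcloud compute instances add-iam-policy-binding "$VM" \
    --project "$PROJECT" --zone "$ZONE" \
    --member "$GROUP" --role roles/iap.tunnelResourceAccessor
}

# 3. Client side: forward local 5432 through IAP to the VM's 5432, then point
#    any SQL client at localhost:5432.
client_tunnel() {
  run gcloud compute start-iap-tunnel "$VM" 5432 \
    --project "$PROJECT" --zone "$ZONE" --local-host-port=localhost:5432
}

case "${1:-}" in
  setup)  allow_iap_only && grant_tunnel_access ;;
  tunnel) client_tunnel ;;
esac
```

Run `sh iap-sqlproxy.sh setup` once as a project admin and `sh iap-sqlproxy.sh tunnel` on each developer's machine; remove the "allow all" rule on 5432 if one exists, or the firewall restriction buys nothing.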