How to Secure Cloud SQL Database Access

Cloud SQL databases often contain your most sensitive business data - customer records, financial transactions, and proprietary information. Properly securing database access is critical to preventing data breaches. A single misconfigured database can expose millions of records, as we've seen in numerous high-profile incidents.

This guide covers the essential security controls for Cloud SQL: network isolation, authorized networks, private IP connectivity, IAM authentication, and encryption requirements. For broader cloud security practices, see our comprehensive 30 Cloud Security Tips for 2026 guide.

Prerequisites

• An existing Cloud SQL instance (MySQL, PostgreSQL, or SQL Server)
• Cloud SQL Admin role or equivalent permissions
• A VPC network configured (for private IP setup)
• Basic familiarity with database administration

Step 1: Configure Authorized Networks (Public IP)

If your Cloud SQL instance uses public IP, restrict access to specific IP addresses:

Via Google Cloud Console

1. Navigate to SQL in the Cloud Console
2. Click on your instance name
3. Select Connections from the left menu
4. Under Authorized networks, click Add Network
5. Enter a name and the IP address or CIDR range (e.g., 203.0.113.0/24)
6. Click Save

Via gcloud CLI

# Add an authorized network
gcloud sql instances patch INSTANCE_NAME \
    --authorized-networks=203.0.113.0/24,198.51.100.50/32

# View current authorized networks
gcloud sql instances describe INSTANCE_NAME \
    --format="value(settings.ipConfiguration.authorizedNetworks)"

**Security Warning:** Never add 0.0.0.0/0 to authorized networks - this allows access from any IP address on the internet. Even with strong passwords, this exposes your database to brute-force attacks and vulnerability exploits.

Step 2: Enable Private IP Connectivity

Private IP keeps database traffic within your VPC, never exposing it to the public internet:

Configure Private Service Access

1. Go to VPC Network > VPC networks in the Console

2. Click on your VPC network

3. Select Private service connection tab

4. Under "Allocated IP ranges for services," click Allocate IP range

5. Configure:

6. Name: google-managed-services-range

7. IP range: Automatic or specify a /16 or /24 range

8. Click Allocate

9. Under "Private connections to services," click Create connection

10. Select the allocated range and click Connect

Enable Private IP on Cloud SQL Instance

1. Navigate to your Cloud SQL instance
2. Click Edit
3. Expand Connections
4. Under "Private IP," click Enable private IP
5. Select the VPC network with private service access configured
6. Optionally, uncheck Public IP to disable public access entirely
7. Click Save

# Via gcloud CLI
gcloud sql instances patch INSTANCE_NAME \
    --network=projects/PROJECT_ID/global/networks/VPC_NAME \
    --no-assign-ip  # Disable public IP

Step 3: Enable IAM Database Authentication

IAM authentication allows users to connect using their Google Cloud credentials:

Enable IAM Authentication on Instance

1. Navigate to your Cloud SQL instance
2. Click Edit
3. Expand Flags
4. For PostgreSQL, add flag: cloudsql.iam_authentication = on
5. For MySQL, this is enabled by default (no flag needed)
6. Click Save

Create IAM Database Users

For PostgreSQL

1. Navigate to SQL > [Instance] > Users
2. Click Add User Account
3. Select Cloud IAM
4. Enter the IAM principal (user email or service account)
5. Click Add

Then grant database permissions via SQL:

-- Connect as postgres admin user
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO "[email protected]";

For MySQL

-- Create IAM user (email must match exactly)
CREATE USER '[email protected]' IDENTIFIED WITH 'mysql_native_password' BY 'IAM';

-- Grant permissions
GRANT SELECT, INSERT, UPDATE ON database_name.* TO '[email protected]';

Grant Cloud SQL IAM Roles

Users need the Cloud SQL Instance User role to authenticate:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:[email protected]" \
    --role="roles/cloudsql.instanceUser"

Step 4: Enforce SSL/TLS Encryption

Require encrypted connections to protect data in transit:

Enable SSL Requirement

1. Navigate to your Cloud SQL instance
2. Select Connections
3. Under Security, click Allow only SSL connections
4. Click Save

# Via gcloud CLI
gcloud sql instances patch INSTANCE_NAME --require-ssl

Download Server CA Certificate

1. In the instance's Connections page, scroll to Manage SSL Mode
2. Click Create Client Certificate if mutual TLS is needed
3. Download the Server CA certificate, client certificate, and client key

Configure Client Connection

Example connection string with SSL (PostgreSQL):

psql "host=INSTANCE_IP dbname=DATABASE user=USER sslmode=verify-ca sslrootcert=server-ca.pem"

Example connection string with SSL (MySQL):

mysql -h INSTANCE_IP -u USER -p \
    --ssl-ca=server-ca.pem \
    --ssl-cert=client-cert.pem \
    --ssl-key=client-key.pem

Step 5: Configure VPC Service Controls (Advanced)

For defense-in-depth, add Cloud SQL to a VPC Service Controls perimeter:

1. Navigate to Security > VPC Service Controls
2. Create or edit a service perimeter
3. Add the project containing your Cloud SQL instance
4. Under "Restricted Services," add sqladmin.googleapis.com
5. Configure access levels for authorized networks/identities
6. Save the perimeter

VPC Service Controls prevent:

• Data exfiltration to unauthorized projects
• Access from outside the perimeter
• Lateral movement between isolated environments

Step 6: Enable Audit Logging

Track all database access and administrative actions:

1. Go to IAM & Admin > Audit Logs

2. Find Cloud SQL Admin API

3. Enable all log types:

4. Admin Read

5. Data Read

6. Data Write

7. Click Save

For database-level query logging:

PostgreSQL

# Add database flag
log_statement = all  # or 'ddl' for schema changes only
log_min_duration_statement = 0  # Log all queries with duration

MySQL

# Enable general log or slow query log
general_log = on  # Warning: high overhead in production

Step 7: Implement Backup and Recovery

Ensure you can recover from security incidents:

1. Navigate to your Cloud SQL instance

2. Select Backups

3. Click Create Backup for immediate backup

4. Under Automated backups, configure:

5. Backup window (low-traffic period)

6. Retention (default 7 days, increase for compliance)

7. Point-in-time recovery (enables transaction log backups)

# Enable automated backups and PITR
gcloud sql instances patch INSTANCE_NAME \
    --backup-start-time=02:00 \
    --enable-point-in-time-recovery \
    --retained-backups-count=30

Security Best Practices Summary

• Use private IP exclusively when possible - disable public IP entirely
• Never whitelist 0.0.0.0/0 in authorized networks
• Enable IAM authentication for human users and administrative access
• Require SSL/TLS for all connections
• Use service accounts with minimal permissions for application connections
• Rotate credentials regularly - automate rotation with Secret Manager
• Enable audit logging and export to long-term storage
• Configure VPC Service Controls for sensitive environments
• Test backup recovery quarterly

Related Resources

• 30 Cloud Security Tips for 2026 - Comprehensive cloud security guide
• GCP Secret Manager Tutorial - Secure credential management
• Cloud SQL SSL/TLS Configuration
• Cloud SQL IAM Authentication

Need help securing your Cloud SQL databases or implementing a comprehensive database security strategy? Contact InventiveHQ for expert guidance on cloud database security and compliance.