
Allow SSL/TLS Connections Only

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that all incoming connections to your Cloud SQL database instances are encrypted with SSL/TLS in order to protect against eavesdropping and unauthorized access. To enable requiring SSL/TLS, ensure that the SSL enforcement mode is set to "ENCRYPTED_ONLY" for all your SQL database instances.

Security

When Cloud SQL database connections are intercepted by Man-in-the-Middle (MITM) attacks (also known as hijack attacks), the compromised connection can expose sensitive data such as user credentials, database queries, and query results. To ensure your data is encrypted in transit, it is strongly recommended to require SSL/TLS for all incoming connections to your Cloud SQL database instances, especially if your instances are using public IPs.


Audit

To determine if your Cloud SQL database instances require all incoming connections to use SSL/TLS, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL console available at https://console.cloud.google.com/sql/instances.

04 Click on the name (link) of the database instance that you want to examine.

05 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

06 Select the SUMMARY tab and check the Allow only SSL connections feature status, listed under SSL / TLS encryption. If the feature status is set to Disabled, the selected Cloud SQL database instance is not configured to require SSL/TLS for all incoming connections.

07 Repeat steps no. 4 – 6 for each Cloud SQL database instance available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-ms-web-project-123123
cc-mobile-project-123123

03 Run sql instances list command (Windows/macOS/Linux) to describe the name of each Cloud SQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list \
  --project cc-ms-web-project-123123 \
  --format="(NAME)"

04 The command output should return the requested database instance name(s):

NAME
cc-mysql-server-instance
cc-app-sql-server-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to examine as the identifier parameter and custom query filters to describe the SSL/TLS enforcement mode configured for the selected database instance:

gcloud sql instances describe cc-mysql-server-instance \
  --format="value(settings.ipConfiguration.sslMode)"

06 The command output should return the requested SSL/TLS configuration information:

ALLOW_UNENCRYPTED_AND_ENCRYPTED

If the sql instances describe command output does not return ENCRYPTED_ONLY for the SSL enforcement mode, the selected Cloud SQL database instance is not configured to require SSL/TLS for all incoming connections.

07 Repeat steps no. 5 and 6 for each Cloud SQL database instance available in the selected project.

08 Repeat steps no. 3 – 7 for each project deployed within your Google Cloud account.
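The CLI audit above (steps 3 to 8) can be scripted so that every instance in every project is checked in one run. The following is an added example, not Conformity's or Google's own code; it assumes an authenticated gcloud with read access to the Cloud SQL Admin API in each project, and the project IDs shown in the usage comment are the constructed examples used on this page.

```shell
#!/bin/sh
# Added example: audit every Cloud SQL instance in the given projects and flag
# those whose sslMode is not ENCRYPTED_ONLY (Audit steps 3-8 above).
# Assumes an authenticated gcloud with permission to describe instances.

# Pure decision logic, kept separate so it can be tested without gcloud.
# Returns 0 (compliant) only for the value this check requires.
ssl_mode_is_compliant() {
  [ "$1" = "ENCRYPTED_ONLY" ]
}

# Describe one instance and print a tab-separated verdict line.
# An empty sslMode (field absent in the describe output) is reported as
# NON_COMPLIANT rather than silently skipped.
check_instance() {
  project=$1
  instance=$2
  mode=$(gcloud sql instances describe "$instance" --project "$project" \
           --format="value(settings.ipConfiguration.sslMode)")
  if ssl_mode_is_compliant "$mode"; then
    printf '%s\t%s\tCOMPLIANT\t%s\n' "$project" "$instance" "$mode"
  else
    printf '%s\t%s\tNON_COMPLIANT\t%s\n' "$project" "$instance" "${mode:-<unset>}"
  fi
}

# Loop over every instance in each project named on the command line.
# Exit status is 1 if any instance is non-compliant, so the script can gate
# a pipeline or a scheduled compliance job.
audit_projects() {
  rc=0
  for project in "$@"; do
    for instance in $(gcloud sql instances list --project "$project" \
                        --format="value(name)"); do
      line=$(check_instance "$project" "$instance")
      printf '%s\n' "$line"
      case $line in *NON_COMPLIANT*) rc=1 ;; esac
    done
  done
  return $rc
}

# Usage (constructed project IDs from this page):
#   sh audit_cloudsql_ssl.sh cc-ms-web-project-123123 cc-mobile-project-123123
if [ $# -gt 0 ]; then
  audit_projects "$@"
fi
```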

Remediation / Resolution

To configure your Cloud SQL database instances to enforce SSL/TLS for all incoming connections, you must set the SSL enforcement mode to "ENCRYPTED_ONLY". To update the SSL enforcement configuration for your existing SQL database instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL console available at https://console.cloud.google.com/sql/instances.

04 Click on the name (link) of the database instance that you want to configure.

05 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

06 Select the SECURITY tab and choose Allow only SSL connections for SSL mode, under Manage SSL mode.

07 In the Allow only SSL connections? confirmation box, choose SAVE & RESTART to enforce encryption and require SSL/TLS for all incoming connections. Only connections encrypted with SSL/TLS will be allowed to connect to your instance. IMPORTANT: Enabling SSL/TLS-only connections requires the instance to be restarted. Ensure you make the necessary preparations for sensitive workloads.

08 (Optional) If your SQL database instance is using a public IP address, you need to add the IP addresses of your database clients as authorized networks. Select the NETWORKING tab and perform the following operations in the Authorized networks section:

  1. Choose ADD A NETWORK to configure a new authorized network for the selected instance. On the New network setup panel, in the Network box, enter the IP address or IP address range you want to allow connections from. The authorized IP address/IP range must use the CIDR format (e.g. 10.50.51.3/32 or 10.50.51.0/24). Optionally, enter a name for the new entry in the Name box. Choose DONE to close the configuration panel.
  2. Choose SAVE to apply the changes.

09 Repeat steps no. 4 – 8 for each Cloud SQL database instance that you want to configure, available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) with the name of the Cloud SQL database instance that you want to configure as the identifier parameter, to enforce encryption and require SSL/TLS for all incoming database connections by setting the --ssl-mode parameter to ENCRYPTED_ONLY. IMPORTANT: Enabling SSL/TLS-only connections requires the instance to be restarted:

gcloud sql instances patch cc-mysql-server-instance \
  --ssl-mode=ENCRYPTED_ONLY

02 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-mysql-server-instance", "project": "cc-ms-web-project-123123", "settings": {"ipConfiguration": {"sslMode": "ENCRYPTED_ONLY"}}}

Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-ms-web-project-123123/instances/cc-mysql-server-instance].

03 (Optional) If your database instance is using a public IP address, you need to add the IP addresses of your database clients as authorized networks. To configure authorized networks, run sql instances patch command (Windows/macOS/Linux) using the trusted IP address/IP address range you want to allow connections from, as value of the --authorized-networks configuration parameter (CIDR format). IMPORTANT: When adding new IP addresses/ranges to the authorized networks, make sure to also include any IP addresses/ranges that have been already authorized, otherwise, the existing ones will be overwritten and de-authorized:

gcloud sql instances patch cc-mysql-server-instance \
  --authorized-networks="xxx.xxx.xxx.xxx/xx"

04 Type Y and press Enter to confirm the instance configuration change:

The following message will be used for the patch API method.
When adding a new IP address to authorized networks, make sure to also include any IP addresses that have already been authorized. Otherwise, they will be overwritten and de-authorized.
Do you want to continue (Y/n)? Y

05 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-mysql-server-instance", "project": "cc-ms-web-project-123123", "settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "xxx.xxx.xxx.xxx/xx"}]}}}

Patching Cloud SQL instance...done.

Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-ms-web-project-123123/instances/cc-mysql-server-instance].

06 Repeat steps no. 1 – 5 for each Cloud SQL database instance that you want to configure, available in the selected project.

07 Repeat steps no. 1 – 6 for each project deployed within your Google Cloud account.

Publication date May 2, 2024