
Enable SSL/TLS for Cloud SQL Incoming Connections

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudSQL-004

Enforce all incoming connections to your Cloud SQL database instances to use SSL/TLS only. If the SSL/TLS protocol is not enforced for all Cloud SQL connections, clients without a valid certificate are allowed to connect to the database.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

When Cloud SQL database connections are subjected to Man-in-the-Middle (MITM) attacks (also known as hijack attacks), the intercepted traffic can reveal sensitive data such as user credentials, database queries and query results. To ensure that your data is encrypted in transit, it is strongly recommended that you enforce the SSL/TLS protocol for all incoming connections to your Cloud SQL database instances, especially for instances that are reachable over public IP addresses.


Audit

To determine if your Cloud SQL database instances require all incoming connections to use SSL/TLS, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name (ID) of the database instance that you want to examine.

05 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

06 In the SECURITY section, under Manage SSL Mode, check the configuration status of the SSL Connections feature. If the feature status is set to "Allow unencrypted network traffic.", the selected Cloud SQL database instance is not configured to require all incoming connections to use SSL/TLS.

07 Repeat step no. 4 – 6 to check the feature status for other Cloud SQL instances available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-ms-web-project-123123
cc-mobile-project-123123

03 Run sql instances list command (Windows/macOS/Linux) to describe the name of each Cloud SQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list \
    --project cc-ms-web-project-123123 \
    --format="table(name)"

04 The command output should return the requested database instance name(s):

NAME
cc-web-sql-server-instance
cc-app-sql-server-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to examine as identifier parameter and custom query filters to describe the SSL Connections feature configuration status set for the selected database instance:

gcloud sql instances describe cc-web-sql-server-instance \
    --format="table(settings.ipConfiguration.sslMode)"

06 The command output should return the SSL mode currently configured for the selected instance:

SSL_MODE
ALLOW_UNENCRYPTED_AND_ENCRYPTED

If the sql instances describe command output returns ALLOW_UNENCRYPTED_AND_ENCRYPTED for the SSL_MODE configuration attribute, the selected Cloud SQL database instance is not configured to enforce the SSL/TLS protocol for all the incoming connections.

07 Repeat step no. 5 and 6 to check the SSL Connections feature status for other Cloud SQL instances created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.
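The audit loop above, as an added shell example (not part of the Conformity page): it walks every project and Cloud SQL instance with the gcloud commands from this section and flags any instance whose sslMode still allows unencrypted traffic. It assumes gcloud is installed and authenticated; ENCRYPTED_ONLY is the mode the Remediation section sets, and the stricter TRUSTED_CLIENT_CERTIFICATE_REQUIRED mode (not mentioned on this page) is also treated as compliant because it refuses plaintext connections too.

```shell
#!/bin/sh
# Added example, not from the Conformity page. Scans all projects for
# Cloud SQL instances that do not enforce SSL/TLS. Assumes gcloud is
# installed and authenticated.

# Return 0 when the SSL mode enforces encryption, 1 when it does not.
# An empty value is treated as non-compliant so it gets a human look.
ssl_mode_is_compliant() {
    case "$1" in
        ENCRYPTED_ONLY|TRUSTED_CLIENT_CERTIFICATE_REQUIRED) return 0 ;;
        *) return 1 ;;
    esac
}

# Describe one instance (same call as Audit step 05) and report it when
# it fails the check. Returns 1 for a non-compliant instance.
audit_instance() {
    project="$1"; instance="$2"
    mode=$(gcloud sql instances describe "$instance" \
        --project "$project" \
        --format="value(settings.ipConfiguration.sslMode)")
    if ssl_mode_is_compliant "$mode"; then
        return 0
    fi
    echo "NON-COMPLIANT $project/$instance sslMode=${mode:-<unset>}"
    return 1
}

# Audit steps 01-08: every instance in every project. Exits non-zero
# when at least one instance still accepts unencrypted connections.
scan_all_projects() {
    failures=0
    for project in $(gcloud projects list --format="value(projectId)"); do
        for instance in $(gcloud sql instances list \
                --project "$project" --format="value(name)"); do
            audit_instance "$project" "$instance" || failures=$((failures + 1))
        done
    done
    echo "non-compliant instances: $failures"
    [ "$failures" -eq 0 ]
}

# Only talk to gcloud when invoked with --scan, so the helper functions
# can be sourced and checked without cloud access.
if [ "${1:-}" = "--scan" ]; then
    scan_all_projects
fi
```

Run it as `sh audit_cloudsql_ssl.sh --scan`; a non-zero exit status makes it usable as a gate in a scheduled compliance job.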

Remediation / Resolution

To configure your Cloud SQL database instances to enforce SSL/TLS for all incoming connections, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name/ID of the database instance that you want to reconfigure.

05 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

06 In the SECURITY section, under Manage SSL mode, click Allow only SSL connections to allow only secured connections to connect to the selected Cloud SQL database instance. Cloud SQL service creates an SSL server certificate automatically when you create your Cloud SQL database instance. As long as the server certificate is valid, you don't have to actively manage this certificate.
Note: Enabling SSL-only connections requires the instance to be restarted. Ensure you make the necessary preparations for sensitive workloads.

07 Once the SSL/TLS protocol is enforced for all incoming connections, if the selected database instance is using a public IP address, you need to add the IP addresses of your Cloud SQL client(s) as authorized network(s) by performing the following operations:

  1. In the Connections section, under NETWORKING, click Add network button to configure a new authorized network for the selected instance.
  2. On the New network panel, in the Network box, enter the IP address or IP address range you want to allow connections from. The authorized IP address/IP range must use the CIDR format (e.g. 10.50.51.3/32 or 10.50.51.0/24). Optionally, enter a name for the new entry in the Name box. Click Done to close the configuration panel. If necessary, repeat this step to configure new authorized networks.
  3. Click Save to apply the changes.

08 Repeat step no. 4 – 7 to enforce SSL/TLS connections for other Cloud SQL database instances available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to enforce SSL/TLS for all the incoming requests made to the selected database instance:

gcloud sql instances patch cc-web-sql-server-instance \
    --ssl-mode="ENCRYPTED_ONLY"

02 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-web-sql-server-instance", "project": "cc-ms-web-project-123123", "settings": {"ipConfiguration": {"sslMode": "ENCRYPTED_ONLY"}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-ms-web-project-123123/instances/cc-web-sql-server-instance].

03 If the reconfigured database instance is using a public IP address, you need to add the IP addresses of your Cloud SQL client(s) as authorized network(s). To configure authorized networks, run sql instances patch command (Windows/macOS/Linux) using the trusted IP address/IP address range you want to allow connections from, as value of the --authorized-networks configuration parameter (CIDR format). IMPORTANT: When adding new IP addresses/ranges to the authorized networks, make sure to also include any IP addresses/ranges that have been already authorized, otherwise, the existing ones will be overwritten and de-authorized:

gcloud sql instances patch cc-web-sql-server-instance \
    --authorized-networks="xxx.xxx.xxx.xxx/24"

04 Type Y to confirm the instance configuration change:

The following message will be used for the patch API method.
When adding a new IP address to authorized networks, make sure to also include any IP addresses that have already been authorized. Otherwise, they will be overwritten and de-authorized.
Do you want to continue (Y/n)? Y

05 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-web-sql-server-instance", "project": "cc-ms-web-project-123123", "settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "xxx.xxx.xxx.xxx/24"}]}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-ms-web-project-123123/instances/cc-web-sql-server-instance].

06 Repeat step no. 1 – 5 to enforce SSL/TLS connections for other Cloud SQL database instances provisioned for the selected project.

07 Repeat steps no. 1 – 6 for each project created within your Google Cloud account.
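The remediation steps above, as an added shell example (not part of the Conformity page): it enforces ENCRYPTED_ONLY on one instance and then adds a client CIDR to the authorized networks while re-submitting the entries already present, so the overwrite warned about in step 03 cannot drop them. It assumes gcloud is installed and authenticated, uses the page's example project and instance names, and relies on gcloud's value() format separating repeated fields with ';'; the 203.0.113.0/24 range in the test is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the Conformity page. Enforces SSL/TLS on one
# Cloud SQL instance and appends a client CIDR to its authorized networks
# without de-authorizing the existing ones. Assumes gcloud is installed
# and authenticated.

# Merge the instance's existing ';'-separated list (the separator gcloud's
# value() format uses for repeated fields) with one new CIDR into the
# ','-separated form --authorized-networks expects; drops blanks and duplicates.
merge_networks() {
    existing="$1"; new_cidr="$2"
    printf '%s;%s\n' "$existing" "$new_cidr" | awk -F';' '{
        for (i = 1; i <= NF; i++)
            if ($i != "" && !seen[$i]++) out = out (out == "" ? "" : ",") $i
    } END { print out }'
}

# Read the networks currently authorized on the instance.
current_networks() {
    gcloud sql instances describe "$2" --project "$1" \
        --format="value(settings.ipConfiguration.authorizedNetworks[].value)"
}

enforce_ssl_and_authorize() {
    project="$1"; instance="$2"; client_cidr="$3"
    # Remediation step 01: require SSL/TLS for every incoming connection.
    # This restarts the instance, as the console note above says.
    gcloud sql instances patch "$instance" --project "$project" \
        --ssl-mode="ENCRYPTED_ONLY" --quiet
    # Remediation step 03: patch the full list so existing entries survive.
    merged=$(merge_networks "$(current_networks "$project" "$instance")" "$client_cidr")
    gcloud sql instances patch "$instance" --project "$project" \
        --authorized-networks="$merged" --quiet
}

# Only call gcloud when invoked with --apply; merge_networks is pure shell.
if [ "${1:-}" = "--apply" ]; then
    enforce_ssl_and_authorize cc-ms-web-project-123123 \
        cc-web-sql-server-instance "${2:?client CIDR required}"
fi
```

Invoke it as `sh remediate_cloudsql_ssl.sh --apply 10.50.51.0/24`; `--quiet` answers the confirmation prompt shown in step 04 automatically.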

Publication date Apr 12, 2021