Google Cloud | Intermediate

How to Secure Cloud SQL Database Access

Step-by-step guide to securing Google Cloud SQL database access. Learn to configure authorized networks, set up private IP connectivity, enable IAM database authentication, and implement defense-in-depth for your databases.

10 min read | Updated 2026-01-13

Cloud SQL databases often contain your most sensitive business data - customer records, financial transactions, and proprietary information. Properly securing database access is critical to preventing data breaches. A single misconfigured database can expose millions of records, as we've seen in numerous high-profile incidents.

This guide covers the essential security controls for Cloud SQL: network isolation, authorized networks, private IP connectivity, IAM authentication, and encryption requirements. For broader cloud security practices, see our comprehensive 30 Cloud Security Tips for 2026 guide.

Prerequisites

  • An existing Cloud SQL instance (MySQL, PostgreSQL, or SQL Server)
  • Cloud SQL Admin role or equivalent permissions
  • A VPC network configured (for private IP setup)
  • Basic familiarity with database administration

Step 1: Configure Authorized Networks (Public IP)

If your Cloud SQL instance uses public IP, restrict access to specific IP addresses:

Via Google Cloud Console

    1. Navigate to [SQL](https://console.cloud.google.com/sql) in the Cloud Console
    2. Click on your instance name
    3. Select **Connections** from the left menu
    4. Under **Authorized networks**, click **Add Network**
    5. Enter a name and the IP address or CIDR range (e.g., 203.0.113.0/24)
    6. Click **Save**

Via gcloud CLI

# Set the authorized networks. This flag REPLACES the whole list, so pass every
# range you still want to allow, not only the new one.
gcloud sql instances patch INSTANCE_NAME \
    --authorized-networks=203.0.113.0/24,198.51.100.50/32

# View current authorized networks
gcloud sql instances describe INSTANCE_NAME \
    --format="value(settings.ipConfiguration.authorizedNetworks)"

**Security Warning:** Never add 0.0.0.0/0 to authorized networks - this allows access from any IP address on the internet. Even with strong passwords, this exposes your database to credential brute-forcing and to any exploitable bug in the database engine. Authorized networks only govern the instance's public IP address; connections made through the Cloud SQL Auth Proxy or the language connectors are authorized by IAM instead and need no entry in the list, so for most workloads the list can stay empty.
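Because `--authorized-networks` overwrites the list, the safe workflow is read, merge, validate, write back. The following helper, added here as an example and not part of the original article, does the merge and validation offline with Python's `ipaddress` module and renders the write-back command as a string; it never calls gcloud, and the "current" list it starts from is constructed. The /24 and /64 width limits and the non-routable range list are policy choices for the example, not Cloud SQL limits.

```python
"""Authorized-network hygiene for a public-IP Cloud SQL instance.

`gcloud sql instances patch --authorized-networks` replaces the whole list,
so the safe workflow is read -> merge -> validate -> write back. This example
(not from the original article) does the merge and validation offline and
only renders the gcloud command as a string; it never calls gcloud.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Policy choices for this example, not Cloud SQL limits: reject anything wider
# than a /24 (IPv4) or /64 (IPv6), and reject ranges that cannot be a real
# source address on the public internet.
MIN_PREFIX = {4: 24, 6: 64}
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
)]


def parse_network(entry: str):
    """Accept '203.0.113.7' or '203.0.113.0/24'; bare addresses become /32 (/128)."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def rejection_reason(net) -> Optional[str]:
    """Why `net` must not be an authorized network, or None if it is acceptable."""
    if net.prefixlen == 0:
        return "matches every address on the internet"
    if net.version == 4 and any(net.subnet_of(r) for r in NON_ROUTABLE):
        return "private, loopback or link-local range; meaningless for a public IP"
    if net.prefixlen < MIN_PREFIX[net.version]:
        return f"wider than /{MIN_PREFIX[net.version]}; list the NAT egress addresses you actually use"
    return None


def merge_authorized_networks(current: Iterable[str], add: Iterable[str] = (),
                              remove: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (networks, problems).

    `networks` is the complete, de-duplicated list to pass to
    --authorized-networks; `problems` explains every entry that was dropped.
    Existing entries are re-validated too, so a stale 0.0.0.0/0 left behind by
    an earlier "temporary" change is cleaned up on the next write.
    """
    drop = {str(parse_network(e)) for e in remove}
    kept = {}
    problems = []
    for entry in list(current) + list(add):
        net = parse_network(entry)
        if str(net) in drop:
            continue
        reason = rejection_reason(net)
        if reason:
            problems.append(f"{entry}: {reason}")
        else:
            kept[str(net)] = net
    ordered = sorted(kept.values(),
                     key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered], problems


def gcloud_patch_command(instance: str, networks: List[str]) -> str:
    """Render the write-back command. An empty list is a valid end state (and the
    right one for a private-IP-only instance): clear the list entirely."""
    if not networks:
        return f"gcloud sql instances patch {instance} --clear-authorized-networks"
    return f"gcloud sql instances patch {instance} --authorized-networks={','.join(networks)}"


# Constructed example of a list that has drifted: a "temporary" 0.0.0.0/0 and
# an RFC 1918 range that never matched anything.
CURRENT = ["0.0.0.0/0", "203.0.113.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    nets, problems = merge_authorized_networks(
        CURRENT, add=["198.51.100.50"], remove=["10.0.0.0/8"])
    for p in problems:
        print("DROPPED", p)
    print(gcloud_patch_command("INSTANCE_NAME", nets))
```

Run against the constructed list, it drops 0.0.0.0/0 with a reason, removes 10.0.0.0/8, normalises the bare address to 198.51.100.50/32 and prints the complete `gcloud sql instances patch` command to apply.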

Step 2: Enable Private IP Connectivity

Private IP keeps database traffic within your VPC, never exposing it to the public internet:

Configure Private Service Access

    1. Go to **VPC Network > VPC networks** in the Console
    2. Click on your VPC network
    3. Select the **Private service connection** tab
    4. Under "Allocated IP ranges for services," click **Allocate IP range** and configure:
       • Name: google-managed-services-range
       • IP range: Automatic, or specify a /16 or /24 range (Google recommends at least a /24)
    5. Click **Allocate**
    6. Under "Private connections to services," click **Create connection**
    7. Select the allocated range and click **Connect**

Enable Private IP on Cloud SQL Instance

    1. Navigate to your Cloud SQL instance
    2. Click **Edit**
    3. Expand **Connections**
    4. Under "Private IP," click **Enable private IP**
    5. Select the VPC network with private service access configured
    6. Optionally, uncheck **Public IP** to disable public access entirely
    7. Click **Save**

Once private IP has been enabled on an instance it cannot be removed again, so choose the VPC and allocated range deliberately before enabling it.

# Via gcloud CLI: attach the instance to the VPC and disable its public IP in one step
gcloud sql instances patch INSTANCE_NAME \
    --network=projects/PROJECT_ID/global/networks/VPC_NAME \
    --no-assign-ip

Step 3: Enable IAM Database Authentication

IAM authentication lets users and service accounts connect with their Google Cloud identity: the client presents a short-lived OAuth 2.0 access token instead of a database password (the Cloud SQL Auth Proxy and the language connectors fetch the token for you), so there is no long-lived database credential to leak or rotate:

Enable IAM Authentication on Instance

    1. Navigate to your Cloud SQL instance
    2. Click **Edit**
    3. Expand **Flags**
    4. Add the flag that turns on IAM authentication for your engine:
       • PostgreSQL: cloudsql.iam_authentication = on
       • MySQL: cloudsql_iam_authentication = on
       (As of this writing, Cloud SQL for SQL Server does not support IAM database authentication; use built-in logins with strong, rotated passwords there.)
    5. Click **Save**

Create IAM Database Users

For PostgreSQL

    1. Navigate to **SQL > [Instance] > Users**
    2. Click **Add User Account**
    3. Select **Cloud IAM**
    4. Enter the IAM principal (user email or service account)
    5. Click **Add**

Then grant database permissions via SQL:

-- Connect as the postgres admin user. A new IAM user has no privileges until
-- you grant them; ON ALL TABLES covers tables that exist now (use ALTER DEFAULT
-- PRIVILEGES for tables created later).
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO "[email protected]";

For MySQL

-- IAM users are not created with CREATE USER: add them through the Console
-- (Users > Add User Account > Cloud IAM) or with the CLI. The email must match
-- the IAM principal exactly:
--   gcloud sql users create [email protected] \
--       --instance=INSTANCE_NAME --type=CLOUD_IAM_USER
-- (use --type=CLOUD_IAM_SERVICE_ACCOUNT for a service account)

-- Then grant permissions; the account has none until you do
GRANT SELECT, INSERT, UPDATE ON database_name.* TO '[email protected]';

Grant Cloud SQL IAM Roles

Users need the Cloud SQL Instance User role (roles/cloudsql.instanceUser) to log in with IAM; if they connect through the Cloud SQL Auth Proxy or a language connector they also need Cloud SQL Client (roles/cloudsql.client). Grant these to the specific principal rather than to a group that contains everyone:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:[email protected]" \
    --role="roles/cloudsql.instanceUser"

Step 4: Enforce SSL/TLS Encryption

Require encrypted connections to protect data in transit:

Enable SSL Requirement

    1. Navigate to your Cloud SQL instance
    2. Select **Connections**
    3. Under **Security**, click **Manage SSL mode** and choose **Allow only SSL connections** (or **Require trusted client certificates** for mutual TLS)
    4. Click **Save**

# Via gcloud CLI (--require-ssl is the older spelling of the same setting;
# use --ssl-mode=TRUSTED_CLIENT_CERTIFICATE_REQUIRED to also require client certificates)
gcloud sql instances patch INSTANCE_NAME --ssl-mode=ENCRYPTED_ONLY

Download Server CA Certificate

    1. In the instance's **Connections** page, scroll to **Manage SSL Mode**
    2. Click **Create Client Certificate** if mutual TLS is needed
    3. Download the Server CA certificate, client certificate, and client key

Configure Client Connection

Example connection string with SSL (PostgreSQL):

# sslmode=verify-ca validates the server certificate against the downloaded CA;
# anything weaker (require, prefer) encrypts but does not authenticate the server
psql "host=INSTANCE_IP dbname=DATABASE user=USER sslmode=verify-ca sslrootcert=server-ca.pem"

Example connection string with SSL (MySQL):

# --ssl-mode=VERIFY_CA makes the client actually verify the server certificate;
# passing --ssl-ca alone does not guarantee that on every client version
mysql -h INSTANCE_IP -u USER -p \
    --ssl-mode=VERIFY_CA \
    --ssl-ca=server-ca.pem \
    --ssl-cert=client-cert.pem \
    --ssl-key=client-key.pem

Step 5: Configure VPC Service Controls (Advanced)

For defense-in-depth, add Cloud SQL to a VPC Service Controls perimeter:

    1. Navigate to **Security > VPC Service Controls**
    2. Create or edit a service perimeter
    3. Add the project containing your Cloud SQL instance
    4. Under "Restricted Services," add sqladmin.googleapis.com
    5. Configure access levels for authorized networks/identities
    6. Save the perimeter

With sqladmin.googleapis.com restricted, the perimeter:

  • Blocks Cloud SQL Admin API calls (instance create/patch, user management, export to Cloud Storage) from identities and networks outside the perimeter, even when they hold a valid IAM role
  • Prevents exports and clones of your instance data into projects outside the perimeter
  • Separates isolated environments so a compromised project cannot administer instances in another

Note that VPC Service Controls protect the management plane. Database connections themselves (port 5432/3306/1433 over public or private IP) are governed by authorized networks, private IP, IAM authentication and TLS from the earlier steps, not by the perimeter.

Step 6: Enable Audit Logging

Track all database access and administrative actions:

    1. Go to **IAM & Admin > Audit Logs**
    2. Find **Cloud SQL Admin API**
    3. Enable all log types:
       • Admin Read
       • Data Read
       • Data Write
    4. Click **Save**

Admin Activity logs (instance created, flags changed, authorized networks edited) are always on and cannot be disabled; the Data Access types above add read and write calls to the Admin API. Neither records the SQL statements run against the database, which is what the next section configures.

For database-level query logging:

PostgreSQL

# Cloud SQL does not expose postgresql.conf; set these as database flags.
# --database-flags replaces the full set, so include flags you already rely on
# (for example cloudsql.iam_authentication=on).
gcloud sql instances patch INSTANCE_NAME \
    --database-flags=log_statement=all,log_min_duration_statement=0
# log_statement=all logs every statement (use 'ddl' for schema changes only) and
# writes literals verbatim, including the password in ALTER USER ... PASSWORD '...';
# log_min_duration_statement=0 adds a duration line for every query.
# pgAudit (cloudsql.enable_pgaudit=on, pgaudit.log=...) gives per-class control
# with less overhead and is the better choice for production.

MySQL

# general_log is expensive in production; log_output=FILE is needed for the
# general log to show up in Cloud Logging rather than a table
gcloud sql instances patch INSTANCE_NAME \
    --database-flags=general_log=on,log_output=FILE
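Once query logging is on, the value comes from what you do with the lines. The following detector, added here as an example and not code from the original article, runs over a few constructed PostgreSQL log lines in Cloud SQL's default line format (`%m [%p]: [%l-1] db=%d,user=%u `, the format assumed here) as produced by log_statement=all. It classifies privilege changes, schema changes and bulk exports, escalates anything non-DML executed by an application identity, and redacts password literals before the event leaves the detector, because log_statement=all writes them into the log in clear. The log lines, user names and severity scheme are all constructed for the example.

```python
"""Detect risky statements in Cloud SQL for PostgreSQL query logs.

Added example (not from the original article). It assumes the default Cloud SQL
log line prefix "%m [%p]: [%l-1] db=%d,user=%u " with log_statement=all;
the log lines below are constructed, not real. Besides categorising statements,
it redacts password literals before events are forwarded anywhere, because
log_statement=all writes ALTER USER ... PASSWORD '...' to the log verbatim.
"""
import re
from collections import Counter
from typing import Dict, FrozenSet, List

SAMPLE_LOG = """\
2026-01-13 02:14:07.412 UTC [24811]: [3-1] db=orders,user=app-sa@example-project.iam LOG:  statement: SELECT id FROM orders WHERE customer_id = 42
2026-01-13 02:14:07.413 UTC [24811]: [3-2] db=orders,user=app-sa@example-project.iam LOG:  duration: 1.203 ms
2026-01-13 02:14:09.001 UTC [24815]: [4-1] db=orders,user=dba@example.com LOG:  statement: GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "intern@example.com"
2026-01-13 02:14:12.330 UTC [24811]: [5-1] db=orders,user=app-sa@example-project.iam LOG:  statement: COPY customers TO '/tmp/customers.csv'
2026-01-13 02:15:00.020 UTC [24833]: [1-1] db=postgres,user=postgres LOG:  statement: ALTER USER postgres WITH PASSWORD 'hunter2'
2026-01-13 02:15:03.500 UTC [24811]: [6-1] db=orders,user=app-sa@example-project.iam LOG:  statement: SELECT * FROM customers WHERE id = 7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \S+) "
    r"\[(?P<pid>\d+)\]: \[\d+-\d+\] "
    r"db=(?P<db>[^,]*),user=(?P<user>\S*) "
    r"LOG:  statement: (?P<sql>.*)$"
)

# Order matters: the first matching rule wins. Severities are this example's scheme.
RULES = [
    ("privilege_change", "high", re.compile(
        r"^\s*(GRANT|REVOKE|CREATE\s+(ROLE|USER)|ALTER\s+(ROLE|USER)|DROP\s+(ROLE|USER))\b", re.I)),
    ("schema_change", "medium", re.compile(
        r"^\s*(DROP|TRUNCATE|ALTER\s+TABLE|CREATE\s+TABLE)\b", re.I)),
    ("bulk_export", "medium", re.compile(
        r"^\s*COPY\b.*\bTO\b|\bpg_read_file\s*\(", re.I)),
]
PASSWORD_RE = re.compile(r"(PASSWORD\s+)'[^']*'", re.I)


def redact(sql: str) -> str:
    """Replace password literals so the alert itself does not leak a secret."""
    return PASSWORD_RE.sub(r"\1'<redacted>'", sql)


def detect(log_text: str, app_principals: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one event per risky statement, in log order.

    `app_principals` are database users that belong to applications; they
    should only ever run DML, so any hit from them is escalated to critical.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # duration lines, continuation lines, unrelated output
            continue
        sql = m.group("sql")
        for category, severity, pattern in RULES:
            if pattern.search(sql):
                user = m.group("user")
                if user in app_principals:
                    severity = "critical"
                events.append({"ts": m.group("ts"), "db": m.group("db"), "user": user,
                               "category": category, "severity": severity,
                               "sql": redact(sql)})
                break
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count events per category, e.g. for a daily report."""
    return dict(Counter(e["category"] for e in events))


if __name__ == "__main__":
    for e in detect(SAMPLE_LOG, frozenset({"app-sa@example-project.iam"})):
        print(f"{e['severity']:8} {e['category']:17} {e['user']:28} {e['sql']}")
```

On the constructed log this yields three events: the GRANT by the DBA (high), the COPY export by the application service account (escalated to critical because that identity should never run anything but DML) and the password change, which is reported with the literal replaced by `'<redacted>'`. The two SELECTs and the duration line are ignored.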

Step 7: Implement Backup and Recovery

Ensure you can recover from security incidents:

    1. Navigate to your Cloud SQL instance
    2. Select **Backups**
    3. Click **Create Backup** for an immediate backup
    4. Under **Automated backups**, configure:
       • Backup window (low-traffic period)
       • Retention (default 7 days; increase for compliance)
       • Point-in-time recovery (enables transaction log backups)

# Enable automated backups and PITR. --enable-point-in-time-recovery applies to
# PostgreSQL and SQL Server; for MySQL use --enable-bin-log instead.
gcloud sql instances patch INSTANCE_NAME \
    --backup-start-time=02:00 \
    --enable-point-in-time-recovery \
    --retained-backups-count=30
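Steps 1 through 4 and 7 are all visible in one place: the instance description. The script below, added here as an example and not code from the original article, audits the JSON that `gcloud sql instances describe INSTANCE_NAME --format=json` prints, using the Cloud SQL Admin API field names (settings.ipConfiguration, settings.databaseFlags, settings.backupConfiguration). Both instance documents in it are constructed: WEAK is a public-IP instance with a "temporary" 0.0.0.0/0 and defaults elsewhere, HARDENED is the end state after the steps above. The severities and the 30-backup minimum are this example's policy, not a Google default.

```python
"""Audit a Cloud SQL instance description against the controls in this guide.

Added example, not from the original article. Input is the JSON printed by
`gcloud sql instances describe INSTANCE_NAME --format=json`; the field names
are those of the Cloud SQL Admin API DatabaseInstance resource. WEAK and
HARDENED below are constructed documents, not real instances.
"""
import json
from typing import Any, Dict, List, Tuple, Union

IAM_AUTH_FLAG = {"POSTGRES": "cloudsql.iam_authentication",
                 "MYSQL": "cloudsql_iam_authentication"}
ENCRYPTED_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}
MIN_RETAINED_BACKUPS = 30   # policy choice for this example

WEAK = {
    "name": "orders-db", "databaseVersion": "POSTGRES_15",
    "settings": {
        "ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [{"name": "temporary", "value": "0.0.0.0/0"}],
            "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED",
        },
        "databaseFlags": [{"name": "log_statement", "value": "ddl"}],
        "backupConfiguration": {
            "enabled": True, "pointInTimeRecoveryEnabled": False,
            "backupRetentionSettings": {"retentionUnit": "COUNT", "retainedBackups": 7},
        },
    },
}
WEAK_JSON = json.dumps(WEAK)

HARDENED = {
    "name": "orders-db", "databaseVersion": "POSTGRES_15",
    "settings": {
        "ipConfiguration": {
            "ipv4Enabled": False,
            "privateNetwork": "projects/example-project/global/networks/prod-vpc",
            "sslMode": "ENCRYPTED_ONLY",
        },
        "databaseFlags": [{"name": "cloudsql.iam_authentication", "value": "on"},
                          {"name": "log_statement", "value": "ddl"}],
        "backupConfiguration": {
            "enabled": True, "pointInTimeRecoveryEnabled": True,
            "backupRetentionSettings": {"retentionUnit": "COUNT", "retainedBackups": 30},
        },
    },
}


def audit_instance(doc: Union[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means every check passed."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    settings = doc.get("settings", {})
    ipc = settings.get("ipConfiguration", {})
    flags = {f["name"]: str(f["value"]).lower() for f in settings.get("databaseFlags", [])}
    backup = settings.get("backupConfiguration", {})
    engine = doc.get("databaseVersion", "").split("_")[0]   # POSTGRES, MYSQL, SQLSERVER
    findings = []

    # Step 1: public IP and authorized networks
    if ipc.get("ipv4Enabled", False):
        nets = [n.get("value", "") for n in ipc.get("authorizedNetworks", [])]
        if "0.0.0.0/0" in nets:
            findings.append(("CRITICAL", "public IP with 0.0.0.0/0 authorized: reachable from the whole internet"))
        else:
            findings.append(("MEDIUM", "public IP enabled; prefer private IP and --no-assign-ip"))
    # Step 2: private IP
    if not ipc.get("privateNetwork"):
        findings.append(("MEDIUM", "no private IP; attach the instance to a VPC with private service access"))
    # Step 3: IAM database authentication (engines that support it)
    flag = IAM_AUTH_FLAG.get(engine)
    if flag and flags.get(flag) != "on":
        findings.append(("MEDIUM", f"IAM database authentication off; set database flag {flag}=on"))
    # Step 4: TLS (sslMode is current; requireSsl is the legacy field)
    if ipc.get("sslMode") not in ENCRYPTED_MODES and not ipc.get("requireSsl", False):
        findings.append(("HIGH", "unencrypted connections allowed; set --ssl-mode=ENCRYPTED_ONLY"))
    # Step 7: backups and point-in-time recovery
    if not backup.get("enabled", False):
        findings.append(("HIGH", "automated backups disabled"))
    else:
        pitr_key = "binaryLogEnabled" if engine == "MYSQL" else "pointInTimeRecoveryEnabled"
        if not backup.get(pitr_key, False):
            findings.append(("MEDIUM", f"point-in-time recovery off ({pitr_key} is false)"))
        retained = backup.get("backupRetentionSettings", {}).get("retainedBackups", 0)
        if retained < MIN_RETAINED_BACKUPS:
            findings.append(("LOW", f"only {retained} backups retained; policy minimum is {MIN_RETAINED_BACKUPS}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"== {label} ==")
        for severity, finding in audit_instance(doc) or [("OK", "all checks passed")]:
            print(f"{severity:9} {finding}")
```

In practice you pipe the real description in (`gcloud sql instances describe INSTANCE_NAME --format=json | python audit.py`, with a few lines reading stdin) and fail the pipeline on any CRITICAL or HIGH finding. The engine prefix of databaseVersion drives the engine-specific checks: the IAM flag name differs between PostgreSQL and MySQL, SQL Server has none, and MySQL signals PITR through binaryLogEnabled rather than pointInTimeRecoveryEnabled.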

Security Best Practices Summary

  • Use private IP exclusively when possible - disable public IP entirely
  • Never whitelist 0.0.0.0/0 in authorized networks
  • Enable IAM authentication for human users and administrative access
  • Require SSL/TLS for all connections
  • Use service accounts with minimal permissions for application connections
  • Rotate credentials regularly - keep database passwords in Secret Manager and use its rotation schedule (Pub/Sub notifications) to drive automated rotation
  • Enable audit logging and export to long-term storage
  • Configure VPC Service Controls for sensitive environments
  • Test backup recovery quarterly

Need help securing your Cloud SQL databases or implementing a comprehensive database security strategy? Contact InventiveHQ for expert guidance on cloud database security and compliance.

Frequently Asked Questions


Private IP is strongly recommended for production workloads. With private IP, your Cloud SQL instance is only accessible within your VPC or through Cloud VPN/Interconnect - it never traverses the public internet. Public IP should only be used for development, testing, or when you need direct access from outside GCP. If you must use public IP, always restrict access using authorized networks and enable SSL/TLS encryption.
