How to filter App Engine connections by host with Google Cloud SQL Second Generation? (2nd)

1
votes

Google App Engine seems to automatically tunnel its connections to Cloud SQL 2nd generation internally through Cloud SQL Proxy. This was discovered inadvertently while trying to sort out how to use TLS, unsuccessfully: "TLS requested but server does not support TLS" error with Google Cloud SQL (2nd generation) from Google App Engine?

I noticed that this works without allowing unsecured access globally to the Cloud SQL instance... which is nice. However, we can only filter the accepted hostname for connections to cloudsqlproxy~% and not to localhost, and this allows virtually any "cloudsqlproxy" host to connect with the right credentials.

Is this safe and correct to do, and better than using %... which would obviously bypass any sort of host filtering? Or, does this open any cloudsqlproxy's possible connection to our 2nd generation instance?

The goal is to restrict connections on a particular user account on the SQL instance to ONLY come from our App Engine project. Nothing else should be able to connect with these credentials.

1
google-app-enginegoogle-cloud-sql

1 Answers

0
votes

Good question, you are right that using cloudsqlproxy-% is the strictest filtering you can apply for App Engine connections right now and unfortunately that means you cannot effectively say "allow connections from App Engine but not from Cloud SQL Proxy".

It's hard to come up with a solution that maintains the consistency between App Engine Standard and App Engine Flexible since App Engine Flex VMs live in the customer project. It could be somewhat confusing if the restriction only applied to App Engine Standard, but not App Engine flex.

You can somewhat limit the exposure by limiting who can use the Cloud SQL Proxy by limiting the Editors (and owners) of a project as the account connecting using Cloud SQL Proxy must have Editor access or above. In the future, this will become more fine grained with IAM support.