Question
How to use VPC to improve MySQL database security?
- Posted on August 11, 2020
- MySQLJava
Asked by jonVonBallstein
I just watched the Digital Ocean webinar on VPCs on youTube. I found it really interesting and I was wondering how to use this to improve security on a system I maintain for a local social enterprise? I’m going to describe the system below as it will clarify the question:
There are 4 people working for the social enterprise who use a Java desktop application to connect to a remote MySQL database, currently hosted on a digital ocean droplet. The java application uses JDBC to talk to the database. The database currently has to accept connections from any IP because the staff are working remotely and sometimes work on the move. The security policy requires 25+ char characters and that’s probably the main line of defense against DB brute force attacks.
After watching the webinar I was thinking of moving the MySQL database onto a droplet in a private network within a VPC with another droplet as a public gateway as described in the How to Configure a Droplet as a VPC Gateway tutorial. The gateway would handle incoming DB requests and forward them to the DB server. This would be done to shield the DB from the typical types of opportunistic attacks the server database logs show are attempted on the database. However, in considering this I find myself asking is it really a security improvement since the gateway machine would just be forwarding requests to the DB in the VPC, so its not really added security aside from the fact that the DB is no longer directly available on a public IP. But I might be missing something? If so please tell me what.
So my question is, how can I use the VPC to improve the databases security? How should the setup be configured? I was reading the Digital Ocean Tutorial How To Configure SSL/TLS for MySQL on Ubuntu 18.04 and was wondering if the DB server should be configured as the DB server in the tutorial and the gateway droplet as the client in the tutorial? OR is there another tutorial I should be following for figuring this out? I don’t quite get how the gateway server can distinguish between incoming traffic from legitimate users with the java desktop app and traffic from attackers? Advice on how I should be configuring this and links to tutorials I should be reading to figure this out are most welcome!
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Hi there @jonVonBallstein,
I think that a VPC would drastically improve your security if your webserver was also part of the same VPC so that way people would hit the webserver only and then the webserver would connect to the database server via the VPC network.
However, your case is a bit different as you have your clients connecting to your database directly.
What I could suggest here is to maybe set up a VPN server as described in this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
Or use this 1-Click installation from the Marketplace:
https://marketplace.digitalocean.com/apps/openvpn-access-server
That way, you could lock down your database to the VPN IP address only. Then ask your colleagues to connect to the VPN first and then they will be able to connect to the database.
This would also be quite beneficial as their connections would be encrypted as well.
Hope that this helps! Regards, Bobby