Question
How to use VPC to improve MySQL database security?
I just watched the Digital Ocean webinar on VPCs on youTube. I found it really interesting and I was wondering how to use this to improve security on a system I maintain for a local social enterprise? I’m going to describe the system below as it will clarify the question:
There are 4 people working for the social enterprise who use a Java desktop application to connect to a remote MySQL database, currently hosted on a digital ocean droplet. The java application uses JDBC to talk to the database. The database currently has to accept connections from any IP because the staff are working remotely and sometimes work on the move. The security policy requires 25+ char characters and that’s probably the main line of defense against DB brute force attacks.
After watching the webinar I was thinking of moving the MySQL database onto a droplet in a private network within a VPC with another droplet as a public gateway as described in the How to Configure a Droplet as a VPC Gateway tutorial. The gateway would handle incoming DB requests and forward them to the DB server. This would be done to shield the DB from the typical types of opportunistic attacks the server database logs show are attempted on the database. However, in considering this I find myself asking is it really a security improvement since the gateway machine would just be forwarding requests to the DB in the VPC, so its not really added security aside from the fact that the DB is no longer directly available on a public IP. But I might be missing something? If so please tell me what.
So my question is, how can I use the VPC to improve the databases security?
How should the setup be configured? I was reading the Digital Ocean Tutorial
How To Configure SSL/TLS for MySQL on Ubuntu 18.04 and was wondering if the DB server should be configured as the DB server in the tutorial and the gateway droplet as the client in the tutorial? OR is there another tutorial I should be following for figuring this out? I don’t quite get how the gateway server can distinguish between incoming traffic from legitimate users with the java desktop app and traffic from attackers? Advice on how I should be configuring this and links to tutorials I should be reading to figure this out are most welcome!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×