How to use VPC to improve MySQL database security?

Posted August 11, 2020

I just watched the DigitalOcean webinar on VPCs on YouTube. I found it really interesting and I was wondering how to use this to improve security on a system I maintain for a local social enterprise? I’m going to describe the system below as it will clarify the question:

There are 4 people working for the social enterprise who use a Java desktop application to connect to a remote MySQL database, currently hosted on a DigitalOcean Droplet. The Java application uses JDBC to talk to the database. The database currently has to accept connections from any IP because the staff are working remotely and sometimes work on the move. The security policy requires 25+ char characters and that’s probably the main line of defense against DB brute force attacks.

After watching the webinar I was thinking of moving the MySQL database onto a Droplet in a private network within a VPC, with another Droplet as a public gateway as described in the How to Configure a Droplet as a VPC Gateway tutorial. The gateway would handle incoming DB requests and forward them to the DB server. This would be done to shield the DB from the typical types of opportunistic attacks the server database logs show are attempted on the database. However, in considering this I find myself asking whether it is really a security improvement, since the gateway machine would just be forwarding requests to the DB in the VPC, so it’s not really added security aside from the fact that the DB is no longer directly available on a public IP. But I might be missing something? If so, please tell me what.

So my question is, how can I use the VPC to improve the database’s security?
How should the setup be configured? I was reading the DigitalOcean tutorial How To Configure SSL/TLS for MySQL on Ubuntu 18.04 and was wondering if the DB server should be configured as the DB server in the tutorial and the gateway Droplet as the client in the tutorial? Or is there another tutorial I should be following for figuring this out? I don’t quite get how the gateway server can distinguish between incoming traffic from legitimate users with the Java desktop app and traffic from attackers? Advice on how I should be configuring this and links to tutorials I should be reading to figure this out are most welcome!

1 answer

Hi there @jonVonBallstein,

I think that a VPC would drastically improve your security if your webserver was also part of the same VPC so that way people would hit the webserver only and then the webserver would connect to the database server via the VPC network.

However, your case is a bit different as you have your clients connecting to your database directly.

What I could suggest here is to maybe set up a VPN server as described in this tutorial:

Or use this 1-Click installation from the Marketplace:

That way, you could lock down your database to the VPN IP address only. Then ask your colleagues to connect to the VPN first and then they will be able to connect to the database.

This would also be quite beneficial as their connections would be encrypted as well.

Hope that this helps!

  • Thanks @bobbyiliev for the answer, it’s very helpful. So, I’m just going to state my understanding of what you said so you can tell me if I’ve got it or not:

    If I use OpenVPN, the VPN would also act as the gateway server to the VPC. So client machines open the OpenVPN connection and in doing that they’re then on the OpenVPN Droplet’s IP and are therefore also on the edge device for the VPC. Then they’d use their Java application as normal and, because their requests are coming from the IP of the OpenVPN machine, I configure the MySQL server on a private Droplet in the VPC to only accept requests from the OpenVPN server’s IP. So then in the Java application I set the IP of the MySQL server to be the private IP of the MySQL server inside the VPC, and everything should work fine with much better security. Does that sound correct?

    Also, I noticed you mentioned a web server. I know many databases for web applications use a RESTful architecture so the client never talks directly to the DB. The Java desktop app is quite a big bit of software so changing it to use REST would be a big bit of work, but is this something I should strive for long term? Or, if I take the measures above and set up the DB accounts with appropriate restrictions, is there much security gain in modifying it to have REST architecture, especially given it’s not a web app, but rather a desktop app?

    Thanks for your help. I look forward to trying to implement the method, if I’ve understood it correctly. :)



    • Hi there @jonVonBallstein,

      Yes, as you have a desktop app, what you could do is set up your VPN server on a Droplet, and then ask your colleagues to download a VPN client and connect to the VPN server.

      That way your colleagues’ public IP addresses would be set to the VPN server IP.

      Then you can lock down the database cluster to be only accessible via that public IP.

      Of course, as you mentioned, in the long run you could plan on rebuilding the app as a web-based application, but for the time being I believe that using a VPN would increase your current security.

      Hope that this helps!
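
The account-level side of the lockdown discussed in this thread, as an added example that is not part of the original posts. It assumes the VPN Droplet NATs client traffic so that MySQL sees the VPN Droplet's private VPC address; `10.110.0.2`, `appdb`, `app_user` and the granted privileges are constructed placeholders.

```sql
-- Added example, not from the thread. Constructed values:
--   10.110.0.2          private VPC address of the VPN Droplet (assumption)
--   appdb / app_user    hypothetical schema and account names
--
-- Related server setting (outside SQL): in the [mysqld] section of the MySQL
-- configuration, bind-address should be the DB Droplet's private VPC address
-- rather than 0.0.0.0, so MySQL does not listen on the public interface.

-- 1. Audit: list every account whose host part contains a wildcard.
--    These are the accounts that can currently log in from any address.
SELECT user, host
FROM mysql.user
WHERE INSTR(host, '%') > 0;

-- 2. Create a replacement account that is only valid when the connection
--    arrives from the VPN Droplet, and that must use TLS.
CREATE USER 'app_user'@'10.110.0.2'
  IDENTIFIED BY '<long-random-password>'
  REQUIRE SSL;

-- 3. Grant only what the desktop application needs on its own schema
--    (the privilege list here is an assumption; adjust to the app).
GRANT SELECT, INSERT, UPDATE, DELETE
  ON appdb.* TO 'app_user'@'10.110.0.2';

-- 4. Once the Java app has been confirmed working through the VPN,
--    remove the old account that accepted connections from any IP.
DROP USER IF EXISTS 'app_user'@'%';

-- 5. Verify: the audit query from step 1 should no longer list app_user,
--    and the new account should show only the schema-level grants.
SHOW GRANTS FOR 'app_user'@'10.110.0.2';
```

If the VPN server routes client traffic instead of NATing it, MySQL sees each client's tunnel address, and the host part of the account has to match that subnet instead.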