Note: This document does not apply to Google BigQuery or CloudSpanner.
It is usually not a good idea to expose a production database (or any database with real data) to the internet. There are two main approaches, either of which (ideally both) will guarantee that allowing Cluvio to connect to your database keeps your data and systems secure:
- Using an SSH tunnel which proxies the communication with the database via your server. By allowing access only for Cluvio's public key, only the Cluvio servers can access your database. For more details, see Connecting through an SSH tunnel.
- Restricting your firewall to only allow connections to your database IP and port from the Cluvio server IP addresses. All of our servers use one of these two public IPs:
If you run on AWS, you can add these two IPs to your Security Group that guards access to the database (RDS, Redshift, or your own EC2 instance).
Additionally, you may want to create a read-only user in the database to avoid inadvertent changes to your data.