Note: This document does not apply to Google BigQuery or Cloud Spanner.
It is usually not a good idea to expose a production database (or any database with real data) to the internet. There are two main approaches, either of which (ideally both) can be employed to guarantee that your database access remains secure:
- Using an SSH tunnel which proxies the communication from Cluvio to the database via your server. By restricting access to Cluvio's SSH public key, only the Cluvio servers can access your database through the tunnel. See Connecting through an SSH tunnel.
- Restricting your firewall to only allow connections to your database IP and port from static Cluvio server IP addresses. All of our servers use one of these two public IPs:
If you run on AWS, you can add these two IPs to the Security Group that guards access to the database (e.g. RDS, Redshift, or your own EC2 instance).
Additionally, you may want to create a read-only user in the database for use by Cluvio to avoid inadvertent changes to your data.