Note: this does not apply to Google BigQuery or CloudSpanner connections
It is usually not a good idea to expose a production database (or any database with real data) to the internet.
There are two main approaches, either of which (ideally both) when employed, will guarantee that allowing Cluvio to connect keeps your data and systems secure:
- Use an SSH tunnel, which proxies the DB communication via your server, and by using a private key from Cluvio, only the Cluvio backend can ever get access. See more details in Connecting via SSH tunnel
- Restrict your firewall to only allow connections to the Database IP and port from the Zenline IP addresses. All of our servers would use one of these 2 IPs: 52.58.9.34 or 52.58.26.238. If you run on AWS, add these 2 IPs to your Security Group that controls access to the Database (RDS, Redshift, or your own on an EC2 instance).
Additionally, you may want to create a read-only user in the database to avoid inadvertent changes to your data.