Note: this does not apply to Google BigQuery or Cloud Spanner connections.
It is usually not a good idea to expose a production database (or any database with real data) to the internet.
There are 2 main approaches. Employing either of them (ideally both) will guarantee that allowing Cluvio to connect keeps your data and systems secure:
- Use an SSH tunnel, which proxies the DB communication via your server. By using a private key from Cluvio, only the Zenline backend can ever get access. This is described in detail in Connecting via SSH tunnel.
- Restrict your firewall to only allow connections to the database IP and port from the Zenline IP addresses. All of our servers use one of these 2 IPs: 22.214.171.124 or 126.96.36.199. If you run on AWS, you accomplish this by adding these 2 IPs to the Security Group that controls access to the database (RDS, Redshift or your own on EC2).
Additionally, you may want to create a read-only user in the database to avoid inadvertent changes to your data.
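An added example, not part of the original page or Cluvio's own tooling: a Python check that the ingress rules of the Security Group protecting the database admit only the two addresses listed above on the database port. The port (5432) and the sample rules are assumptions, constructed in the shape of `IpPermissions` from `aws ec2 describe-security-groups`; rules that reference other security groups are not evaluated.

```python
import ipaddress

# Source addresses listed on this page; each is allowed only as a single host (/32).
ALLOWED_SOURCES = {ipaddress.ip_network("22.214.171.124/32"),
                   ipaddress.ip_network("126.96.36.199/32")}

def covers_port(perm, port):
    """True if an ingress permission applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_ingress(ip_permissions, db_port):
    """Return findings for rules that open db_port to anything but ALLOWED_SOURCES."""
    findings = []
    for perm in ip_permissions:
        if not covers_port(perm, db_port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net not in ALLOWED_SOURCES:   # also flags wider ranges around an allowed IP
                findings.append(f"{cidr} can reach port {db_port}")
    return findings

def missing_sources(ip_permissions, db_port):
    """Return allowed sources that have no matching rule, so the connection would fail."""
    present = set()
    for perm in ip_permissions:
        if covers_port(perm, db_port):
            for r in perm.get("IpRanges", []):
                present.add(ipaddress.ip_network(r["CidrIp"], strict=False))
    return sorted(str(n) for n in ALLOWED_SOURCES - present)

# Constructed sample rules; 5432 (PostgreSQL default) is an assumed database port.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "22.214.171.124/32"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    print("too open:", audit_ingress(SAMPLE, 5432))
    print("missing:", missing_sources(SAMPLE, 5432))
```

An empty result from both functions means the database port is reachable from exactly the two listed addresses and nothing else.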