Note: This document does not apply to Google BigQuery or Cloud Spanner.
It is usually not a good idea to expose a production database (or any database with real data) to the internet.
There are two main approaches that guarantee that allowing Cluvio to connect keeps your data and systems secure. Either one is sufficient; ideally, employ both:
- Using an SSH tunnel, which proxies the communication with the database via your server. By allowing access only for Cluvio's public key, only the Cluvio backend can access your server. See more details in Connecting via SSH tunnel.
- Restricting your firewall to only allow connections to your database IP and port from the Cluvio IP addresses. All of our servers use one of these two IPs: 220.127.116.11 or 18.104.22.168. For example, if you run on AWS, add these two IPs to the Security Group that guards access to the database (RDS, Redshift, or your own EC2 instance).
Additionally, you may want to create a read-only user in the database to avoid inadvertent changes to your data.
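
One way to set up such a read-only user is sketched below. This is an added example, not taken from Cluvio's documentation. It assumes PostgreSQL, and the names `analytics` (database), `public` (schema), `app_owner` (the role that creates tables) and `cluvio_ro` (the new user) are hypothetical.

```sql
-- Assumed setup (hypothetical names): PostgreSQL, database "analytics",
-- schema "public", tables created by role "app_owner".

-- Login role with no administrative attributes and a bounded connection count.
CREATE ROLE cluvio_ro WITH LOGIN PASSWORD 'REPLACE_WITH_GENERATED_SECRET'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION CONNECTION LIMIT 10;

-- Allow the role to connect to the one database it needs.
GRANT CONNECT ON DATABASE analytics TO cluvio_ro;

-- PostgreSQL 14 and earlier let every role create objects in "public".
-- This also affects other roles that relied on that default, so grant
-- CREATE back explicitly to the roles that need it.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Read access to existing tables and views in the schema.
GRANT USAGE ON SCHEMA public TO cluvio_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO cluvio_ro;

-- Read access to tables that app_owner creates later. Without this,
-- new tables are invisible to the read-only user.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
  GRANT SELECT ON TABLES TO cluvio_ro;

-- Guard rails for the role's sessions. A session can override these
-- settings, so the grants above remain the actual access control.
ALTER ROLE cluvio_ro SET default_transaction_read_only = on;
ALTER ROLE cluvio_ro SET statement_timeout = '5min';

-- Check: list any relation in "public" the role can still modify,
-- including through privileges granted to PUBLIC. Expect zero rows.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'v', 'm', 'p')
  AND has_table_privilege('cluvio_ro', c.oid,
                          'INSERT, UPDATE, DELETE, TRUNCATE');
```

Run the statements as a role allowed to create roles and to alter `app_owner`'s default privileges, and rerun the final check after schema migrations.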