How safe is it to use cloud proxy for connection between VM and PaaS instance in Google Cloud

As far as I know, the cloud proxy uses a public IP in the background. So how safe is it to use the cloud proxy, what is the background process, and how safe is it if we use a public IP in Google Cloud?

If you are using a PaaS-based client application, it most likely has an ephemeral IP address. In that case, restricting access by source IP address range may be ineffective.

In that case, using the Cloud SQL Proxy is the best option. As with many services that use public IP addresses, the Google cloud proxy protects traffic on the public network with encryption. Traffic between the proxy client and the proxy server process passes through a secure tunnel encrypted with the AES cipher.

Apart from that, the SQL Proxy requires authentication and uses IAM to restrict access to the SQL instance.

You can find more information in the documentation:

Cloud SQL > Doc > MySQL > Connecting to Cloud SQL from external applications

Cloud SQL > Doc > MySQL > About the Cloud SQL Proxy:

The Cloud SQL Proxy provides secure access to your instances without the need for authorized networks or for configuring SSL. The proxy automatically encrypts traffic to and from the database using TLS 1.2 with a 128-bit AES cipher; SSL certificates are used to verify client and server identities.
The proxy uses a secure tunnel to communicate with its companion process running on the SQL server.
The proxy requires authentication. When you use a service account to provide the credentials for the proxy, you must create it with sufficient permissions: a role that includes the cloudsql.instances.connect permission.

Cloud SQL > Doc > MySQL > Connecting from App Engine standard environment to Cloud SQL:

App Engine provides a mechanism that connects using the Cloud SQL Proxy.
Once correctly configured, you can connect your service to your Cloud SQL instance's unix domain socket using the format: /cloudsql/INSTANCE_CONNECTION_NAME.
These connections are automatically encrypted without any additional configuration.

Also, you can configure your system to use Private IP as described here:

Cloud SQL > Doc > MySQL > Private IP
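The answer above describes two ways an application reaches the proxy: the `/cloudsql/INSTANCE_CONNECTION_NAME` unix domain socket (App Engine standard) or a proxy process listening on the loopback interface of a VM. The following Python snippet is an added example, not code from the answerer, from Google, or from the Cloud SQL documentation. It builds the connection parameters for a MySQL client and refuses any configuration that would bypass the proxy by pointing the application at a non-loopback host. It assumes the `project:region:instance` shape of an instance connection name, the `unix_socket` keyword of the `pymysql` driver, and the default MySQL port 3306; the connection name and credentials in the test are constructed sample values.

```python
import ipaddress
import re

# Assumption: a Cloud SQL instance connection name has the form
# project:region:instance (lowercase letters, digits and hyphens).
_CONNECTION_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*:[a-z0-9-]+:[a-z][a-z0-9-]*$")


def cloud_sql_socket_path(instance_connection_name: str) -> str:
    """Return the unix domain socket path the proxy exposes for an instance.

    Validating the name up front avoids silently opening a socket path that
    does not belong to the intended instance.
    """
    if not _CONNECTION_NAME_RE.match(instance_connection_name):
        raise ValueError(
            f"not a project:region:instance connection name: {instance_connection_name!r}"
        )
    return f"/cloudsql/{instance_connection_name}"


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def build_connect_kwargs(
    instance_connection_name: str,
    user: str,
    password: str,
    database: str,
    mode: str = "unix_socket",
    proxy_host: str = "127.0.0.1",
    proxy_port: int = 3306,
) -> dict:
    """Keyword arguments for pymysql.connect (assumed driver API).

    mode="unix_socket": App Engine standard, or a proxy exposing sockets under /cloudsql.
    mode="proxy_tcp":   a proxy process listening on the loopback interface of a VM.
    """
    kwargs = {"user": user, "password": password, "database": database}
    if mode == "unix_socket":
        kwargs["unix_socket"] = cloud_sql_socket_path(instance_connection_name)
    elif mode == "proxy_tcp":
        # Traffic to the proxy is plaintext on the local host; the proxy handles
        # TLS to Google. Anything other than loopback would send credentials
        # unencrypted across a network and bypass the proxy's IAM check.
        if not is_loopback(proxy_host):
            raise ValueError(
                f"proxy endpoint {proxy_host!r} is not loopback; connect through the local proxy"
            )
        kwargs["host"] = proxy_host
        kwargs["port"] = proxy_port
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return kwargs


if __name__ == "__main__":
    # Constructed sample values; real names and credentials come from the environment.
    params = build_connect_kwargs("my-project:us-central1:my-db", "app", "secret", "appdb")
    print(params)
    import pymysql  # assumed driver; only imported when actually connecting

    conn = pymysql.connect(**params)
    conn.close()
```

The `proxy_tcp` check is the part worth keeping in a real deployment: the proxy gives you TLS and IAM only for the leg between the proxy and the instance, so the application's own endpoint must stay on the local machine.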