Google Cloud SQL instances are by default not exposed to the Internet. One of the connection methods supported is Cloud SQL Proxy, which is able to map the Cloud SQL instance to a local port (say, localhost:3306) or a UNIX socket.
It authenticates with a service account, which is in practice a public/private key pair (be it as a file or attached to a Compute Engine instance via metadata).
My suspicion is that it works similarly to stunnel: the server exposes an SSL service that tunnels the MySQL protocol and the client authenticates with a client certificate. Does anyone have more information on how this protocol works?
I would like to understand which connections are made, how my keys are used, which encryption methods are used and, in general, which security principles are protecting my connection.
Can I reuse the same service account credentials to authenticate connections to my own databases (say, Redis)? If so, how?
Thanks!
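For readers who want to see the mechanism the question is guessing at in running code, the Go program below is an added example; it is not part of the original post and it is not Google's Cloud SQL Proxy code. It models the stunnel-style arrangement the poster describes: a per-instance CA, a server certificate whose CN carries an instance name of the form `project:instance` rather than a hostname, and a short-lived client certificate whose private key is generated locally and never leaves the client. The client verifies the server chain against the CA and pins the CN, and the server refuses any connection that does not present a client certificate chained to that CA. Every name in it (`demo-project:demo-instance`, `demo-instance-ca`, `demo-proxy-client`) and the `pki`, `buildPKI` and `connect` helpers are invented for the example. It deliberately leaves out how the real proxy obtains its client certificate: the proxy uses the service account's credentials to call the Cloud SQL Admin API and is issued a short-lived certificate by the instance's CA, so the service account key itself is never presented to the database. That is also the answer to the Redis part of the question in practice: a service you run yourself would need a CA you control to issue and verify its client certificates, because the Cloud SQL CA will not sign certificates for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// pki is a throwaway trust setup: one CA per instance, a server cert whose CN names the instance, and a short-lived client cert (names invented).
type pki struct {
	pool           *x509.CertPool
	server, client tls.Certificate
}

func check(err error) { // demo only: a real proxy would return these errors to its caller
	if err != nil {
		panic(err)
	}
}

// mkCert generates a fresh P-256 key and has signer (or the key itself, for a root) sign tmpl.
func mkCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

func buildPKI(instance string, clientTTL time.Duration) *pki {
	now, sig := time.Now(), x509.KeyUsageDigitalSignature
	caKey, ca := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "demo-instance-ca"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, nil, nil)
	srvKey, srv := mkCert(&x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: sig,
		Subject: pkix.Name{CommonName: instance}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, ca, caKey)
	// The client key never leaves the client; the CA vouches for its public key only for clientTTL
	// (a negative TTL yields an already-expired certificate, handy for testing rejection).
	cliKey, cli := mkCert(&x509.Certificate{SerialNumber: big.NewInt(3), KeyUsage: sig,
		Subject: pkix.Name{CommonName: "demo-proxy-client"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(clientTTL)}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &pki{pool: pool,
		server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		client: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
}

// connect runs one mutual-TLS exchange over an in-memory pipe and returns the client identity the
// server accepted. The server demands a client cert chained to the CA; the client verifies the server
// chain against the same CA and pins the CN to the instance it meant to reach, since a name like
// "project:instance" is not a hostname that ordinary TLS name checking could match.
func connect(p *pki, expectInstance string, clientCerts []tls.Certificate) (string, error) {
	sConn, cConn := net.Pipe()
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{p.server},
		ClientCAs: p.pool, ClientAuth: tls.RequireAndVerifyClientCert})
	go func() {
		defer srv.Close()
		if srv.Handshake() == nil { // only succeeds once the client certificate has verified
			fmt.Fprint(srv, srv.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()
	cli := tls.Client(cConn, &tls.Config{Certificates: clientCerts,
		InsecureSkipVerify: true, // disables only the hostname match; the chain is checked below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			if _, err = leaf.Verify(x509.VerifyOptions{Roots: p.pool}); err != nil {
				return err
			}
			if cn := leaf.Subject.CommonName; cn != expectInstance {
				return fmt.Errorf("server certificate is for %q, expected %q", cn, expectInstance)
			}
			return nil
		}})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	b, err := io.ReadAll(cli) // under TLS 1.3 a rejected client certificate surfaces here, not in Handshake
	return string(b), err
}
```

Calling `connect(p, "demo-project:demo-instance", []tls.Certificate{p.client})` on a `p := buildPKI("demo-project:demo-instance", time.Hour)` returns `demo-proxy-client`; passing `nil` instead of the client certificate, expecting a different instance name, or using a `pki` built with a negative TTL (an expired client certificate) all return an error. The in-memory `net.Pipe` stands in for the TCP connection a real proxy would open to the instance so that the example runs offline; the TLS behaviour on both sides is unchanged.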