Database posture management

Gemini in Databases helps you manage the security posture, data protection, and performance of your databases by proactively detecting common configuration issues and providing recommended fixes. These recommendations help you secure your databases by hardening network security, access management, data protection, and audit capabilities.

Gemini in Databases supports recommendations for the following Google Cloud database products:

Gemini in Databases updates recommendations once per day.

Database security recommendations

You can use the following security recommendations in Google Cloud databases:

  • Remove broad public access. Helps you detect instances that have public IP enabled and have the IP address range of 0.0.0.0/0 in authorized networks. Instances with a range of 0.0.0.0/0 in authorized networks accept connections from all internet IP addresses. For more information, see "Improve instance security by removing broad public IP ranges from authorized networks" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud SQL for SQL Server).
  • Require SSL for all connections. Detects instances that allow unencrypted connections by not requiring SSL/TLS for direct connections. Encryption helps ensure secure data transfer. For more information, see "Improve instance security by enforcing SSL/TLS encryption" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud SQL for SQL Server, AlloyDB for PostgreSQL). (For AlloyDB, the recommender is in Preview.)
  • Rotate server certificate. Detects instances with server certificates that are due to expire within 30 days. If a server certificate for an instance is about to expire, clients using this certificate won't be able to securely connect to the instance. For more information, see "Improve instance security by rotating server certificates" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud SQL for SQL Server).
  • Enable database auditing. Detects instances that don't log both user connections and statements. Database auditing lets you monitor specific user actions in the database to help with security and compliance. For more information, see "Improve instance security by enabling database auditing" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud SQL for SQL Server, AlloyDB for PostgreSQL). (For AlloyDB, the recommender is in Preview.)
  • Remove authorized networks. Detects instances that violate the organization policy constraints/sql.restrictAuthorizedNetworks enforced by your administrator. To reduce the security attack surface, this policy restricts adding authorized networks for direct database access. This policy violation occurs when authorized networks already exist on an instance when the policy constraint is enforced. For more information, see "Improve instance security by removing authorized networks" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud SQL for SQL Server).
  • Disable public IP. Detects instances that violate the organization policy constraints/sql.restrictPublicIp. To reduce the security attack surface, this policy restricts configuring public IP on the instance. This policy violation occurs when the public IP access already exists for the instance when the constraint is enforced. For more information, see "Improve instance security by disabling public IP" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud SQL for SQL Server).
  • Enable instance password policies. Detects instances that don't have an instance password policy enabled. Password policies help prevent the creation of weak passwords and help with compliance. For more information, see "Improve instance security by setting password policies" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL).
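
To make four of the checks above concrete (broad public access, SSL enforcement, certificate expiry, and password policy), the following added example evaluates instance records offline. It is not Google's recommender logic or code from this page. It assumes records shaped like Cloud SQL Admin API instance resources, assumes the certificate in question is the one exposed under `serverCaCert`, and omits the auditing and organization-policy checks.

```python
import ipaddress
from datetime import datetime, timedelta

ENFORCED_SSL = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}

# Constructed sample records, shaped like Cloud SQL Admin API instance resources.
SAMPLE_INSTANCES = [
    {"name": "orders-db", "databaseVersion": "POSTGRES_15",
     "serverCaCert": {"expirationTime": "2025-07-10T00:00:00Z"},
     "settings": {
         "ipConfiguration": {"ipv4Enabled": True,
                             "authorizedNetworks": [{"value": "0.0.0.0/0"}],
                             "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"},
         "passwordValidationPolicy": {"enablePasswordPolicy": False}}},
    {"name": "ledger-db", "databaseVersion": "MYSQL_8_0",
     "serverCaCert": {"expirationTime": "2027-01-01T00:00:00Z"},
     "settings": {
         "ipConfiguration": {"ipv4Enabled": False, "sslMode": "ENCRYPTED_ONLY"},
         "passwordValidationPolicy": {"enablePasswordPolicy": True}}},
]

def posture_findings(instance, now):
    """Return the recommendation names from the list above that apply."""
    settings = instance.get("settings", {})
    ip_cfg = settings.get("ipConfiguration", {})
    findings = []
    nets = [ipaddress.ip_network(n["value"], strict=False)
            for n in ip_cfg.get("authorizedNetworks", [])]
    # A prefix length of 0 (0.0.0.0/0) admits every internet address.
    if ip_cfg.get("ipv4Enabled") and any(n.prefixlen == 0 for n in nets):
        findings.append("Remove broad public access")
    # Prefer sslMode; fall back to the older requireSsl boolean if it is absent.
    mode = ip_cfg.get("sslMode")
    enforced = mode in ENFORCED_SSL if mode else bool(ip_cfg.get("requireSsl"))
    if not enforced:
        findings.append("Require SSL for all connections")
    # Assumption: the expiring certificate is the one under serverCaCert.
    expiry = instance.get("serverCaCert", {}).get("expirationTime")
    if expiry:
        expires = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if expires - now <= timedelta(days=30):
            findings.append("Rotate server certificate")
    # The page lists password policies for MySQL and PostgreSQL only.
    is_sqlserver = instance.get("databaseVersion", "").startswith("SQLSERVER")
    policy = settings.get("passwordValidationPolicy", {})
    if not is_sqlserver and not policy.get("enablePasswordPolicy"):
        findings.append("Enable instance password policies")
    return findings
```

Pass `posture_findings` a timezone-aware `now`, since the API timestamps carry a UTC offset.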

Data protection and performance recommendations

Gemini in Databases supports the following data protection and performance recommendations:

  • Enable automated backups. Detects instances that have no automated backups enabled. Enabling automated backups helps protect critical instances and prevent data loss. For more information, see "Prevent data loss for your instance by enabling automated backups" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud SQL for SQL Server).
  • Optimize instances for multiple out-of-memory (OOM) events. Detects instances that have a high number of OOM events within the last seven days. It provides recommendations on how to optimize such instances and improve performance. For more information, see "Optimize Cloud SQL for MySQL instances with high number of out-of-memory events" (Cloud SQL for MySQL).
  • Prevent data loss by increasing backup retention. Detects instances that are critical and have a risk of data loss because they are not retaining backups for long enough. If the instance is a production instance, has automated backups enabled, and has fewer than 21 retained backups, it is recommended to increase its backup retention. For more information, see "Prevent data loss for your instance by increasing backup retention" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud SQL for SQL Server).
  • Optimize queries with high memory usage. Detects Cloud SQL for PostgreSQL instances with queries terminated to prevent OOM errors in the past 24 hours. It provides recommendations on how to optimize such instances and improve performance. For more information, see "Optimize queries with high memory usage" (Cloud SQL for PostgreSQL).
  • Increase cluster storage quota. Detects AlloyDB for PostgreSQL production clusters which are at risk of hitting the storage quota. It analyzes certain storage-related metrics and computes the latest storage quota utilization by cluster. If the utilization is over a certain threshold, the cluster receives a recommendation to increase the storage quota. For more information, see "Increase cluster storage quota" (AlloyDB for PostgreSQL).
  • Optimize underprovisioned AlloyDB clusters. Detects clusters that have high CPU and memory utilization. It then provides recommendations for how to optimize the cluster. For more information, see "Optimize underprovisioned AlloyDB for PostgreSQL clusters" (AlloyDB for PostgreSQL).
  • Prevent transaction ID wraparound. Detects Cloud SQL for PostgreSQL instances that have potential transaction ID wraparound. If the transaction ID utilization percentage is greater than or equal to 80%, it's recommended to take actions to avoid transaction ID wraparound. For more information, see "Prevent transaction ID wraparound" (Cloud SQL for PostgreSQL).
  • Upgrade to Cloud SQL Enterprise Plus edition. Detects instances that can be upgraded from Enterprise edition to Enterprise Plus edition. Enterprise Plus edition provides near-zero downtime and a data cache that improves read performance. For more information, see "Improve performance with Cloud SQL Enterprise Plus edition" (Cloud SQL for MySQL, Cloud SQL for PostgreSQL).