This page describes how Cloud SQL uses self-managed SSL/TLS certificates to securely connect to Cloud SQL instances.
Cloud SQL supports connecting to an instance using the Transport Layer Security (SSL/TLS) protocol. Data in transit inside a physical boundary controlled by or on behalf of Google is generally authenticated but might not be encrypted by default. If you connect to an instance using its public IP address, use SSL/TLS certificates, so the data is secure during transmission. SSL/TLS is the standard protocol for encryption of data sent over the internet. If your data isn't encrypted, anyone can examine your packets and read confidential information.
A server Certificate Authority (CA) certificate is required in SSL connections. Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date of 10 years; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance using that certificate. You can also manually create a new one.
Enforcing SSL/TLS encryption
Setting up your Cloud SQL instance to accept SSL/TLS connections enables SSL/TLS connections for the instance, but unsecure connections are still accepted. If you do not enforce SSL/TLS for all connections, any issue with your SSL/TLS configuration can cause all connections to default silently to unencrypted. If you do not require SSL/TLS for all connections, clients without a valid certificate are allowed to connect. For this reason, if you are accessing your instance using public IP, it is strongly recommended that you enforce SSL for all connections.
Authentication using authorized networks
In this case, SQL Server clients are only authorized to connect if their IP
addresses are added to this list. The IP addresses can limited to a single
endpoint or consist of a range in CIDR format. For example:
SSL certificate expiry
SSL certificates associated with Cloud SQL instances come with an expiry period of 10 years. On expiry, perform SSL certificate rotation. You can also reset the SSL configuration of your Cloud SQL instance at any time.
- Configure SSL/TLS on your Cloud SQL instance.
- Learn more about how SQLServer uses encrypted connections.
- Manage SSL/TLS on your Cloud SQL instance.