The AlloyDB enforce SSL mode recommender helps you detect instances which are critical and have a risk of data loss.
This page describes the AlloyDB enforce SSL mode recommender, how this recommender works, and how to use it.
The AlloyDB enforce SSL mode recommender analyzes instance metadata. If the instance is a production instance and does not enforce encryption requirements for direct connections, it is recommended to enable SSL mode.
Recommendations are generated daily.
Before you begin
Before you can view recommendations and insights, do the following:
Ensure that you enable the Recommender API.
To get the permissions to view and work with insights and recommendations, ensure that you have the required Identity and Access Management (IAM) roles.
Tasks Roles View recommendations recommender.alloydbViewerApply recommendations recommender.alloydbAdminoralloydb.adminSee Grant access to other users for more information.
List the recommendations
You can list the enforce SSL mode recommendations
using the Google Cloud console, gcloud CLI, or the Recommender API.
Console
In the Google Cloud console, go to the Clusters page.
For more information, see Find recommendations with Recommendation Hub.
In the Security card, click Allows direct unencrypted connections.
A list of clusters with instances to which the Allows direct unencrypted connections recommendation applies is displayed.
gcloud CLI
To list the enforce SSL mode recommendations using gcloud CLI, run the gcloud recommender recommendations list command as follows:
gcloud recommender recommendations list \ --project=PROJECT_ID \ --location=LOCATION \ --recommender=google.alloydb.instance.SecurityRecommender \ --filter=recommenderSubtype=REQUIRE_SSL
Replace the following:
PROJECT_ID: Your project ID.LOCATION: A region where your instances are located, such asus-central1.
API
To list enforce SSL mode recommendations using the Recommendations API, call the
recommendations.list
method as follows:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=REQUIRE_SSL
Replace the following:
PROJECT_ID: Your project ID.LOCATION: A region where your istances are located, such asus-central1.
View insights and detailed recommendations
You can view insights and detailed recommendations about instances
that require enforcing SSL mode using the Google Cloud console,
gcloud CLI, or the Recommender API.
To view insights and detailed recommendations, follow these steps:
Console
On the Clusters page, click the Allows direct unencrypted connections recommendation for an instance in the Issues column. The recommendation panel appears, which contains insights and detailed recommendations.
gcloud CLI
Run the gcloud recommender insights list command as follows:
gcloud recommender insights list \ --project=PROJECT_ID \ --location=LOCATION \ --insight-type=google.alloydb.instance.SecurityInsight \ --filter=insightSubtype=SSL_NOT_REQUIRED
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION : A region where your instances are located, such as
us-central1.
API
Call the insights.list method as follows:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=SSL_NOT_REQUIRED
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION : A region where your instances are located, such as
us-central1.
Apply the recommendation
Evaluate the recommendation carefully and do any of the following:
Console
To implement the recommendation, enforce SSL/TLS mode on your instance.
gcloud CLI
To implement the recommendation, enforce SSL/TLS mode on your instance.