Improve instance security by enforcing SSL or TLS encryption

The AlloyDB enforce SSL mode recommender helps you detect instances which are critical and have a risk of data loss.

This page describes the AlloyDB enforce SSL mode recommender, how this recommender works, and how to use it.

The AlloyDB enforce SSL mode recommender analyzes instance metadata. If the instance is a production instance and does not enforce encryption requirements for direct connections, it is recommended to enable SSL mode.

Recommendations are generated daily.

Before you begin

Before you can view recommendations and insights, do the following:

List the recommendations

You can list the enforce SSL mode recommendations using the Google Cloud console, gcloud CLI, or the Recommender API.

Console

  1. In the Google Cloud console, go to the Clusters page.

    Go to Clusters

    For more information, see Exploring recommendations.

  2. In the Security card, click Allows direct unencrypted connections.

    A list of clusters with instances to which the Allows direct unencrypted connections recommendation applies is displayed.

gcloud CLI

To list the enforce SSL mode recommendations using gcloud CLI, run the gcloud recommender recommendations list command as follows:

gcloud recommender recommendations list \
--project=PROJECT_ID \
--location=LOCATION \
--recommender=google.alloydb.instance.SecurityRecommender \
--filter=recommenderSubtype=REQUIRE_SSL

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.

API

To list enforce SSL mode recommendations using the Recommendations API, call the recommendations.list method as follows:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=REQUIRE_SSL

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your istances are located, such as us-central1.

View insights and detailed recommendations

You can view insights and detailed recommendations about instances that require enforcing SSL mode using the Google Cloud console, gcloud CLI, or the Recommender API.

To view insights and detailed recommendations, follow these steps:

Console

On the Clusters page, click the Allows direct unencrypted connections recommendation for an instance in the Issues column. The recommendation panel appears, which contains insights and detailed recommendations.

gcloud CLI

Run the gcloud recommender insights list command as follows:


gcloud recommender insights list \
--project=PROJECT_ID \
--location=LOCATION \
--insight-type=google.alloydb.instance.SecurityInsight \
--filter=insightSubtype=SSL_NOT_REQUIRED

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION : A region where your instances are located, such as us-central1.

API

Call the insights.list method as follows:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=SSL_NOT_REQUIRED

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION : A region where your instances are located, such as us-central1.

Apply the recommendation

Evaluate the recommendation carefully and do any of the following:

Console

To implement the recommendation, enforce SSL/TLS mode on your instance.

gcloud CLI

To implement the recommendation, enforce SSL/TLS mode on your instance.

What's next