# How to Secure MySQL Managed Database Clusters

MySQL is an open source, object-relational database built with speed and reliability in mind. Its large and active developer community has created many third-party applications, tools, and libraries that expand MySQL’s functionality.

Data in MySQL database clusters is encrypted at rest with LUKS (Linux Unified Key Setup) and in transit with SSL. However, there are additional steps you can take to ensure that your data is safe.

## Restrict Incoming Connections

You can greatly decrease the likelihood of a security breach by restricting which DigitalOcean resources or external IP addresses are allowed to access the nodes in a cluster. This prevents brute force password and denial-of-service attacks from any server not explicitly permitted to connect.

Typically, only application servers are allowed to connect to the database cluster. Users access the public-facing site, and the public-facing server authenticates and manages database connections in turn.

To implement these restrictions, add trusted sources, which define the resources or IP addresses allowed to connect to the database cluster.

## Add a Trusted Source Using the CLI

## How to Add a Trusted Source Using the DigitalOcean CLI

1. [Install `doctl`](https://docs.digitalocean.com/reference/doctl/how-to/install/index.html.md), the official DigitalOcean CLI.
2. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with `doctl`.
3. Use the token to grant `doctl` access to your DigitalOcean account.

   ```shell
   doctl auth init
   ```
4. Finally, run `doctl databases firewalls append`. Basic usage looks like this, but you can [read the usage docs](https://docs.digitalocean.com/reference/doctl/reference/databases/firewalls/append/index.html.md) for more details:

   ```shell
   doctl databases firewalls append <database-cluster-id> --rule <type>:<value> [flags]
   ```

   The following example appends a firewall rule to a database cluster with the ID `ca9f591d-f38h-5555-a0ef-1c02d1d1e35` that allows any resources with the `example-tag` to access the database:

   ```shell
   doctl databases firewalls append ca9f591d-f38h-5555-a0ef-1c02d1d1e35 --rule tag:example-tag
   ```

## Add a Trusted Source Using the API

## How to Add or Remove a Trusted Source Using the DigitalOcean API

1. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with the API.
2. Send a PUT request to [`https://api.digitalocean.com/v2/databases/{database_cluster_uuid}/firewall`](https://docs.digitalocean.com/reference/api/digitalocean//index.html.md#operation/databases_update_firewall_rules).

### cURL

Using cURL:

```shell
curl -X PUT \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"rules": [{"type": "ip_addr","value": "192.168.1.1"},{"type": "droplet","value": "163973392"},{"type": "k8s","value": "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61"},{"type": "tag","value": "backend"}]}' \
  "https://api.digitalocean.com/v2/databases/9cc10173-e9ea-4176-9dbc-a4cee4c4ff30/firewall"
```

### Go

Using [Godo](https://github.com/digitalocean/godo), the official DigitalOcean API client for Go:

```go
import (
    "context"
    "os"

    "github.com/digitalocean/godo"
)

func main() {
    token := os.Getenv("DIGITALOCEAN_TOKEN")

    client := godo.NewFromToken(token)
    ctx := context.TODO()

    req := godo.DatabaseUpdateFirewallRulesRequest{
      Rules: []*godo.DatabaseFirewallRule{
        {
         Type:  "ip_addr",
         Value: "192.168.1.1",
         Description: "a development IP address",
       },
        {
         Type:  "droplet",
         Value: "163973392",
       },
        {
         Type:  "k8s",
         Value: "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61",
        },
      },
    }
    _, err := client.Databases.UpdateFirewallRules(ctx, dbID, &req)
}
```

### Python

Using [PyDo](https://github.com/digitalocean/pydo), the official DigitalOcean API client for Python:

```python
import os
from pydo import Client

client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

req = {
  "rules": [
    {
      "type": "ip_addr",
      "value": "192.168.1.1",
      "description": "a development IP address",
    },
    {
      "type": "k8s",
      "value": "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61"
    },
    {
      "type": "droplet",
      "value": "163973392"
    },
    {
      "type": "tag",
      "value": "backend"
    }
  ]
}
update_resp = client.databases.update_firewall_rules(database_cluster_uuid="a7a8bas", body=req)
```

## Add a Trusted Source Using the Control Panel

To add trusted sources to restrict database access, go to the [**Databases** page](https://cloud.digitalocean.com/databases) and select the cluster you want to add trusted sources to. Click the **Network Access** tab, then click **Add Trusted Sources**.

![The Network Access page for an example cluster.](https://docs.digitalocean.com/screenshots/databases/cluster-network-access-page.06d2518937e34e2d8467690aada7622700aee404ca04d3e320921846b8efa475.png)

In the **Add Trusted Sources** dialog, choose one of the following options:

- **Enter specific IP addresses or CIDR notations**: Enter specific IP addresses or a CIDR range. Or click **My current IP address** to use the **Quick Add** option, which adds your machine’s current IP address.

![The Add Trusted Sources dialog with the option Enter specific IP addresses or CIDR notations selected, and an example CIDR range shown.](https://docs.digitalocean.com/screenshots/databases/add-trusted-sources-ips-cidr.1cadefc47997cf52f706696bce6d1896d72b199be88731adf86792abce98cc36.png)

- **Quick select Droplets, Kubernetes clusters, Apps, and tags**: Use the search to find a resource or click the dropdown menu and select a resource from the list.

![The Add Trusted Sources dialog with the option Quick select Droplets, Kubernetes clusters, Apps, and tags selected, and the Search or select a resource dropdown menu expanded.](https://docs.digitalocean.com/screenshots/databases/add-trusted-sources-quick-select.e3832bfc4b4ae8086ce188320c3819e6bdaa55b41ce8a85fd6e5c6308fcd07d1.png)

When finished, click **Add Trusted Sources**.

**Warning**: You currently cannot add IPv6 rules to a database cluster’s trusted sources.

## Use Encrypted Connections

By default, you must use SSL to transmit data because it prevents eavesdropping on administrative usernames and passwords as well as the data itself as it is transmitted. However, SSL doesn’t protect against man-in-the-middle (MITM) attacks or impersonation.

Learn more about [configuring MySQL to use encrypted connections](https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html).