# Accessing a Private GCP Database via a Jumpbox Accessing a private **Cloud SQL** instance is a common challenge in cloud-based architectures. Exposing your database directly to the internet poses significant security risks — which is why using a **jumpbox (bastion host)** within a private subnet is an established best practice. This guide walks you through **configuring and using an SSH tunnel via a jumpbox** to connect to your private Cloud SQL instance on **Google Cloud**.\ By following these steps, you’ll be able to **securely manage your database** while keeping it **isolated and protected within your private network**. 1. In the **GCP Console**, navigate to **Compute Engine → VM instances**, then click **“Create Instance.”**

2. You can use the **default machine type (2 vCPU, 4 GB RAM)** — there’s **no need to modify the default configuration**, as it provides sufficient resources for the jumpbox.

3. For each client that requires access to the Jumpbox, **add their public SSH keys** under the **Managed Access** section in the **Security** tab. Always **add SSH keys through the GCP Console or CLI** — **do not edit** the `.ssh/authorized_keys` file directly on the VM.\ GCP periodically overwrites this file automatically, so manual edits will be lost.

4. Click **“Create”** to launch the instance. 5. Connect to your Jumpbox using SSH.\ The **SSH username** corresponds to the **user portion of your SSH key**. For example, if your public key looks like: ``` ssh-rsa AAAAB3... hello@example.com ``` then connect using: ```bash ssh hello@ ``` The **public IP address** (also called the **External IP** in GCP) is visible on the **VM Instances** page in the **Compute Engine** section.

6. In the **Cloud SQL** console, open your database configuration page to find the **Private IP address** listed on the main overview tab. If a private IP hasn’t been allocated yet, **edit the instance** and enable **Private Service Access**.\ The setup is straightforward — you can safely proceed with the **default suggested configuration**.

7. From your **Jumpbox VM**, verify that the database is reachable by running the following commands: ```bash # Install telnet if not already installed sudo apt install telnet -y # Test the connection to your database telnet ``` **Database port reference:** * PostgreSQL → `5432` * MySQL → `3306` * SQL Server → `1433` **Expected output:** ``` hello@jumpbox:~$ telnet Trying ... Connected to . Escape character is '^]'. ``` If the command only shows: ``` Trying ... ``` and does **not** connect, it means the database is **unreachable**.\ Double-check the following: * You’re using the **correct private IP** and **port**. * The **Jumpbox subnet** has a valid **route** to the **database subnet**. * **Firewall or security group rules** allow inbound traffic from the Jumpbox. 8. To strengthen security, **limit SSH access to your Jumpbox** by allowing only trusted IP addresses. Go to the **Firewall Policies** section in the **GCP Console**, and **create a new firewall rule** that permits inbound SSH traffic **only from your approved IP list**.

9. Select the **network (VPC)** where your **Jumpbox instance** is running to apply the firewall rule to the correct environment.

10. To grant a client access to your Jumpbox, **whitelist their public IP** in your firewall rule.\ Configure the rule with the following parameters: * **Priority:** `0` (highest priority) * **Direction of traffic:** `Ingress` * **Action on match:** `Allow` * **Source IPv4 ranges:** `/32` * **Destination IPv4 ranges:** `/32` This ensures that only the specified client IP can initiate SSH connections to your Jumpbox.

11. Allow access **exclusively through SSH** by whitelisting **port 22**, the default SSH port.\ All other ports and protocols should be **explicitly denied** to prevent unauthorized access. Once these settings are configured, click **“Create”** to finalize the firewall rule.

12. Now that access from the client’s public IP is allowed, you should **block all other incoming traffic** to the Jumpbox. Create a **new firewall rule** using the **same network (VPC)** as in the previous step, and configure it as follows: * **Priority:** `1` (lower priority than the allow rule) * **Action:** Deny all inbound traffic from any other IP address This ensures that **only the whitelisted client** can connect to the Jumpbox, while all other sources are **securely blocked**.

13. Set the **Source IPv4 range** to `0.0.0.0/0` to **deny access from all IP addresses**.\ Ensure that **all protocols and ports** are **disabled** to completely block unwanted traffic. Once configured, click **“Create”** to finalize the firewall rule.

14. Next, confirm that the Jumpbox is **reachable only from the whitelisted client(s)**.\ Try connecting via SSH from any other machine — the connection should **time out**, indicating that access is correctly restricted to authorized IPs only. #### 🎉 Congratulations! You’ve successfully allowed an **external client** to **securely access your private Cloud SQL database** through the Jumpbox. If you need any assistance or have questions, feel free to reach out at — our team is always happy to help! --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.stacksync.com/two-way-sync/connectors/setup-options/ssh-tunneling/accessing-a-private-gcp-database-via-a-jumpbox.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.