Secure GCP Database Access with an SSH Proxy


The request arrives: connect to a secured GCP database. You have production data behind a firewall. You cannot leak secrets. You cannot open the port to the world. You need a controlled, auditable path in.

GCP offers database access security through an SSH access proxy that becomes your single point of entry. Instead of exposing your PostgreSQL or MySQL host directly, you route traffic through an SSH tunnel. The proxy authenticates you, enforces IAM policies, and logs every session. Attackers never see the database’s public IP, because it doesn’t have one.

Here’s how the architecture works. You place your database in a private subnet inside a VPC. You deploy a bastion host or use Cloud SQL’s built‑in Cloud SQL Auth Proxy. The SSH access proxy listens for connections, checks your identity through GCP IAM, and opens an encrypted tunnel to the database. You can bind the tunnel locally, so your application connects as if the database were on localhost.

To lock this down:

  • Disable public IP for the database.
  • Enforce IAM authentication for proxy access.
  • Require SSH keys managed through Cloud IAM.
  • Use firewall rules to allow access only from the proxy host.
  • Enable query logging for audit trails.
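
One way to verify several of these controls after the fact is to audit exported configuration. The script below is an added example, not hoop.dev or Google code: it checks a Cloud SQL instance document and a list of VPC firewall rules for a public IP, missing query logging, and database-port access from anywhere other than the proxy host. It assumes PostgreSQL flag names, treats Cloud SQL IAM database authentication as the IAM control, and uses constructed sample data with a hypothetical proxy address of 10.0.1.5.

```python
import ipaddress
DB_PORTS = (5432, 3306)  # PostgreSQL and MySQL, the engines the post names

def audit_sql_instance(inst):
    """Findings for one `gcloud sql instances describe --format=json` document."""
    settings = inst.get("settings", {})
    flags = {f["name"]: f["value"] for f in settings.get("databaseFlags", [])}
    # Assumption: PostgreSQL flag names; IAM check means IAM database authentication.
    checks = [
        (settings.get("ipConfiguration", {}).get("ipv4Enabled", False), "public IP enabled"),
        (flags.get("cloudsql.iam_authentication") != "on", "IAM database authentication off"),
        (flags.get("log_statement", "none") == "none", "query logging off"),
    ]
    return [message for failed, message in checks if failed]

def opens_db_port(rule):
    """True if an enabled ingress allow rule covers a database port."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ranges = [p.split("-") for p in entry.get("ports", ["0-65535"])]
        if any(int(r[0]) <= d <= int(r[-1]) for r in ranges for d in DB_PORTS):
            return True
    return False

def audit_firewall(rules, proxy_ip):
    """Names of rules that reach a database port from anywhere but the proxy.
    Rules scoped by tag or service account (no sourceRanges) are flagged for review."""
    proxy = ipaddress.ip_network(f"{proxy_ip}/32")
    return [r["name"] for r in rules if opens_db_port(r) and
            [ipaddress.ip_network(s, strict=False) for s in r.get("sourceRanges", [])] != [proxy]]

# Constructed sample data in the shape gcloud emits; not from a real project.
SAMPLE_INSTANCE = {"name": "orders-db", "settings": {
    "ipConfiguration": {"ipv4Enabled": True},
    "databaseFlags": [{"name": "cloudsql.iam_authentication", "value": "on"}]}}
SAMPLE_RULES = [
    {"name": "allow-pg-from-proxy", "direction": "INGRESS", "sourceRanges": ["10.0.1.5/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
    {"name": "allow-ssh-from-iap", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
if __name__ == "__main__":
    print(audit_sql_instance(SAMPLE_INSTANCE), audit_firewall(SAMPLE_RULES, "10.0.1.5"))
```

The firewall check applies to a database reachable through VPC ingress rules, such as one hosted on a VM in the private subnet; the SSH key requirement is not covered here.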

This workflow prevents direct database exposure. While other methods rely on VPNs or static whitelists, the SSH access proxy grants just‑in‑time access with complete logging. It scales with multiple users without maintaining a flood of network rules.

You can test this pattern fast. hoop.dev lets you spin up secure SSH access to private resources, including GCP databases, without writing custom proxy scripts. See it live in minutes—connect your database, lock down the IP, and route every query through a secure tunnel. Try it now on hoop.dev.
