Network Security for Databases
Database Security
Chapter 4 · Network Security for Databases
Chapter 1's warning box described a wave of ransomware attacks against databases exposed directly to the internet — no exploit, no injection, just a reachable port with nothing guarding it. This chapter is the deep dive on exactly that failure mode: making sure the network itself never gives an attacker a path to the database in the first place.
Binding to Localhost / Private Networks Only
A database's own configuration controls which network interfaces it listens on. Binding to 127.0.0.1 (localhost only) or a private network address means the database is physically unreachable from the public internet, regardless of any firewall — there's no route to it at all from outside.
When the application and the database run on genuinely separate machines, "localhost only" isn't an option — bind instead to the private network interface (a VPC-internal IP) that only other machines on that same private network can reach, never a public IP.
Firewall Rules
Binding to a private interface handles reachability from the public internet — a firewall handles reachability from everything else, including other machines on the same private network that still shouldn't have a path to the database port. The rule to apply: allowlist only the specific hosts (application servers, a bastion host) that genuinely need to connect, and deny everything else by default.
VPN & Bastion Host Access Patterns
Developers and DBAs still legitimately need occasional direct access — but that doesn't mean opening the database port itself to their laptops. The standard pattern: route human access through a VPN (the vpn1 course covers setup) or a bastion/jump host — a single, tightly monitored server that itself is allowed to reach the database, which a person tunnels through via SSH.
The database only ever needs to trust the bastion host's own IP in its firewall rules — individual developers' laptops, on changing IPs from home or a coffee shop, never need direct network access at all.
Never Expose a DB Port Directly to the Public Internet
Every rule above serves one central conclusion: a database port reachable from 0.0.0.0/0 (anywhere on the internet) is a mistake, full stop, regardless of whether authentication is enabled. It's not a matter of "probably fine since there's a password" — it's an unnecessary, entirely avoidable exposure of a valuable target to every scanner on the internet.
| Public-Facing DB Port | Private Network + Bastion | |
|---|---|---|
| Who can even attempt to connect | anyone on the internet | only the application server(s) and the bastion host |
| Discovered by automated scanners? | routinely, often within minutes to hours | never — there's no public route to find |
| A leaked/weak password's impact | immediately exploitable by anyone who finds the port | useless without also being on the private network or through the bastion |
0.0.0.0/0, even briefly during setup or testing, gets discovered far faster than most people expect — often before anyone even finishes configuring it. Chapter 1's ransomware example is the second half of this exact story: the scanner finds the open port first; whether authentication was ever properly configured is what determines what happens next. This chapter's job is making sure the first half — the port even being findable — never happens at all.
Hands-On Exercises
Explain the difference between binding a database to 127.0.0.1, binding it to a private network IP, and binding it to 0.0.0.0. Which of these, on its own, makes a database reachable from the public internet?
A developer wants occasional direct access to a production database for debugging. Describe the bastion-host access pattern that lets them do this without ever opening the database's port to the public internet.
📄 View solutionA teammate argues "our database has a strong password, so exposing the port publicly for convenience is fine." Using this chapter's material, explain what's wrong with that reasoning.
📄 View solutionChapter 4 Quick Reference
- Bind address controls which network interfaces the database listens on at all —
127.0.0.1(localhost) or a private IP is safe;0.0.0.0without a firewall is not - Firewall rules allowlist only the specific hosts that genuinely need to connect — deny by default
- VPN or bastion host access lets humans reach the database without ever opening its port directly — tunnel via SSH (
ssh -L, per the SSH course'sremote_lesson_05) or a VPN (vpn1course) - A database port reachable from anywhere on the internet is a mistake regardless of password strength — automated scanners find exposed ports within minutes to hours
- Configure network security from first deployment — "restrict it later" reliably becomes permanent, the same as Chapter 2's shared-account shortcut
- Next chapter: Encryption at Rest — full-disk encryption, transparent data encryption (TDE), column-level encryption, key management basics