Step 7. Configure Security Settings

[This step applies only if you have selected the Restore to a new location, or with different settings option at the Restore Mode step of the wizard]

At the Security step of the wizard, choose whether you want to connect to the restored Cloud SQL instance using SSL only, and choose whether you want the instance data to be encrypted with Google Cloud Key Management Service (Cloud KMS) customer-managed encryption key (CMEK). To do that, select the necessary Cloud SQL instance from the list and do the following:

  1. Click Security and in the Security Settings window:
  • Select Allow only secure connections (TLS) if you want to connect to the restored Cloud SQL instance using TLS.

Since TLS connections use digital certificates to provide encrypted access, make sure you have obtained a Certificate Authority (CA) certificate, a client public key certificate, and a client private key before you connect to the restored instance using SSL. For more information, see Google Cloud documentation.

  • Select Allow any connections if you do not want to connect to the restored Cloud SQL instance using TLS.
  1. Click Encryption and in the Security Settings window:
  • Select the Preserve the original encryption settings option if you do not want to encrypt persistent disks or want to apply the existing encryption scheme.

Note

The Preserve the original encryption settings option is disabled if the encryption key is not available in the region where the Cloud SQL instance will be restored.

  • Select the Use the following encryption key option if you want to encrypt persistent disks with customer-managed encryption key (CMEK). Then, select the necessary CMEK from the drop-down list.

For a CMEK to be displayed in the list of available encryption keys, it must be stored in the region selected at step 4 of the wizard.

SQL restore - Security settings