Improve instance security by enforcing SSL/TLS encryption Stay organized with collections Save and categorize content based on your preferences.
This page describes how to view and implement recommendations about configuringinstance settings to enforce SSL/TLS encryption requirements for direct connections. Encryption helps ensure secure data transfer. Thisrecommender is calledRequire SSL.
Every day, this recommender proactively detects instances that don'tenforce encryption requirements for direct connections and provides insights and recommendations to improveyour instance security. You can view insights and detailed recommendations aboutthese instances by using the Google Cloud console,gcloud CLI, or theRecommender API.
Before you begin
Ensure that youenable the Recommender API.
Required roles and permissions
To get the permissions to view and work with insights and recommendations, ensure that you have the requiredIdentity and Access Management (IAM) roles.
Tasks | Roles |
---|---|
View recommendations | recommender.cloudsqlViewer orcloudsql.admin . |
Apply recommendations | cloudsql.editor orcloudsql.admin . |
List the recommendations
To list the recommendations, follow these steps:
Console
To list recommendations about instance security, follow these steps:
Go to theCloud SQL Instances page.
View theIssues column in the instance table.
Alternatively, follow these steps:
Go to theRecommendation Hub.
For more information, seeExploring recommendations.
In theAll recommendations card, clickSecurity.
gcloud
Run thegcloud recommender recommendations list
command as follows:
gcloud recommender recommendations list \--project=PROJECT_ID \--location=LOCATION \--recommender=google.cloudsql.instance.SecurityRecommender \--filter=recommenderSubtype=REQUIRE_SSL
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as us-central1.
API
Call therecommendations.list
method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=REQUIRE_SSL
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as
us-central1
.
View insights and detailed recommendations
To view insights and detailed recommendations, follow these steps:
Console
After listing the recommendations, click a recommendation.The recommendation panel appears, which contains insights and detailed recommendations.
gcloud
Run thegcloud recommender insights list
command as follows:
gcloud recommender insights list \--project=PROJECT_ID \--location=LOCATION \--insight-type=google.cloudsql.instance.SecurityInsight \--filter=insightSubtype=SSL_NOT_REQUIRED
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION : A region where your instances are located, such as
us-central1
.
API
Call theinsights.list
method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=SSL_NOT_REQUIRED
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as
us-central1
.
Apply the recommendation
Console
To implement the recommendation, clickManage SSL encryption andenforce SSL/TLS encryptionon your instance.
gcloud
To implement the recommendation,enforce SSL/TLS encryptionon your instance.
API
To implement the recommendation,enforce SSL/TLS encryptionon your instance.
What's next
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-14 UTC.