GCP Logging - Identify Unusual Traffic
I recently noticed some unusual traffic on my Google Cloud SQL instance.
Can you please help me identify the source of this traffic?(Attached image)
Interestingly, I get around 40 Hits(All 'password authentication failed') in a 15 minute span everyday and then nothing. The exact log does not contain any IP or other source information so I am curious if there was another way I could find info on the source.
P.S It is not due to anything I have scheduled/automated.
Have you configured Cloud SQL instance to have a public IPv4 address? if so the connection can be using:
- the public IP and coming from the adresses or the ranges you configured in
Cloud SQL Instances > Overview > Connections > Authorized networks - the Cloud SQL Auth Proxy but the it must has the at least the
cloudsql.instances.connectpermission
If only the private IP is configured on your instance, you can only connect from within the same network as your instance (so it's less worrying).
Unfortunately the audit logs for "cloudsql.instances.connect" that can show the ip address of the caller, shows only when the Cloud SQL Auth Proxy
- has the permission mentioned above and succeeds to autneticate
- dont have the permission and show the
Not authorized to access resourcelog message and it's not your case