Hey there! Let's break down your two requirements and share practical, actionable solutions tailored to your needs:

To make your database accessible to other networks, follow these key steps (I'll use common databases like MySQL/PostgreSQL as examples):

• Configure database to listen for remote connections

  • For MySQL: Edit your my.cnf (or my.ini on Windows) and set bind-address = 0.0.0.0 to allow connections from any IP. Restart the MySQL service after saving changes.
  • For PostgreSQL: Modify postgresql.conf and set listen_addresses = '*', then restart the PostgreSQL service.

• Update firewall rules
  Open the database's default port (e.g., 3306 for MySQL, 5432 for PostgreSQL) on your server's firewall. If you're using a cloud provider (AWS/Azure/GCP), don't forget to update the security group rules to allow inbound traffic on that port from your target IP ranges.

• Grant remote access permissions to database users

  • MySQL: Run this command to allow a user to connect from any IP (replace placeholders with your details):

    GRANT ALL PRIVILEGES ON your_database.* TO 'your_user'@'%' IDENTIFIED BY 'your_strong_password';
    FLUSH PRIVILEGES;
    

    Note: Replace % with a specific IP range (e.g., 192.168.1.0/24) for better security.
  • PostgreSQL: Edit pg_hba.conf to add a line like:

    host    your_database    your_user    0.0.0.0/0    scram-sha-256
    

    Then reload PostgreSQL with pg_ctl reload.

• Critical security reminders

  • Avoid using default ports; switch to a non-standard port (e.g., 3307 instead of 3306) to reduce brute-force attacks.
  • Enable SSL encryption for database connections to prevent data interception.
  • Never use weak passwords; implement multi-factor authentication if your database supports it.

If you want to avoid VPNs and enable on-demand access for specific apps or users, here are three robust solutions that support full-duplex connections (perfect for stream processing scenarios):

Option 1: Self-Hosted Reverse Proxy Tunnel (FRP) #

FRP (Fast Reverse Proxy) is a lightweight tool that lets you establish a secure tunnel between your private server and a cloud server. It supports full-duplex communication and is easy to deploy:

• Setup steps

  1. Deploy FRP server (frps) on your cloud server:
     Create a frps.ini file with basic config:

     [common]
     bind_port = 7000  # Main FRP communication port
     token = your_secure_token  # Shared secret for authentication
     

     Start the server with ./frps -c frps.ini.

  2. Install FRP client (frpc) on your private server (where the database is):
     Create a frpc.ini file to map the database port to the cloud server:

     [common]
     server_addr = your_cloud_server_ip
     server_port = 7000
     token = your_secure_token
     
     [database_tunnel]
     type = tcp
     local_ip = 127.0.0.1
     local_port = 3306  # Your database port
     remote_port = 3306  # Port on cloud server to expose
     

     Start the client with ./frpc -c frpc.ini.

  3. Now, your clients can connect to the database via your_cloud_server_ip:3306, and FRP handles the full-duplex traffic between the cloud and private server.

Option 2: Custom WebSocket-Based Tunnel Application #

If you need more customization (e.g., integrating with your stream processing workflow), build a simple WebSocket tunnel to forward database traffic. WebSocket natively supports full-duplex communication:

• High-level implementation

  1. On your cloud server, run a WebSocket server that listens for client connections and forwards traffic to the tunnel endpoint.
  2. On your private server, deploy a WebSocket client that connects to the cloud server and relays database traffic between the local database and the cloud server.
  3. Your end-user apps connect to the cloud server's WebSocket endpoint, which routes traffic to the private database via the tunnel.

  You can build this using frameworks like Node.js (with ws library) or Python (with websockets library) in a few hours, giving you full control over authentication and access rules.

Option 3: Cloud Provider Hybrid Connection Services #

For enterprise-scale scenarios, cloud providers offer managed services to connect private networks to the cloud without VPNs:

• AWS: AWS Direct Connect (dedicated physical connection) or AWS Transit Gateway with VPN alternatives.
• Azure: Azure ExpressRoute or Azure Private Link.
• GCP: Cloud Interconnect or Private Service Connect.

These services provide low-latency, full-duplex connections but come with higher costs and setup complexity compared to FRP or custom tunnels.

Key Security Tips for All Solutions #

• Always encrypt tunnel traffic (FRP supports TLS; WebSocket can use WSS; cloud services offer encryption by default).
• Implement strict access control: Only allow specific client IPs or app credentials to connect to the cloud server's exposed database port.
• Monitor tunnel traffic to detect unusual activity (e.g., unexpected connection attempts).

内容的提问来源于stack exchange，提问作者I don't know