How do you guys manage IP address access to production / dev databases?
The IP address of each individual in our organisation keeps on changing and it is really frustrating to go to DO / AWS security groups and keep on giving them access to the database (removing the old IP and adding the new one). How do you guys manage this?

I would avoid at all costs exposing the database to the public internet, even with IP whitelisting. Make the apps/users connect to a VPN (wireguard or openvpn, set up on a separate EC2/droplet). Then on the database server only allow connections from the internal IP of the VPN server. Ideally the database is in a private subnet in the VPC (can't be accessed directly from the outside at all) and the VPN server is in a public subnet with an Elastic (static) IP. That is how to set it up on AWS anyway, I am not sure of the DO networking equivalents off the top of my head.

Is there a simpler solution compared to using a VPN? As it is work from home right now and internet speed is not that great for a few folks in our organisation. I was thinking if there was a tool that could proxy connections only to the database.

I am not sure there is anything simpler. Anything else you could do is just moving your problem upstream.

Throw a connection pooler in front of the database and have the users connect to that?

Well sure, you could do that. But it doesn't really help you. You can now tell the database to only accept connections from this pooler, but you have just moved your whitelist management problem upstream to the connection pooler; if you don't manage the pooler's whitelist, then you are effectively just exposing the database to the open internet.

SSH tunnels work. But you still need to control access to the bastion server / outside host system.

Thinking of building a chrome extension with authentication for that.
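As an added illustration of the layout the VPN reply above describes (not code from anyone in the thread): a WireGuard host with a static public IP in the public subnet, one client peer per person, and a database host in the private subnet that accepts connections only from the VPN host's internal address. All addresses, interface names and keys are placeholders chosen for this example, and the database is assumed to be PostgreSQL, which the thread does not state.

```ini
# --- /etc/wireguard/wg0.conf on the VPN host (public subnet, Elastic IP) ---
# Placeholder addressing: tunnel network 10.8.0.0/24, this host's VPC private
# address 10.0.1.10, database host 10.0.2.20. Keys are placeholders.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPN_SERVER_PRIVATE_KEY>
# Source-NAT tunnel traffic so the database only ever sees 10.0.1.10, the
# VPN host's private IP, instead of each user's tunnel address.
# Assumes eth0 is the VPC-facing interface.
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# One [Peer] block per person. Access is tied to a key, not to whatever
# public IP the person has today; revoking access is deleting the block.
[Peer]
# alice
PublicKey = <ALICE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# --- client config on alice's laptop ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <ALICE_PRIVATE_KEY>

[Peer]
PublicKey = <VPN_SERVER_PUBLIC_KEY>
Endpoint = <VPN_ELASTIC_IP>:51820
# Split tunnel: only the database host is routed through the VPN, so a slow
# home connection is not forced to carry all of the user's traffic over it.
AllowedIPs = 10.0.2.20/32
PersistentKeepalive = 25

# --- pg_hba.conf on the database host (private subnet, 10.0.2.20) ---
# TYPE  DATABASE  USER  ADDRESS        METHOD
# Only the VPN host's private address may connect; no other host rule exists,
# so anything else is rejected before authentication is attempted.
host    all       all   10.0.1.10/32   scram-sha-256
# Matching security-group / cloud firewall rule for the database host:
# inbound TCP 5432 from 10.0.1.10/32 only (or from the VPN host's security
# group), and no 0.0.0.0/0 rule at all.
```

Because of the MASQUERADE rule the database's own logs attribute every connection to 10.0.1.10, so per-person accountability has to come from individual database accounts and from the WireGuard peer list (`wg show` on the VPN host). Dropping the NAT and listing each tunnel address (10.8.0.0/24) in pg_hba.conf instead keeps per-user source addresses visible to the database, at the cost of a routing rule back to the tunnel network on the database host.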