Access to a MySQL server

🛡️ Intro

In this example, we'll secure access to a Database server using Border0.
For more info about Border0 and Databases, also see this video demo

We'll walk through the following steps together.

  1. Launch a MySQL server (Docker)
  2. Create a database socket and tunnel.
  3. Authenticate and Connect
  4. Kill the session and watch the recording
  5. Using the Border0 Desktop app to access your database

1 Run a local MySQL server with docker

You can make any MySQL database server available with Border0; for testing purposes, we'll use a MySQL Docker container as the server.


It works through NAT and Firewalls

Don't worry if your laptop is behind NAT. Border0 works perfectly fine with resources that are behind NAT.

docker run --name some-mysql --rm -e MYSQL_ROOT_PASSWORD=my-secret-pw -d -p 3306:3306  mysql

This will start a local MySQL server listening on port 3306, with my-secret-pw as root password.
Before we continue, let's just make sure if it came up ok and test connecting to the database locally as user root and password my-secret-pw
mysql -u root -pmy-secret-pw -h localhost --protocol TCP

Once connected, you can do a query like the one below. If this works, you're all good to continue. Your local MySQL instance is working.

$ mysql -u root -pmy-secret-pw -h localhost  --protocol TCP
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.0.30 MySQL Community Server - GPL

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW VARIABLES LIKE 'version';
| Variable_name | Value  |
| version       | 8.0.30 |
1 row in set (0.00 sec)


2 - Create a database socket and connect.

Let's create a database socket and set the upstream type to MySQL. We'll need the credentials, so our proxy can connect to the database.

border0 socket create \
    --type database \
    --name "mysqltest" \
    --upstream_type mysql \ 

Now connect your newly created socket to the Border0 Platform.

border0 socket connect  \
     mysqltest \
    --port 3306 \
    --upstream_username root \
    --upstream_password my-secret-pw 

Now your database is ready to accept connections through border0. Clients can access your database from anywhere (no VPN needed), just using their Single sign-on credentials.


border0 versions

If you use a border0 version older than v1.1-146 (border0 version check), you must specify the upstream_username and upstream_password flags with the border0 socket create command instead of
the border0 socket connect command.



Remember that we haven't yet attached a policy to this socket, so the default organization-wide policies are applied automatically.

By default, our proxy will try to establish a secure database connection using TLS. If the database server does not support TLS, it will fall back to a non-TLS connection.

For an even more secure connection, it's possible to specify the root CA to verify the server certificate (flag: upstream_ca_filename). And for certificate authentication, it is possible to use the flags upstream_certificate_filename and upstream_key_filename. To disable TLS, you can specify the --upstream_tls=false flag.

3 - Authenticate and Connect

The easiest way to connect is to use the border0 CLI. From there, it's easy to discover all your databases and launch your preferred database client.

First, make sure you're logged in to your organization.

border0 client login


Organization name

If this is your first time issuing a client login, it will ask you for an Organization name. The Organization name is the part between the socket name and ie.

After you have the organization name, then login with
border0 client login --org <orgname>

The next time you log in, we'll remember your organization name, and you can just log in with border0 client login

Then request the list of all databases you have access to and pick your preferred client.

border0 client db

Alternatively, you can connect directly, like: border0 client db:mysql --host mysqltest-<org>
Or use any of the other supported built-in tools.

If you want to, you can connect directly using the MySQL client like this. The hostname and port number were printed when you created the socket. The key and cert file are created after executing the border0 client login command.

$ mysql -h -P 24558 --protocol TCP \
         -u root \
        --ssl-cert=~/.border0/<org_id>.crt  \

4 - Kill the session and watch the recording

Go to the portal, and click on your database socket. Go to the sessions tab and kill your session.
Refresh the session's webpage, and now click watch recording.


5. Using the Border0 Desktop app to access your database

Using the Border0 Desktop App, you'll be able to quickly discover all services (sockets) you have access to as an end-user.
In the demo below, you can see how the app lists all Database resources. After we click on "connect", it asks the user which database client the user prefers and launches the client for the user.