Overview
Default MySQL installs bind to localhost. Remote reporting tools and apps need a user granted for your client IP or subnet and network access to port 3306.
Never expose MySQL directly to the public internet without VPN and TLS.
Implementation
Edit bind-address = 0.0.0.0 in mysqld.cnf cautiously. CREATE USER 'app'@'10.0.%' IDENTIFIED BY 'secret'; GRANT SELECT ON db.* TO 'app'@'10.0.%'; Open firewall for source IPs only.
Use SSH tunnel: ssh -L 3307:127.0.0.1:3306 user@server.
When implementing guidance from Accessing MySQL databases from remote computer, start in a controlled environment that mirrors production versions of operating systems, runtimes, and network policies. Capture a baseline before changes: export configs, snapshot VMs, or tag releases in source control so rollback stays straightforward if behavior regresses.
Document prerequisites, expected outcomes, and verification steps in a short runbook. Automated checks—smoke tests, health endpoints, or query validations—catch regressions early when platforms receive patches. Security belongs in every workflow: apply least privilege, rotate secrets, and review audit logs after deployment.
If results differ across machines, compare environment variables, permission models, time zones, and regional settings. Intermittent issues often trace to caching layers, stale DNS, or duplicated services bound to the same port.
Example
CREATE USER 'report'@'192.168.1.%' IDENTIFIED BY 'strongpass';
GRANT SELECT ON sales.* TO 'report'@'192.168.1.%';
FLUSH PRIVILEGES;
Tips
- Prefer read-only users for BI.
- Require REQUIRE SSL on grants.
- Audit failed logins.
- Cloud RDS uses security groups.
- Re-verify after reboots, certificate renewals, or failover exercises.
- Align monitoring and alerts with the failure modes described in this guide.
- Keep vendor documentation links handy for breaking changes between versions.
- Pair automation with a manual spot check during initial production rollout.