Connect AnomalyArmor to any MySQL-compatible database. This guide covers self-hosted MySQL as well as managed services like Amazon RDS, Aurora MySQL, PlanetScale, and DigitalOcean.
Platform Minimum Version Notes MySQL 5.7+ Self-hosted or any cloud Amazon RDS 5.7+ All instance classes Amazon Aurora MySQL 5.7+ Cluster and serverless PlanetScale Any Serverless MySQL DigitalOcean 8.0+ Managed databases Google Cloud SQL 5.7+ Public or private IP Azure Database 5.7+ Single server or flexible MariaDB 10.3+ MySQL-compatible fork
Connection Settings Field Description Example Connection Name Friendly identifier Production MySQLHost Hostname or IP address db.example.comPort Database port 3306Database Database name myapp_productionUsername Database user anomalyarmorPassword User password ••••••••SSL Mode SSL configuration require
SSL Mode Options Mode Description When to Use disableNo SSL Local development only requireSSL required, no verification Recommended for most cloud providersverify-caVerify server certificate High security requirements verify-fullVerify certificate and hostname Maximum security
Never use disable for production databases. Most cloud providers (RDS, Aurora, PlanetScale) require SSL.
Creating a Read-Only User Create a dedicated user with minimal permissions:
-- Create the user CREATE USER ' anomalyarmor '@ '%' IDENTIFIED BY 'your-secure-password' ; -- Grant read access to your database GRANT SELECT ON your_database. * TO 'anomalyarmor' @ '%' ; -- Access to information_schema is implicit with SELECT -- Flush privileges to apply changes FLUSH PRIVILEGES;
For Multiple Databases If you want to monitor multiple databases:
-- Grant access to specific databases GRANT SELECT ON database1. * TO 'anomalyarmor' @ '%' ; GRANT SELECT ON database2. * TO 'anomalyarmor' @ '%' ; GRANT SELECT ON analytics. * TO 'anomalyarmor' @ '%' ; FLUSH PRIVILEGES;
Verifying Permissions Test that the user can access metadata:
-- Should return tables SELECT TABLE_NAME FROM INFORMATION_SCHEMA . TABLES WHERE TABLE_SCHEMA = 'your_database' LIMIT 5 ; -- Should return columns SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA . COLUMNS WHERE TABLE_SCHEMA = 'your_database' LIMIT 5 ;
Provider-Specific Instructions Amazon RDS
Amazon Aurora MySQL
PlanetScale
Self-Hosted
Google Cloud SQL
DigitalOcean
Amazon RDS MySQL Connection Details :
Host : Your RDS endpoint (e.g., mydb.abc123.us-east-1.rds.amazonaws.com)Port : 3306 (default)SSL Mode : require Security Group Configuration :
Go to AWS Console → RDS → Your Instance → Security Groups
Edit inbound rules
Add rule:
Type: MySQL/Aurora
Port: 3306
Source: AnomalyArmor IPs (see Settings → Security)
Parameter Group (if using verify-ca or verify-full):
Ensure require_secure_transport = ON
Download RDS CA certificate bundle
RDS instances in private subnets require NAT Gateway or VPC peering for AnomalyArmor access. Contact us for Enterprise VPC peering options.
Amazon Aurora MySQL Connection Details :
Host : Cluster endpoint (reader or writer)Port : 3306 (default)SSL Mode : require Choosing the Right Endpoint :Endpoint Use Case Cluster (writer) If you need real-time schema changes Reader Recommended - no impact on production writes
Aurora Serverless v2 :
Use the cluster endpoint
Ensure minimum ACU allows connections during discovery
Consider scheduling discovery during active hours
PlanetScale Connection Details :
Host : Your branch endpoint (e.g., aws.connect.psdb.cloud)Port : 3306SSL Mode : require (mandatory) Getting Credentials :
Go to PlanetScale Dashboard → Your Database → Settings → Passwords
Create a new password with Read-only access
Copy the connection details
Important Notes :
PlanetScale requires SSL - disable mode will fail
Use the main branch for production monitoring
Create separate credentials for AnomalyArmor
PlanetScale uses Vitess which may show slightly different table metadata than standard MySQL. All core functionality works correctly.
Self-Hosted MySQL Connection Details :
Host : Your server’s hostname or IPPort : 3306 (or custom port)SSL Mode : Depends on your setup Firewall Configuration :Allow inbound connections from AnomalyArmor IPs: # iptables example iptables -A INPUT -p tcp --dport 3306 -s 34.xxx.xxx.xxx -j ACCEPT iptables -A INPUT -p tcp --dport 3306 -s 34.xxx.xxx.xxx -j ACCEPT
MySQL Configuration (my.cnf):Allow remote connections: [mysqld] bind-address = 0.0.0.0
SSL Setup (if not already configured):# Generate certificates mysql_ssl_rsa_setup --uid=mysql # Enable in my.cnf [mysqld] ssl-ca = /var/lib/mysql/ca.pem ssl-cert = /var/lib/mysql/server-cert.pem ssl-key = /var/lib/mysql/server-key.pem require_secure_transport = ON
User Host Configuration :Ensure user is created for remote access: -- Allow from any host CREATE USER ' anomalyarmor '@ '%' IDENTIFIED BY 'password' ; -- Or allow from specific IPs only CREATE USER ' anomalyarmor '@ '34.xxx.xxx.xxx' IDENTIFIED BY 'password' ;
Google Cloud SQL for MySQL Connection Methods :Method Description Public IP Add AnomalyArmor IPs to authorized networks Cloud SQL Proxy For private IP instances (self-managed)
Public IP Setup :
Go to Cloud Console → SQL → Your Instance → Connections
Under Authorized Networks , click Add Network
Add each AnomalyArmor IP
Connection Details :
Host : Public IP from instance overviewPort : 3306SSL Mode : require Cloud SQL requires SSL by default. If you need verify-ca, download the server certificate from the instance details.
DigitalOcean Managed MySQL Connection Details :
Host : Your database cluster hostnamePort : 25060 (DigitalOcean uses non-standard port)SSL Mode : require (mandatory) Getting Credentials :
Go to DigitalOcean → Databases → Your Cluster
Click Connection Details
Select Direct Connection or Connection Pool
Trusted Sources :
Go to Settings → Trusted Sources
Add AnomalyArmor IP addresses
DigitalOcean requires SSL and uses port 25060 by default.
What We Query AnomalyArmor runs these types of queries:
-- Tables and views SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE FROM INFORMATION_SCHEMA . TABLES WHERE TABLE_SCHEMA NOT IN ( 'mysql' , 'information_schema' , 'performance_schema' , 'sys' ); -- Columns SELECT COLUMN_NAME, DATA_TYPE, IS_NULLABLE, COLUMN_DEFAULT FROM INFORMATION_SCHEMA . COLUMNS WHERE TABLE_SCHEMA = 'your_database' ; -- Freshness (for timestamp columns) SELECT MAX (your_timestamp_column) FROM your_table;
Impact : Minimal. These are lightweight metadata queries.Excluded Schemas AnomalyArmor automatically excludes MySQL system schemas:
mysqlinformation_schemaperformance_schemasys
Only user-created databases and tables are monitored.
Troubleshooting
Can't connect to MySQL server
Causes :
Firewall blocking the connection
Wrong hostname or port
Database not running
Solutions :
Verify AnomalyArmor IPs are allowlisted
Check security group rules (for RDS/Aurora)
Test connectivity: nc -zv hostname 3306
Verify MySQL is running: systemctl status mysql
Causes :
Wrong password
User doesn’t exist for connecting host
User lacks privileges
Solutions :
Verify password (copy-paste to avoid typos)
Confirm user exists: SELECT User, Host FROM mysql.user;
Check user is created for % or specific IP
Verify grants: SHOW GRANTS FOR 'anomalyarmor'@'%';
Causes :
Database requires SSL but connection uses disable
SSL certificate issues
Solutions :
Set SSL Mode to require
For RDS/Aurora/PlanetScale: SSL is required
For self-hosted: Enable SSL or allow non-SSL (not recommended)
Causes :
Database name is incorrect
Database names are case-sensitive on Linux
Solutions :
Verify database name: SHOW DATABASES;
Use exact case for database name
Check you have access: SHOW DATABASES; (shows only accessible DBs)
No tables found in discovery
Causes :
User can’t see tables in information_schema
Schema filter excluding all schemas
Solutions :
Test as the user: SELECT * FROM INFORMATION_SCHEMA.TABLES LIMIT 5;
Check schema filter settings in AnomalyArmor
Verify tables exist in the database
Next Steps
Run Discovery Scan your MySQL database
Set Up Alerts Get notified of schema changes
