Maybe we're talking about different things. If there's a VPN link between the two servers there shouldn't be any "network in between"
Fair point, if it's a true point-to-point VPN between just the two boxes, there's not much "in between" to worry about. TLS on top is mostly defense in depth at that point. What I had in mind was the more common setup where your app and DB sit on a shared network (VPC, corporate LAN). The traffic between them is unencrypted, and you're trusting every piece of infrastructure in that path (switches, hypervisors, sidecar containers) to not be compromised.
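As an added illustration (not from either commenter), here is a small Python check that reports what a libpq-style PostgreSQL connection URL actually guarantees on that app-to-DB hop: `sslmode=require` makes encryption mandatory but does not authenticate the server unless a CA file is supplied, and only `verify-full` also matches the certificate to the hostname. The sample DSNs are constructed.

```python
from urllib.parse import parse_qs, urlparse

# libpq sslmode values ordered weakest to strongest (PostgreSQL URL syntax assumed)
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]

def tls_posture(url: str) -> dict:
    """Return what a libpq-style connection URL actually guarantees on the wire.
    encrypted:   TLS is mandatory (an on-path device cannot strip it)
    server_auth: the server certificate is checked against a trusted CA
    host_check:  the certificate is also matched to the hostname connected to
    """
    params = {k: v[-1] for k, v in parse_qs(urlparse(url).query).items()}
    mode = params.get("sslmode", "prefer")  # libpq default when unset
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    # libpq behaviour: 'require' plus sslrootcert verifies the CA like verify-ca
    if mode == "require" and "sslrootcert" in params:
        mode = "verify-ca"
    rank = SSLMODES.index(mode)
    return {
        "mode": mode,
        "encrypted": rank >= SSLMODES.index("require"),
        "server_auth": rank >= SSLMODES.index("verify-ca"),
        "host_check": mode == "verify-full",
    }

def audit(urls: list[str]) -> list[str]:
    """List the URLs that leave the app-to-DB hop exposed on a shared network."""
    findings = []
    for url in urls:
        p = tls_posture(url)
        if not p["encrypted"]:
            findings.append(f"{url}: plaintext possible (sslmode={p['mode']})")
        elif not p["host_check"]:
            findings.append(f"{url}: encrypted but server not fully authenticated (sslmode={p['mode']})")
    return findings

# Constructed sample DSNs, as they might appear in an app's config
SAMPLE_URLS = [
    "postgresql://app@db.internal:5432/orders",
    "postgresql://app@db.internal:5432/orders?sslmode=require",
    "postgresql://app@db.internal:5432/orders?sslmode=require&sslrootcert=/etc/ssl/db-ca.pem",
    "postgresql://app@db.internal:5432/orders?sslmode=verify-full&sslrootcert=/etc/ssl/db-ca.pem",
]

if __name__ == "__main__":
    for line in audit(SAMPLE_URLS):
        print(line)
```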