Secure MySql/MariaDB Replication

It would be preferable to have TLS instead of SSH. it is also documented for use of SSL/TLS. The firewall may have already been open for SSL and you can point the use of certificate to a CA that you own.

Rather than to manage the SSH keypair separately as individual system - you have no oversight for all. Key management operational effort requires a party to ensure all key are safely stored too.

Better to reduce the attack surface with less remote connection to database. SSH normally more for remote administration session rather than replication purpose.

https://mariadb.com/kb/en/library/replication-with-secure-connections/

as long as they only expose the mysql server to the outside from your ip which should be configured in their firewall, it does not matter much how you secure. unless the data is very sensitive, it is not actually very useful to even bother setting up ssl.

if you do setup ssl, make sure you do proper authentication with client certificates

that said, SSH is MUCH safer than SSL overall. in my book, SSL is plain broken and any hacker and many script kiddies will be able to snif SSL connections.

but i concur, setting up ssh access will definitely expose the server quite a lot. unless ssh is already available, i see little reason to do so.

How does ssh expose the slave server?  Seems that the Master server would be exposed since the slave would be initiating the tunnel to the Master?

System forces the selection of a Best Answer, however both were high quality.  Wish I could select best for both.