Introduction

Giving a MySQL user remote access is not only about creating the user. You also need the right host pattern in the account definition, a MySQL server that listens on the intended interface, and firewall or cloud-network rules that allow the connection.

Create a User With a Remote Host Pattern

In MySQL, users are identified by both username and host. A user allowed only from localhost is different from a user allowed from another machine.

CREATE USER 'appuser'@'192.168.1.%' IDENTIFIED BY 'strong_password_here';
GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.* TO 'appuser'@'192.168.1.%';

That creates a user who can connect only from hosts in that subnet pattern.

If you truly want access from anywhere, you can use % as the host wildcard, but that should be a deliberate security choice.

CREATE USER 'appuser'@'%' IDENTIFIED BY 'strong_password_here';
GRANT ALL PRIVILEGES ON mydb.* TO 'appuser'@'%';

Do Not Default to Remote Root

The goal should usually be a dedicated application or admin account, not remote access for root. Least privilege matters here.

A scoped user with only the permissions it needs is much safer than exposing a globally powerful account over the network.

Make Sure MySQL Listens for Remote Connections

Even with the correct user, the server may still accept only local connections. Check the MySQL server config for bind-address under the [mysqld] section.

[mysqld]
bind-address = 0.0.0.0

Use this carefully. In many environments, binding to a private interface instead of all interfaces is safer.

After config changes, restart MySQL.

Network Rules Still Matter

MySQL user permissions are only one layer. The machine or cloud network must also allow inbound traffic on the MySQL port, usually 3306.

That means checking:

• local firewall rules
• cloud security groups or network ACLs
• VPN or private-network requirements
• whether the client can route to the server at all

If the account is correct but the port is blocked, login still fails.

Verify the Account and Grants

After creating the user, confirm what MySQL thinks the grants are.

SHOW GRANTS FOR 'appuser'@'192.168.1.%';

This is a fast way to catch host-pattern mistakes or missing privileges before debugging the client side.

Prefer Narrow Host Scopes When Possible

A host value such as 192.168.1.% or a known DNS host is generally better than % when you know where the client connections should originate.

Remote access is safest when you restrict both:

• what the user can do
• where the user can connect from

That combination gives you much more control than broad access from any host.

Test From the Real Client Host

After making the changes, verify the connection from the actual remote machine that is supposed to use the account. Testing only from the database server itself does not prove that network routing, host matching, and remote firewall rules are correct.

Common Pitfalls

The biggest mistake is creating the user correctly but forgetting that MySQL distinguishes accounts by both username and host.

Another issue is granting remote permissions while the server still listens only on 127.0.0.1.

A third problem is opening up remote access with % and excessive privileges when a narrow host range and limited grants would be enough.

Summary

• Remote MySQL access requires the correct user-host account, not just a username.
• Create the user with a host pattern that matches the intended client machines.
• Grant only the privileges the user actually needs.
• Ensure MySQL is listening on the intended network interface.
• Check firewall and cloud-network rules in addition to MySQL grants.