Quick answer: Allow remote MySQL from one IP by setting bind-address to accept network connections, granting the user access from that specific IP (never the wildcard), and opening port 3306 in the firewall scoped to the same address. Test with mysql -h server-ip -u user -p.
MySQL on a Linux server listens only to the local machine by default. To let an external application or a desktop tool connect, you must bind MySQL to the network, grant the user remote access, and open the firewall - and do it without exposing the database to the whole internet.
Edit the MySQL config (/etc/my.cnf or /etc/mysql/mysql.conf.d/mysqld.cnf) and set the bind address so the server accepts external connections:
bind-address = 0.0.0.0
Restart MySQL afterwards: systemctl restart mysqld (or mysql).
Create or update the user so it may connect from your application's IP only - never use the % wildcard for production:
CREATE USER 'appuser'@'203.0.113.10' IDENTIFIED BY 'strong-password'; GRANT ALL PRIVILEGES ON yourdb.* TO 'appuser'@'203.0.113.10'; FLUSH PRIVILEGES;
Replace 203.0.113.10 with the exact IP that will connect.
Scope port 3306 to the same address rather than opening it to everyone:
# firewalld firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=203.0.113.10 port port=3306 protocol=tcp accept' firewall-cmd --reload
On a control panel, add the equivalent rule in its firewall section, and in cPanel also add the IP under Remote MySQL.
Connect from the allowed machine with mysql -h your-server-ip -u appuser -p. If it fails, re-check the bind address, the user host, and the firewall scope in that order. Leave the access limited to known IPs; an open 3306 port is a frequent breach vector.
Should I use the wildcard for the user host?
No - scope the user and firewall to the exact IP; an open 3306 is a common breach vector.
In cPanel, where do I add the IP?
Under Remote MySQL, add the connecting IP address.
On a SoftSys managed Linux VPS our team sets up scoped remote MySQL access for you, so your application connects securely without the database being reachable by the rest of the internet.