Google Cloud SQL has a firewall feature that lets me input the IPs I allow to connect to cloud SQL. I was wondering, how would I allow access to an autoscaling webserver since I don't know their IPs?
Will enabling cloud sql api permissions on the server allow it to work without adding the IP on the cloud SQL UI?
You would use the Cloud SQL Proxy to connect which does not require IP whitelisting.
Related
I was wondering if there's any possible solution to connect a GCP AIP tunnel to a DB (Cloud SQL Proxy) when the DB has no public IP.
I don't want to create a new VM for this purpose so I'm only interested in solutions that don't require me to use a VM.
Thanks in advance.
There are two ways to connect your on-prem network to the VPC, but both are fairly involved (and potentially expensive):
You can use Cloud Interconnect
You can use Cloud VPN to set up a HA VPN
For both scenarios, you'll also need to configure Cloud Router to export the routes to your Cloud SQL instance into your on-prem network.
Additionally (if you have control of your constraints) you could revisit the idea of using Public IP. Using the Cloud SQL Auth proxy allows you to authorize your connections using an IAM identity as opposed to traditional firewalling or SSL certs. You can even use org policies to restrict Authorized Networks, making the Auth proxy required to connect. enter link description here
I have 2 google cloud services:
Google Cloud Run Service (Node Js / Strapi)
Google Cloud SQL Service (Mysql)
I have added the Cloud SQL connection to the Google Cloud Run Service from the UI, and have a public IP for the Google Cloud SQL Service. On top of that I have added the Run Service IP to the Authorised networks of SQL Service.
If I try and connect from another server (external from Google cloud) I can easily connect to the Google Cloud SQL Service and execute queries.
But if I try and connect from inside the GCloud Run Service with exactly the same settings (Ip, database_name, etc) my connection hangs and I get a timeout error in the logs...
How to properly allow Gcloud SQL to accept connections from GCloud RUN?
I looked for other answers in here, but they all look very old (around 2015 )
You can use 3 modes to access to your database
Use the built-in feature. In this case, you don't need to specify the IP address, it's a linux socket that is open to communicate with the database as described in the documentation
Use Cloud SQL private IP. This time, no need to configure a connection in the Cloud Run service, you won't use it because you will use the IP, not the linux socket. This solution required 2 things
Firstly attach your database to your VPC and give it a private IP
Then, you need to route the private IP traffic of Cloud Run through your VPC. For this you have to create, and then to attach to the Cloud RUn service, a serverless VPC Connector
Use CLoud SQL public IP. This time again, no need to configure a connection in the Cloud Run service, you won't use it because you will use the IP, not the linux socket. To achieve this, you need more steps (and it's less secure)
You need to route all the egress traffic of Cloud Run through your VPC. For this you have to create, and then to attach to the Cloud RUn service, a serverless VPC Connector
Deploy your Cloud Run service with the Serverless VPC Connector and the egress connectivity param to "all"
Then create a Cloud NAT to route all the VPC Connector ip range traffic to a single IP (or set of IPs) (The link is the Cloud Functions documentation, but it works exactly in the same way)
Finally authorize the Cloud NAT IP(s) on Cloud SQL authorized networks.
In your case, you have whitelisted the Cloud Run IP, but it's a shared IP (other service can use the same!! Be careful) and it's not always the same, there is a pool of IP addresses used by Google cloud.
I have an AWS account with an EC2 in it that I am trying to connect to a Cloud SQL Server (MySQL 5.6) inside of Google Cloud Platform.
I have successfully set up a VPN between AWS and GCP and can echo a message over nc between an ec2 on AWS and a vm on GCP.
As GCP managed DB's are not placed inside of a VPC of my choosing I followed this guide to give the DB a private IP and to then peer that with my google VPC. I tested this works by accessing the DB via pymsql from an VM in GCP using the private IP of the DB.
However my issues come from connecting the EC2 inside of AWS to the Cloud SQL DB in the same way, I have followed this guide to allow the use of the DB's private IP from an external source but I seem to be getting stuck with how to set the routing up to the peered network the DB is sitting in using AWS Routing.
The problem has been sorted!
In the Advertised routes Settings of my Cloud Router, I had misunderstood the function of Advertise all subnets visible to the Cloud Router (Default)
I needed to instead choose Create custom routes" And then the sub-option Advertise all subnets visible to the Cloud Router.
This then allowed me to add the Cloud SQL subnet to my router to that IP block propagate over to AWS.
I'm having two Projects in GCP with Cloud SQL & GKE
Project A
-> Cloud SQL
Project B
-> GKE Cluster
Now I want to access Cloud SQL from GKE Cluster for which I have two options.
1. IPv4 address to connect
2. Clous SQL Proxy as sidecar
But the problem is both of them connects via Public IP. And I'm worried about latency so I was thinking can we access via VPC ? or some kind of internal network ? so the read/write will be more faster.
Cloud SQL now supports private connections: https://cloud.google.com/sql/docs/mysql/private-ip
Unfortunately not, the Cloud SQL is not accessed via internal, only through external IP or the Cloud SQL proxy. For GKE, using Cloud SQL Proxy as a sidecar container.
Is it possible to connect via an Amazon Java Web Project (AWS EC2) to an Google Cloud SQL?
You can get a public IP address for your Google Cloud SQL instance, and that should allow you to connect from EC2. Although the latency might be unacceptable depending on the distance between the client and the database.