This page contains information and examples for connecting to a Cloud SQL instance from a service running in the App Engine standard environment.
Cloud SQL is a fully-managed database service that helps you set up, maintain, manage, and administer your relational databases in the cloud.
App Engine is a fully managed, serverless platform for developing and hosting web applications at scale. You can choose from several popular languages, libraries, and frameworks to develop your apps, then let App Engine take care of provisioning servers and scaling your app instances based on demand.
Set up a Cloud SQL instance
- Enable the Cloud SQL Admin API in the Google Cloud project that you are connecting from, if you haven't already done so.
- Create a Cloud SQL for PostgreSQL instance. We recommend that you choose a Cloud SQL instance location in the same region as your Cloud Run service for better latency, to avoid some networking costs, and to reduce cross-region failure risks.
By default, Cloud SQL assigns a public IP address to a new instance. You also have the option to assign a private IP address. For more information about the connectivity options for both, see the Connecting Overview page.
Configure App Engine standard environment
The steps to configure App Engine standard environment depend on the type of IP address that you assigned to your Cloud SQL instance.
Public IP (default)
To configure App Engine standard environment to enable connections to a Cloud SQL instance using public IP:
- Make sure that the instance has a public IP address. You can verify this on the Overview page for your instance in the Google Cloud console. If you need to add one, see the Configuring public IP page for instructions.
- Get the INSTANCE_CONNECTION_NAME for your instance. You can find this value on the Overview page for your instance in the Google Cloud console or by running the following gcloud sql instances describe command:
  gcloud sql instances describe INSTANCE_NAME
  Replace INSTANCE_NAME with the name of your Cloud SQL instance.
- Ensure that the service account your app is using to authenticate calls to Cloud SQL has the appropriate Cloud SQL role and permissions.
- The service account for your service needs one of the following IAM roles:
  - Cloud SQL Client (preferred)
  - Cloud SQL Editor
  - Cloud SQL Admin
cloudsql.instances.connect
cloudsql.instances.get
By default, your app will authorize your connections using an App Engine service account. The service account identity is in the format PROJECT_ID@appspot.gserviceaccount.com.
If the authorizing service account belongs to a different project than the Cloud SQL instance, the Cloud SQL Admin API and IAM permissions will need to be added for both projects.
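A least-privilege check for the role requirement above, as an added example (not code from the original page). It reads a project IAM policy in the JSON shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json and uses the role IDs behind the three display names listed above; the policy shown is constructed and my-project is a placeholder project ID.

```python
# The three predefined roles this page lists, least privileged first.
CLOUDSQL_ROLES = ["roles/cloudsql.client", "roles/cloudsql.editor",
                  "roles/cloudsql.admin"]

def app_engine_default_sa(project_id):
    """IAM member string for the App Engine service account format shown above."""
    return f"serviceAccount:{project_id}@appspot.gserviceaccount.com"

def audit_cloudsql_access(policy, member):
    """Return (cloud_sql_roles_held, findings) for one member of a project policy.

    Only direct bindings of the three listed roles are checked; a custom or
    basic role may still carry cloudsql.instances.connect.
    """
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}
    sql_roles = [r for r in CLOUDSQL_ROLES if r in held]
    findings = []
    if not sql_roles:
        findings.append(f"{member}: none of the listed Cloud SQL roles is bound")
    for role in sql_roles:
        if role != CLOUDSQL_ROLES[0]:
            findings.append(f"{role} is broader than the preferred {CLOUDSQL_ROLES[0]}")
    return sql_roles, findings

# Constructed sample policy; project ID and members are placeholders.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudsql.admin",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com"]},
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:other@my-project.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    roles, findings = audit_cloudsql_access(
        SAMPLE_POLICY, app_engine_default_sa("my-project"))
    print("Cloud SQL roles held:", roles)
    for finding in findings:
        print("finding:", finding)
```

When the service account and the Cloud SQL instance are in different projects, run the check against the policy of the project that contains the instance.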
Private IP
If the authorizing service account belongs to a different project than the one containing the Cloud SQL instance, do the following:
- In both projects, enable the Cloud SQL Admin API.
- For the service account in the project that contains the Cloud SQL instance, add the IAM permissions.
- Make sure that the Cloud SQL instance created previously has a private IP address. If you need to add one, see Configure private IP for instructions.
- Create a Serverless VPC Access connector in the same VPC network as your Cloud SQL instance. Note the following conditions:
- Unless you're using Shared VPC, your connector must be in the same project and region as the resource that uses it, but it can send traffic to resources in different regions.
- Serverless VPC Access supports communication to VPC networks connected using Cloud VPN and VPC Network Peering.
- Serverless VPC Access doesn't support legacy networks.
- Configure App Engine standard environment to use the connector.
- Connect using your instance's private IP address and port 5432.
Connect to Cloud SQL
After you configure App Engine standard environment, you can connect to your Cloud SQL instance.
Public IP (default)
For public IP paths, App Engine standard environment provides encryption and connects using the Cloud SQL Auth Proxy in two ways:
- Through Unix sockets
- By using a Cloud SQL connector
Private IP
For private IP paths, your application connects directly to your instance through a VPC network. This method uses TCP to connect directly to the Cloud SQL instance without using the Cloud SQL Auth Proxy.
Connect with TCP
Connect using the private IP address of your Cloud SQL instance as the host and port 5432.
Python
To see this snippet in the context of a web application, view the README on GitHub.
Java
To see this snippet in the context of a web application, view the README on GitHub.
Note:
- CLOUD_SQL_CONNECTION_NAME should be represented as <MY-PROJECT>:<INSTANCE-REGION>:<INSTANCE-NAME>
- Using the argument ipTypes=PRIVATE will force the SocketFactory to connect with an instance's associated private IP
- See the JDBC socket factory version requirements for the pom.xml file here.
Node.js
To see this snippet in the context of a web application, view the README on GitHub.
Go
To see this snippet in the context of a web application, view the README on GitHub.
C#
To see this snippet in the context of a web application, view the README on GitHub.
Ruby
To see this snippet in the context of a web application, view the README on GitHub.
PHP
To see this snippet in the context of a web application, view the README on GitHub.
Best practices and other information
You can use the Cloud SQL Auth Proxy when testing your application locally. See the quickstart for using the Cloud SQL Auth Proxy for detailed instructions.
Connection Pools
Connections to underlying databases may be dropped, either by the database server itself, or by the underlying infrastructure. To mitigate this, we recommend that you use a client library that supports connection pools and automatic reconnection.
Connection Limits
Each App Engine instance running in a standard environment cannot have more than 100 concurrent connections to an instance. For PHP 5.5 apps, the limit is 60 concurrent connections. This limit applies per application instance. This means that each instance of the App Engine application can have that many connections to the database, and as it scales the total number of connections per deployment can grow. For more information, see Scaling elements.
You can limit the maximum number of connections used per instance by using a connection pool. For more detailed examples on how to limit the number of connections, see the Managing database connections page.
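The private IP TCP settings and the pool limits described above, combined in one added example (not code from the original page or its linked samples). The environment variable names INSTANCE_HOST, DB_PORT, DB_USER, DB_PASS and DB_NAME, the pg8000 driver in the URL and all sample values are assumptions; the pool keys are keyword arguments of SQLAlchemy's create_engine.

```python
import ipaddress
from urllib.parse import quote

PER_INSTANCE_LIMIT = 100  # concurrent connections per App Engine instance (this page)
POSTGRES_PORT = 5432      # port this page gives for the private IP path

def private_tcp_settings(env, pool_size=5, max_overflow=2):
    """Validate private-IP TCP settings; return (database URL, pool kwargs)."""
    # ip_address() raises ValueError for hostnames and malformed input.
    host = ipaddress.ip_address(env["INSTANCE_HOST"])
    if not host.is_private:
        raise ValueError(f"{host} is not a private address")
    port = int(env.get("DB_PORT", POSTGRES_PORT))
    if pool_size + max_overflow > PER_INSTANCE_LIMIT:
        raise ValueError("pool could exceed the per-instance connection limit")
    # Percent-encode credentials so '@', '/' or ':' cannot break URL parsing.
    url = "postgresql+pg8000://{}:{}@{}:{}/{}".format(
        quote(env["DB_USER"], safe=""), quote(env["DB_PASS"], safe=""),
        host, port, quote(env["DB_NAME"], safe=""))
    pool = {
        "pool_size": pool_size,        # connections kept open
        "max_overflow": max_overflow,  # extra connections allowed under load
        "pool_timeout": 30,            # seconds to wait for a free connection
        "pool_recycle": 1800,          # replace connections older than 30 min
        "pool_pre_ping": True,         # test a connection before use; reconnect if dropped
    }
    return url, pool

def deployment_ceiling(pool, max_instances):
    """Worst-case connections the whole deployment can open as it scales out."""
    return (pool["pool_size"] + pool["max_overflow"]) * max_instances

# Constructed sample environment; every value is a placeholder.
SAMPLE_ENV = {"INSTANCE_HOST": "10.20.0.3", "DB_USER": "app",
              "DB_PASS": "p@ss/w:rd", "DB_NAME": "orders"}

if __name__ == "__main__":
    url, pool = private_tcp_settings(SAMPLE_ENV)
    print(url)
    print("per instance:", pool["pool_size"] + pool["max_overflow"])
    print("at 20 instances:", deployment_ceiling(pool, 20))
    # With SQLAlchemy and pg8000 installed:
    #   engine = sqlalchemy.create_engine(url, **pool)
```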
App Engine applications are subject to request time limits depending on usage and environment. For more information, see how instances are managed in the App Engine standard and flexible environments.
API Quota Limits
App Engine provides a mechanism that connects using the Cloud SQL Auth Proxy, which uses the Cloud SQL Admin API. API quota limits apply to the Cloud SQL Auth Proxy. When the Cloud SQL Admin API starts, it uses a quota of two and an average of two per hour afterwards. The default quota is 180 per minute per user. App Engine applications are also subject to additional quotas and limits as discussed on the App Engine Quotas page.