If your source database is inside a VPN (in AWS, for example, or your
on-premises VPN), you also need to use a VPN on the destination side to connect
to the source.
There are many VPN products you can use. The steps to configure VPNs vary from
one product to another, but all of them are fundamentally similar. This section
contains examples using AWS and Google Cloud VPNs.
The source database server's firewall must be configured to allow the entire internal
IP range allocated for the private service connection of the VPC network that the
Cloud SQL destination instance will use as the privateNetwork field of its
ipConfiguration settings.
In the Google Cloud console, go to Hybrid Connectivity > VPN:
1. Click Create VPN connection.
2. Select your VPC network and region.
3. For the Cloud VPN, use the static IP address you reserved earlier in this procedure.
4. Use the pre-shared key and key type from the AWS configuration you downloaded
   earlier in this procedure.
5. Select the Route based routing option and add two tunnels. For each tunnel's
   Remote network IP range field, use the IP address given for the
   Static Route Configuration option in the IPSec Tunnel sections of the AWS
   configuration file you downloaded earlier in this procedure.
6. Click Create.
In the AWS RDS console:
1. Select a security group.
2. Add inbound firewall rules to allow all protocols and ports from the
The VPN tunnels should begin communicating shortly. On the AWS side, in the
VPC Dashboard, the tunnel statuses show UP. On the Google Cloud side, you can
view the traffic between the VPNs in the Cloud Logging console of the
Cloud VPN gateway project.
Example 2: AWS with Google Cloud HA VPN with dynamic routes
To make VPC Peering work with an HA VPN to AWS using dynamic routes, you need to
export BGP routes to the Cloud SQL peered VPC and create a custom advertised route
in Cloud Router for the route imported from the Cloud SQL peered VPC. At that point,
Cloud Router advertises AWS routes to the Cloud SQL VPC and vice versa. The
firewall rules on both sides also need to match the Cloud SQL peering route CIDR.
1. On the AWS side, follow the first three steps in Example 1, except select
   Dynamic instead of Static under Routing options.
2. Edit this VPC peering, check Import Custom Routes and Export Custom Routes in
   the VPC Peering connection details, and click SAVE.
   The peering now receives dynamic routes from your VPC, such as the routes
   coming from BGP peers. This allows traffic from the VPN to the peered network.
   However, Cloud Router is not yet advertising this route to other networks.
   To do so, you need to add custom advertised routes in the Cloud Router so
   that your VPC advertises the imported routes to other networks. For more
   information, see Importing and exporting custom routes.
3. Add your DESTINATION_IP_RANGE custom IP range as a custom route in the Cloud
   Router configuration's advertised routes. BGP peered networks now receive
   advertisements of the imported Cloud SQL network routes, DESTINATION_IP_RANGE.
   Traffic on those VPN-connected networks bound for the Cloud SQL peered VPC is
   now routed through the VPN tunnel.
4. Allow routes to propagate in AWS route tables. Make sure the AWS route tables
   for the subnets that contain your source database contain an entry for the
   DESTINATION_IP_RANGE range that routes to the VPN Virtual Private
5. Add a security group firewall inbound rule to allow traffic for
   DESTINATION_IP_RANGE on TCP port 3306.
Connectivity can now be established.
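Before testing connectivity, it helps to check that steps 3 to 5 above (Cloud Router advertisement, AWS route table entry, and security group rule) all agree on DESTINATION_IP_RANGE, and that the security group rule is no wider than that range. The following pre-flight check is an added example, not part of this procedure or of any Google or AWS tooling; the range, route-table entries, gateway id and security group rules are constructed sample values.

```python
import ipaddress

# Constructed sample values: the private service connection range the Cloud SQL
# destination uses (DESTINATION_IP_RANGE above) and a snapshot of each side's config.
DESTINATION_IP_RANGE = "10.50.0.0/20"
DB_PORT = 3306
# Custom advertised routes configured on the Cloud Router (Example 2, step 3)
CLOUD_ROUTER_ADVERTISED = ["10.50.0.0/20"]
# AWS route table for the subnet holding the source database (step 4);
# a "vgw-..." target is the VPN Virtual Private Gateway (constructed id)
AWS_ROUTES = [
    {"destination": "172.31.0.0/16", "target": "local"},
    {"destination": "10.50.0.0/20", "target": "vgw-0123abcd"},
]
# Inbound rules on the RDS security group (step 5)
AWS_SG_INBOUND = [
    {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.50.0.0/20"},
]


def covers(rule_cidr, needed_cidr):
    """True if the rule's CIDR contains the whole needed range."""
    return ipaddress.ip_network(needed_cidr).subnet_of(ipaddress.ip_network(rule_cidr))


def check_connectivity(dest_range, advertised, routes, sg_rules, port=DB_PORT):
    """Return findings for the VPN path; an empty list means every step is satisfied."""
    findings = []
    dest = ipaddress.ip_network(dest_range)
    # Step 3: Cloud Router must advertise the Cloud SQL range to its BGP peers
    if not any(covers(r, dest_range) for r in advertised):
        findings.append("Cloud Router does not advertise %s to BGP peers" % dest_range)
    # Step 4: AWS must route the range to the Virtual Private Gateway
    if not any(r["target"].startswith("vgw-") and covers(r["destination"], dest_range)
               for r in routes):
        findings.append("no AWS route for %s via the VPN gateway" % dest_range)
    # Step 5: an inbound rule must admit TCP 3306 from the whole range ...
    port_rules = [r for r in sg_rules
                  if r["protocol"] in ("tcp", "all") and r["from_port"] <= port <= r["to_port"]]
    if not any(covers(r["cidr"], dest_range) for r in port_rules):
        findings.append("security group does not allow TCP %d from %s" % (port, dest_range))
    # ... and should not admit more than that range (least privilege)
    for r in port_rules:
        if ipaddress.ip_network(r["cidr"]).prefixlen < dest.prefixlen:
            findings.append("rule %s on TCP %d is wider than %s" % (r["cidr"], port, dest_range))
    return findings


if __name__ == "__main__":
    print(check_connectivity(DESTINATION_IP_RANGE, CLOUD_ROUTER_ADVERTISED,
                             AWS_ROUTES, AWS_SG_INBOUND) or "VPN path checks out")
```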