Cloud SQL connectivity insights

Cloud SQL connectivity insights discover connectivity issues from a subnet to a Cloud SQL instance, where the subnet is in the same region and VPC network as the Cloud SQL instance.

A connectivity test is performed from an IP address of the subnet to the Cloud SQL instance using the TCP protocol and port 3307.

Connectivity to Cloud SQL instance blocked by egress firewall

This insight indicates that the connectivity with a Cloud SQL instance is blocked by an egress firewall.

This insight provides the following information:

  • SQL instance: Name of the Cloud SQL instance.
  • Network: Name of the VPC network where the Cloud SQL instance is configured.
  • Region: Region where the Cloud SQL instance is configured.
  • Connectivity drop cause: The reason why the connectivity is blocked. For this type of insight, it is a blocking firewall.
  • Blocking firewall: Name of the firewall that blocks the connectivity.

For more information, see Using firewall rules.

Recommendations

If the blocking firewall is configured by mistake, delete it. Alternatively, create an egress firewall rule that allows TCP traffic on port 3307 with a destination IP range matching the Cloud SQL instance's IP address. This rule should have a higher priority than the blocking firewall rule.
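The sketch below is an added example, not code from the original page or from Google. It evaluates exported VPC firewall rules for the tested flow (egress TCP 3307 to the instance IP) and derives a narrowly scoped allow rule that outranks the blocker; in VPC firewall rules a lower priority number means a higher priority, and deny wins a tie. Assumptions: every rule targets the source VM, firewall policies are not modeled, and the rule name `allow-cloudsql-egress` and the sample rules are constructed.

```python
import ipaddress

SQL_PORT = 3307  # port used by the connectivity test
# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 900,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-web-egress", "direction": "EGRESS", "priority": 800,
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]

def _covers(entry, port):
    """True if one allowed/denied entry matches TCP traffic on `port`."""
    if entry["IPProtocol"] not in ("tcp", "6", "all"):
        return False
    ports = entry.get("ports") or []
    for spec in ports:  # each spec is "3307" or a range such as "3000-4000"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return not ports  # no ports listed means every port

def egress_verdict(rules, dest_ip, port=SQL_PORT):
    """Return (action, rule_name, priority) of the egress rule deciding the flow."""
    ip = ipaddress.ip_address(dest_ip)
    matches = []
    for r in rules:
        ranges = r.get("destinationRanges") or ["0.0.0.0/0"]
        if (r.get("direction") != "EGRESS" or r.get("disabled")
                or not any(ip in ipaddress.ip_network(c) for c in ranges)):
            continue
        for action in ("denied", "allowed"):
            if any(_covers(e, port) for e in r.get(action, [])):
                # Lowest number wins; False sorts first, so deny wins a tie.
                matches.append((r["priority"], action == "allowed", r["name"]))
    if not matches:
        return ("allowed", "implied-allow-egress", 65535)
    prio, is_allow, name = min(matches)
    return ("allowed" if is_allow else "denied", name, prio)

def suggest_allow(rules, dest_ip):
    """Return a narrow allow rule that outranks the blocking rule, or None."""
    action, name, prio = egress_verdict(rules, dest_ip)
    if action != "denied":
        return None
    if prio == 0:
        raise ValueError(f"{name} is at priority 0 and cannot be outranked")
    return {"name": "allow-cloudsql-egress", "direction": "EGRESS",
            "priority": prio - 1, "destinationRanges": [f"{dest_ip}/32"],
            "allowed": [{"IPProtocol": "tcp", "ports": [str(SQL_PORT)]}]}
```

Scoping the suggested rule to a /32 destination and a single port keeps the rest of the deny rule's coverage intact, which matters when the blocking rule was deliberate.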

Connectivity to Cloud SQL instance blocked by routing issue

When you configure a Cloud SQL instance that uses a private IP address, a private service connection is configured to allow resources in your VPC network to connect to the Cloud SQL instance. The private service connection automatically creates a VPC peering between your VPC network and a Google-managed service network.

This insight shows that the connectivity from your network to a Cloud SQL instance is blocked by a routing issue. This is caused by an accidental deletion of the VPC peering between your VPC network and the Google-managed service network.

This insight provides the following information:

  • SQL instance: Name of the Cloud SQL instance.
  • Network: Name of the VPC network where the Cloud SQL instance is configured.
  • Region: Region where the Cloud SQL instance is configured.
  • Connectivity drop cause: The reason why the connectivity is blocked. For this type of insight, it is missing network peering.

For more information, see Configuring private IP.

Recommendations

On the Insight details page, click the URI of the SQL instance field to go to the Cloud SQL page. On the Connection page, the following notification is shown: Private services access connection required.

Click Set up connection and follow the steps to recreate a private service connection.

Connectivity to Cloud SQL instance issue: instance not running

This insight indicates that the connectivity with a Cloud SQL instance is blocked because the Cloud SQL instance is not running.

This insight includes the following information:

  • SQL instance: Name of the Cloud SQL instance.
  • Network: Name of the VPC network where the Cloud SQL instance is configured.
  • Region: Region where the Cloud SQL instance is configured.

For more information, see Starting, stopping, and restarting instances.

Recommendations

Restart the Cloud SQL instance.