Cloud SQL connectivity insights

This page describes the Network Analyzer insights for Cloud SQL connectivity. For information about all the insight types, see Insight groups and types.

Cloud SQL connectivity insights discover connectivity issues from a subnet to a Cloud SQL instance, where the subnet is in the same Virtual Private Cloud (VPC) network as the Cloud SQL instance.

Connectivity tests are performed from an IP address of the subnet to the Cloud SQL instance by using the TCP protocol and the default ports. The default ports list depends on the Cloud SQL instance's database version. For more information about finding the ports of your Cloud SQL instance that are up and listening, see Open local ports.

View insights in the Recommender API

To view these insights in the gcloud CLI or the Recommender API, use the following insight type:

  • google.networkanalyzer.managedservices.cloudSqlInsight

You need the following permissions:

  • recommender.networkAnalyzerCloudSqlInsights.list
  • recommender.networkAnalyzerCloudSqlInsights.get

For more information about using the Recommender API for Network Analyzer insights, see Use the Recommender CLI and API.

Connectivity to Cloud SQL instance blocked by egress firewall

This insight indicates that the connectivity with a Cloud SQL instance is blocked by an egress firewall.

This insight provides the following information:

  • SQL instance: Name of the Cloud SQL instance.
  • Network: Name of the VPC network where the Cloud SQL instance is configured.
  • Region: Region where the Cloud SQL instance is configured.
  • Database version: Database version of the Cloud SQL instance.
  • Connectivity drop cause: The reason why the connectivity is blocked. For this type of insight, it is a blocking firewall.
  • Blocking firewall: Name of the firewall that blocks the connectivity.
  • Unreachable ports: Port numbers of the Cloud SQL instance that are not reachable.

For more information, see Using firewall rules.

Recommendations

If the blocking firewall rule was configured by mistake, delete it. Alternatively, you can create an egress firewall rule that allows TCP traffic on port 3307 with a destination IP range that matches the Cloud SQL instance's IP address. This rule must have a higher priority than the blocking firewall rule.
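The following shell functions, added here as an example and not part of the Network Analyzer documentation, list the Cloud SQL insights through the gcloud CLI (using the insight type named above) and apply the firewall recommendation: read the blocking rule's priority, pick a strictly higher one (a lower number in GCP), and create the egress allow rule for TCP 3307 to the instance's IP. It assumes gcloud is installed and authenticated; project, network, instance name, blocking rule name and instance IP are operator-supplied placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Requires an authenticated gcloud.

# Network Analyzer insights are global; list the Cloud SQL connectivity ones.
list_cloudsql_insights() {
  project=$1
  gcloud recommender insights list \
    --project="$project" --location=global \
    --insight-type=google.networkanalyzer.managedservices.cloudSqlInsight \
    --format=json
}

# GCP firewall priorities run 0-65535; a lower number wins. Return a priority
# that beats the blocking rule. At 0 nothing can beat it, so fail instead of
# creating a rule that would lose (or tie, where deny wins) against the block.
higher_priority() {
  blocking=$1
  if [ "$blocking" -le 0 ]; then
    echo "blocking rule already has priority 0; delete it instead" >&2
    return 1
  fi
  echo $((blocking - 1))
}

# Create the allow rule recommended by the insight. sql_ip is the instance's
# IP address (placeholder supplied by the operator from the Cloud SQL page).
create_allow_rule() {
  project=$1; network=$2; instance=$3; blocking_rule=$4; sql_ip=$5
  blocking_prio=$(gcloud compute firewall-rules describe "$blocking_rule" \
    --project="$project" --format='value(priority)')
  new_prio=$(higher_priority "$blocking_prio") || return 1
  gcloud compute firewall-rules create "allow-egress-cloudsql-${instance}" \
    --project="$project" --network="$network" \
    --direction=EGRESS --action=ALLOW --rules=tcp:3307 \
    --destination-ranges="${sql_ip}/32" --priority="$new_prio"
}

# Example invocation (placeholders):
# list_cloudsql_insights my-project
# create_allow_rule my-project my-vpc my-sql blocking-rule 10.20.0.5
```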

Connectivity to Cloud SQL instance blocked by routing issue

When you configure a Cloud SQL instance that uses a private IP address, a private service connection is configured so that resources in your VPC network can connect to the Cloud SQL instance. The private service connection automatically creates VPC peering between your VPC network and a Google-managed service network.

This insight shows that connectivity from your network to a Cloud SQL instance is blocked by a routing issue. This is caused by the accidental deletion of the VPC peering between your VPC network and the Google-managed service network.

This insight provides the following information:

  • SQL instance: Name of the Cloud SQL instance.
  • Network: Name of the VPC network where the Cloud SQL instance is configured.
  • Region: Region where the Cloud SQL instance is configured.
  • Database version: Database version of the Cloud SQL instance.
  • Connectivity drop cause: The reason why the connectivity is blocked. For this type of insight, it is missing network peering.
  • Unreachable ports: Port numbers of the Cloud SQL instance that are not reachable.

For more information, see Configuring private IP.

Recommendations

On the Insight details page, click the URI in the SQL instance field to go to the Cloud SQL page. On the Connection page, the following notification is shown: Private services access connection required.

Click Set up connection and follow the steps to recreate a private service connection.

Connectivity to Cloud SQL instance issue: instance not running

This insight indicates that the connectivity with a Cloud SQL instance is blocked because the Cloud SQL instance is not running.

This insight provides the following information:

  • SQL instance: Name of the Cloud SQL instance.
  • Network: Name of the VPC network where the Cloud SQL instance is configured.
  • Region: Region where the Cloud SQL instance is configured.
  • Database version: Database version of the Cloud SQL instance.

For more information, see Starting, stopping, and restarting instances.

Recommendations

Restart the Cloud SQL instance.