Connecting to Cloud SQL from External Applications

Applications not running on the Google Cloud Platform can connect to Google Cloud SQL using the standard MySQL protocol.

Contents

  1. How you connect from an external application
  2. Configuring access
    1. Configuring access for the proxy
    2. Configuring access for IP connections
    3. Configuring access for applications with dynamically assigned IP addresses
  3. Testing your connection
  4. Connection support tasks
    1. Creating a service account
    2. Determining the IP address for your application

How you connect from an external application

Depending on your Cloud SQL instance type, you have two options for accessing Cloud SQL from an external application:

  • If you are connecting to a Second Generation instance, you can use the Cloud SQL Proxy.
  • If you are connecting to a First Generation instance, you must authorize the IP address or range of IP addresses from which your application will connect.

After you have configured access, you are ready to connect from the MySQL client or any other admin and reporting tools that support MySQL. If you are connecting programmatically, you can use any of the MySQL Connectors that provide standard database driver connectivity.

To learn more about connection limits, see the FAQs "Are there any size or QPS limits?" and "How should I manage connections?"

Configuring access

Configuring access for the proxy

To use the Cloud SQL Proxy to connect from an external application, you must install the proxy on the system hosting the application. In addition, you need service account credentials.

  1. Install the proxy on your local environment.
  2. Create a service account, if you do not already have one.

    The service account key must be of type JSON.

  3. Ensure that your service account has at least the editor role for access in the project that contains the Cloud SQL instance.
  4. Run the proxy, using FUSE:
    sudo mkdir /cloudsql; sudo chmod 777 /cloudsql
    sudo ./cloud_sql_proxy -dir=/cloudsql -fuse -credential_file=path/to/keyfile &
    

    Learn more about the proxy here.
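An added example (not part of the original page): a pre-flight check for the proxy setup above that reports whether the JSON key file is accessible to other local accounts and whether the socket directory is world-writable, as `chmod 777` leaves it. The function names are hypothetical, and the key-file test assumes the downloaded key contains `"type": "service_account"`.

```shell
#!/bin/sh
# Added example: pre-flight checks before starting cloud_sql_proxy.

# mode_of PATH -> nine permission characters from `ls -ld`, e.g. rw-------
mode_of() { ls -ld "$1" | cut -c2-10; }

# check_keyfile PATH -> ok | missing | not-service-account-json | too-permissive:MODE
check_keyfile() {
  [ -f "$1" ] || { echo missing; return 1; }
  # Assumption: a downloaded JSON key carries "type": "service_account"
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" ||
    { echo not-service-account-json; return 1; }
  mode=$(mode_of "$1")
  case $mode in
    ???------) echo ok ;;                        # no group or other access
    *) echo "too-permissive:$mode"; return 1 ;;
  esac
}

# check_socket_dir DIR -> ok | missing | world-writable:MODE
check_socket_dir() {
  [ -d "$1" ] || { echo missing; return 1; }
  mode=$(mode_of "$1")
  case $mode in
    ???????w?) echo "world-writable:$mode"; return 1 ;;   # other-write bit set
    *) echo ok ;;
  esac
}

# Demo on constructed files in a temporary directory (no real key involved).
demo() {
  tmp=$(mktemp -d) || return 1
  printf '{"type": "service_account", "project_id": "constructed-project"}\n' >"$tmp/keyfile.json"
  chmod 644 "$tmp/keyfile.json"; echo "key 644: $(check_keyfile "$tmp/keyfile.json")"
  chmod 600 "$tmp/keyfile.json"; echo "key 600: $(check_keyfile "$tmp/keyfile.json")"
  chmod 777 "$tmp"; echo "dir 777: $(check_socket_dir "$tmp")"
  chmod 755 "$tmp"; echo "dir 755: $(check_socket_dir "$tmp")"
  rm -rf "$tmp"
}
demo
```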

Configuring access for IP connections

You can grant any application access to a Google Cloud SQL instance by authorizing the IP addresses that the application uses to connect.

You cannot specify a private network (for example, 10.x.x.x) as an authorized network.

IP addresses for First Generation instances

For First Generation instances, Google Cloud SQL supports connections over both IPv4 and IPv6 addresses. You can connect using either protocol, or both.

  • IPv6: Each First Generation instance has an IPv6 address automatically assigned to it; you do not need to assign an IPv6 address to your instance.
  • IPv4: If you are connecting to your First Generation instance over IPv4, you must assign an IPv4 address to your instance. There is a small charge for the IP address any time your instance is off (deactivated).

IP addresses for Second Generation instances

  • IPv6: Second Generation instances do not support IPv6.
  • IPv4: Second Generation instances have an IPv4 address automatically assigned. There is a small charge for the IP address any time your instance is off (deactivated).

Console

To grant access to an external application:

  1. Determine the IP address of your application (see Determining the IP address for your application).
  2. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  3. Find the instance to which you want to grant access and click the instance name.
  4. If you are connecting to a First Generation instance over IPv4, assign an IPv4 address to the instance if you haven't already:
    1. Select Access Control > IP address.
    2. Select Request IPv4 address.

      Note that you are charged for an IPv4 address when the instance is off. For more information, see the pricing page.

  5. Authorize networks that can connect to the instance.
    1. Select Access Control > Authorization.
    2. In the Allowed Networks section, click the add icon and enter IP addresses to whitelist using CIDR notation.

    Figure 2 shows IPv4 and IPv6 addresses assigned as authorized networks.

    Figure 2: Authorizing networks that can connect.
  6. Save the change by clicking the save or edit icon.
  7. When you are done authorizing networks, click the Save button to update the instance.

To remove access for an external application:

Follow the steps above and click the delete icon next to each address in the Authorized Networks box that you want to remove.

gcloud

To grant access to an external application:

  1. Determine the IP address of your application (see Determining the IP address for your application).
  2. Install the Cloud SQL command-line tool if you haven't already (see Managing Instances Using the Cloud SDK).
  3. Use the sql instances patch command to modify an existing instance (YOUR_INSTANCE_NAME) and grant access to an IP range (IP_ADDRESS_RANGE):
    gcloud sql instances patch YOUR_INSTANCE_NAME --authorized-networks IP_ADDRESS_RANGE
    
  4. Use the sql instances patch command to assign an IP address to the instance:
    gcloud sql instances patch YOUR_INSTANCE_NAME --assign-ip
    
  5. Use the sql instances describe command to retrieve the IP address assigned:
    gcloud sql instances describe YOUR_INSTANCE_NAME
    

    In the output, find the "ipAddress" field. This value is what you will use in your connection strings.

To remove access for all external applications:

  • Use the sql instances patch command to remove access to an instance (YOUR_INSTANCE_NAME) for all previously authorized IP addresses:
    gcloud sql instances patch YOUR_INSTANCE_NAME --clear-authorized-networks
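An added example (not part of the original page): a check to run on candidate IPv4 entries before passing them to `--authorized-networks`, rejecting the private ranges the page says cannot be authorized and ranges broader than a local policy allows. The function names and the `MIN_PREFIX` threshold are assumptions of this example, the sample addresses are constructed, and IPv6 entries are reported as `not-ipv4` rather than validated.

```shell
#!/bin/sh
# Added example: vet IPv4 entries before `--authorized-networks`.
MIN_PREFIX=24   # assumed local policy (broadest range accepted), not a Cloud SQL limit

# check_cidr ENTRY -> prints ok | private | too-broad | invalid | not-ipv4
check_cidr() {
  cidr=$1
  case $cidr in
    */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
    *)   ip=$cidr; prefix=32 ;;
  esac
  case $ip in ""|*[!0-9.]*) echo not-ipv4; return 1 ;; esac
  case $ip in .*|*.|*..*) echo invalid; return 1 ;; esac
  case $prefix in ""|???*|*[!0-9]*) echo invalid; return 1 ;; esac
  [ "$prefix" -le 32 ] || { echo invalid; return 1; }
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || { echo invalid; return 1; }
  for o in "$@"; do
    case $o in ????*) echo invalid; return 1 ;; esac
    [ "$o" -le 255 ] || { echo invalid; return 1; }
  done
  # RFC 1918 private space, which cannot be used as an authorized network
  if [ "$1" -eq 10 ] || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; } ||
     { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; }; then
    echo private; return 1
  fi
  [ "$prefix" -ge "$MIN_PREFIX" ] || { echo too-broad; return 1; }
  echo ok
}

# Prints the comma-joined accepted entries; returns 1 if any entry was rejected.
authorized_networks_arg() {
  list=""; rc=0
  for n in "$@"; do
    if verdict=$(check_cidr "$n"); then
      list=${list:+$list,}$n
    else
      echo "rejected $n: $verdict" >&2; rc=1
    fi
  done
  echo "$list"; return $rc
}

# Constructed sample entries: two documentation ranges plus two that must be rejected.
if arg=$(authorized_networks_arg 203.0.113.10/32 198.51.100.0/24 10.0.0.0/8 0.0.0.0/0); then
  echo "gcloud sql instances patch YOUR_INSTANCE_NAME --authorized-networks $arg"
else
  echo "not patching; entries that passed: $arg"
fi
```

The `--authorized-networks` flag replaces the instance's current list, so pass every range that should remain authorized, not only the new one.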

cURL

To grant access to external applications:

  1. Determine the IP address of your application (see Determining the IP address for your application).
  2. Obtain an OAuth2 access token that you can use in the following commands.

    For example, you can obtain a token by using the gcloud beta auth application-default print-access-token Cloud SDK command.

  3. List the existing authorized IP ranges.

    For more information about the resources of an instance that you can access with the API, see the instance resource definition.

    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         -X GET
    
  4. Assign a new IP range to the existing list of IP ranges.
    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         --data '{"settings" : {"ipConfiguration" : {"enabled" : true, "authorizedNetworks": ["existing-ip-range", "new-ip-range"] }}}' \
         -X PATCH
    

To remove access for all external applications:

  1. To revoke access for all external applications use the following command.
    curl --header 'Authorization: Bearer accessToken' \
         --header 'Content-Type: application/json' \
         https://www.googleapis.com/sql/v1beta4/projects/your-project-id/instances/your-instance-name \
         --data '{"settings" : {"ipConfiguration" : {"enabled" : false }}}' \
         -X PATCH
    

Configuring access for applications with dynamically assigned IP addresses

Some applications need to connect to your Cloud SQL instance using a dynamically assigned, or ephemeral, IP address. This is the case for App Engine applications running in the flexible environment, and Platform as a Service (PaaS) applications, among others.

The best solution for these applications is to use a Cloud SQL Second Generation instance, and connect by using the Cloud SQL Proxy. This solution provides the best access control for your instance.

If you cannot use a Second Generation instance, then you can either install your own proxy, or open up your firewall and apply SSL. But neither of these methods provides the security and control of the Cloud SQL Proxy provided by the Second Generation instance.

Testing your connection

You can use the MySQL client to test your ability to connect from your local environment.

  1. Install the MySQL client, if you haven't already.
  2. Connect to your instance.

    If you are accessing Cloud SQL by using the proxy, use the following connection string:

    mysql -u <USERNAME> -p -S /cloudsql/<YOUR-PROJECT-ID>:<REGION-NAME>:<SQL-INSTANCE-NAME>
    

    If you are accessing Cloud SQL by using an IP address, use the following connection string:

    mysql --host=<instance-IP> --user=<user-name> --password
    
  3. Run some SQL commands to test the proxy.
    CREATE DATABASE guestbook;
    USE guestbook;

    CREATE TABLE entries (guestName VARCHAR(255), content VARCHAR(255),
        entryID INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(entryID));
    INSERT INTO entries (guestName, content) values ("first guest", "hello world!");

    SELECT * FROM entries;
    

Connection support tasks

Creating a service account

  1. Go to the Google Cloud Platform Console.
  2. Select a project with which the service account will be associated.
  3. Click New credentials and select Service account key.
  4. Choose an existing service account or choose New service account.
  5. Ensure the Key type is JSON.
  6. Click Create.

    A Service account created window is displayed and the private key is downloaded automatically.

  7. Click Close.

To learn more about service accounts, see Service Account Credentials.

Determining the IP address for your application

To determine the IP address of a computer running your application so you can authorize access to your Cloud SQL instance from that address, use one of the following options:

  • If the computer is not behind a proxy, log in to the computer and determine its IP address. You can use a browser to determine your IP address (for example, search for What's My IP).
  • If the computer is behind a proxy, log in to the computer and use a tool or service like Proxy Test to determine its true IP address.
