Private Service Connect overview

This page describes how Cloud SQL uses Private Service Connect: the service attachment that Cloud SQL creates for an instance, the Private Service Connect endpoint that a VPC network uses to reach it, the DNS name you should connect through, and the list of projects allowed to create endpoints.

Cloud SQL has the following ways to connect to your database:

  • Public access through public IPv4 addresses.
  • Private access through private services access. This Virtual Private Cloud network peering solution attaches a VPC network to a Cloud SQL instance and gives that network full access to the instance. However, private services access doesn't support connecting to a Cloud SQL instance from multiple VPC networks simultaneously.
  • Private access through Private Service Connect. You can connect to a Cloud SQL instance from multiple VPC networks that belong to different groups, teams, projects, or organizations. You can also use Private Service Connect to connect to either a primary instance or any of its read replicas.

Service attachment

When a Cloud SQL Admin creates an instance, they can configure it to use Private Service Connect. Cloud SQL then creates a service attachment for the instance automatically. A service attachment is the attachment point on the producer side that VPC networks connect to in order to access the instance.

A Network Admin creates a Private Service Connect endpoint that the VPC network uses to connect to the service attachment. This enables the network to access the instance.

Each Cloud SQL instance has exactly one service attachment. A Private Service Connect endpoint in a VPC network connects to that attachment. If multiple networks need access, each network has its own endpoint, and all of those endpoints connect to the same service attachment.

Private Service Connect endpoint

A Private Service Connect endpoint is a forwarding rule that's associated with an internal IP address in the consumer VPC network. As part of creating the endpoint, the admin specifies the service attachment of the Cloud SQL instance as the forwarding rule's target. The network can then access the instance through the endpoint.

To create the endpoint, the Network Admin provides an unused internal IP address in the VPC network and the service attachment URI of the instance. The Network Admin can obtain this URI from the Cloud SQL Admin API: it is the pscServiceAttachmentLink field of the instance resource (for example, from gcloud sql instances describe). Clients in the network reach the Cloud SQL instance at the IP address that's associated with the endpoint.

DNS name

A DNS name is a human-readable name for a Cloud SQL instance that has Private Service Connect enabled. Using a DNS name offers the following benefits over using a private IP address:

  • Simplicity: easier to remember and use than an IP address. For example, instead of having to remember the IP address of an instance, you use the DNS name. This makes it easier for developers and administrators to work with instances.

  • Portability: portable across different VPC networks. Because each network's DNS record can point at that network's own endpoint IP address, the same DNS name works from every network, and an instance or endpoint can move without any change to client code or configuration. The record does have to exist in each network's private DNS zone, because Cloud SQL doesn't create DNS records for you.

  • Indirection: clients carry the name rather than a hard-coded internal IP address, so the endpoint IP address can change, or differ between networks, without clients needing to know it. Note that a DNS name is not an access control: anyone who can reach the endpoint IP address can attempt to connect, so access to the instance is still governed by the allowed projects list for the instance and by database authentication, not by keeping the IP address out of sight.

  • Scalability: scales to large numbers of connecting service consumers, because name resolution is served by DNS, a distributed system built to handle large query volumes.

Because Private Service Connect supports connecting to a Cloud SQL instance from different networks, and the Private Service Connect endpoints for a single instance typically have different IP addresses in each network, we recommend that you connect through a DNS name instead of using IP addresses. Additionally, the Cloud SQL Auth proxy and other Cloud SQL proxy clients work only with DNS names for an instance that has Private Service Connect enabled.

Cloud SQL doesn't create DNS records automatically. Instead, a suggested DNS name is returned in the instance lookup API response (the dnsName field of the instance resource). We recommend that you create an A record for that name, pointing at the endpoint IP address, in a private DNS zone attached to the corresponding VPC network, and repeat this in every network that has an endpoint. This not only provides a consistent way of connecting from different networks, but is also required to use the Cloud SQL Auth proxy.

Allowed Private Service Connect projects

Allowed projects are the projects that own the consumer VPC networks, and the list is specific to each Cloud SQL instance. The list is the producer-side access control for the service attachment: it determines which projects' endpoints Cloud SQL accepts.

Network Admins for these projects are allowed to create Private Service Connect endpoints for an instance. If a project isn't allowlisted explicitly, then the admin can still create an endpoint for the instance, but the endpoint remains in a PENDING state and doesn't carry traffic. Adding the project to the instance's allowed projects list moves the pending endpoint to the ACCEPTED state without recreating it. When you troubleshoot a connection that times out, check the endpoint's connection status before looking at the database.
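The four pieces described above (the instance with Private Service Connect enabled and its allowed projects, one endpoint per consumer VPC network, and a private DNS record in each network that maps the instance's suggested DNS name to that network's endpoint IP address) as one added Terraform example. This is illustrative code written for this page, not configuration from the original page or from Google's documentation. It goes slightly beyond the single-network case by looping over a map of consumer networks. Project IDs, network and subnet paths, instance name and the 10.x.x.x addresses are placeholders, and the identity that runs terraform apply is assumed to have the needed permissions in the producer project and every consumer project.

```hcl
# One entry per consumer VPC network. Each network gets its own endpoint
# (address + forwarding rule), its own private DNS zone and its own A record.
# All values below are placeholders; replace them with your own.
variable "consumers" {
  type = map(object({
    project    = string # project that owns the VPC; goes on the instance allowlist
    network    = string # consumer VPC network
    subnetwork = string # subnet in the instance's region that holds the endpoint IP
    ip         = string # unused internal IP address in that subnet
  }))
  default = {
    "team-a" = {
      project    = "consumer-project-a"
      network    = "https://www.googleapis.com/compute/v1/projects/consumer-project-a/global/networks/vpc-a"
      subnetwork = "https://www.googleapis.com/compute/v1/projects/consumer-project-a/regions/us-central1/subnetworks/subnet-a"
      ip         = "10.10.0.5"
    }
    "team-b" = {
      project    = "consumer-project-b"
      network    = "https://www.googleapis.com/compute/v1/projects/consumer-project-b/global/networks/vpc-b"
      subnetwork = "https://www.googleapis.com/compute/v1/projects/consumer-project-b/regions/us-central1/subnetworks/subnet-b"
      ip         = "10.20.0.5"
    }
  }
}

# Producer side. Enabling psc_config makes Cloud SQL create the service attachment.
# ipv4_enabled = false: no public IP at all. The allowlist is derived from the
# consumer map, so an endpoint cannot be left in PENDING because its project was
# forgotten here while its endpoint was added below.
resource "google_sql_database_instance" "db" {
  project          = "producer-project"
  name             = "psc-postgres"
  region           = "us-central1"
  database_version = "POSTGRES_15"

  settings {
    tier              = "db-custom-2-7680"
    availability_type = "REGIONAL"

    ip_configuration {
      ipv4_enabled = false
      psc_config {
        psc_enabled               = true
        allowed_consumer_projects = distinct([for c in var.consumers : c.project])
      }
    }
  }
}

# Consumer side, once per network: reserve the endpoint's internal IP address ...
resource "google_compute_address" "psc" {
  for_each     = var.consumers
  project      = each.value.project
  name         = "cloudsql-psc-${each.key}"
  region       = "us-central1"
  subnetwork   = each.value.subnetwork
  address_type = "INTERNAL"
  address      = each.value.ip
}

# ... and the Private Service Connect endpoint: a forwarding rule whose target is
# the instance's service attachment URI (the pscServiceAttachmentLink value that
# the Cloud SQL Admin API reports, exported here as psc_service_attachment_link).
resource "google_compute_forwarding_rule" "psc" {
  for_each                = var.consumers
  project                 = each.value.project
  name                    = "cloudsql-psc-${each.key}"
  region                  = "us-central1"
  network                 = each.value.network
  ip_address              = google_compute_address.psc[each.key].id
  load_balancing_scheme   = "" # must be empty for a PSC consumer endpoint
  target                  = google_sql_database_instance.db.psc_service_attachment_link
  allow_psc_global_access = true # clients in other regions of this VPC can use the endpoint
}

# Cloud SQL does not create DNS records. Each consumer VPC gets a private zone for
# REGION.sql.goog. and an A record mapping the instance's suggested DNS name to
# that network's own endpoint IP, so one name resolves correctly in every network.
resource "google_dns_managed_zone" "psc" {
  for_each   = var.consumers
  project    = each.value.project
  name       = "cloudsql-psc-${each.key}"
  dns_name   = "us-central1.sql.goog."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = each.value.network
    }
  }
}

resource "google_dns_record_set" "db" {
  for_each     = var.consumers
  project      = each.value.project
  # dns_name is the API's suggested name; normalise it to a fully qualified name
  # ending in a dot regardless of whether the provider returns the dot.
  name         = "${trimsuffix(google_sql_database_instance.db.dns_name, ".")}."
  managed_zone = google_dns_managed_zone.psc[each.key].name
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_address.psc[each.key].address]
}

output "connect_name" {
  description = "Connect through this DNS name (required by the Cloud SQL Auth proxy), never through an endpoint IP."
  value       = google_sql_database_instance.db.dns_name
}
```

Deriving allowed_consumer_projects from the same map that drives the endpoints is the point of the example: the allowlist and the endpoints cannot drift apart, which is the usual cause of an endpoint stuck in PENDING. After terraform apply, the connection status of each forwarding rule should be ACCEPTED, and a client in either VPC resolves the name in connect_name to the endpoint IP for its own network.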

What's next