Configuring public IP connectivity

MySQL | PostgreSQL | SQL Server

This page describes how to configure public IP connectivity for a Cloud SQL instance.

Introduction

You can configure your Cloud SQL instance to have a public IPv4 address, and to accept connections from specific IP addresses or a range of addresses by adding authorized addresses to your instance.

You can't specify a private network (for example, 10.x.x.x) as an authorized network.

Public IP addresses for MySQL instances:

IPv6: Instances do not support IPv6.
IPv4: Instances have a static IPv4 address automatically assigned. There is a small charge for the IP address any time your instance is off (deactivated).

For help with connecting an administration client to your instance over an IP connection, see Connecting mysql Client using IP addresses.

If you configure your instance to accept connections using its public IP address, also configure it to use SSL to keep your data secure. For more information, see Configure SSL for Instances.

To configure your instance with an IP address that is not exposed to the public internet, see Configuring Private IP Connectivity.

Enabling public IP and adding an authorized address or address range

When you enable public IP for your instance, Cloud SQL configures the instance with a public, static IPv4 address. After you enable public IP, you must set up authorization for database connections. See the Authorization options for more information.

To enable public IP and add an authorized address:

Console

Go to the Cloud SQL Instances page in the Google Cloud Console.
Go to the Cloud SQL Instances page
Click the instance name to open its Instance details page.
Select the Connections tab.
Select the Public IP checkbox.
Click Add network.
In the Network field, enter the IP address or address range you want to allow connections from.
Use CIDR notation.
Optionally, enter a name for this entry.
Click Done.
Click Save to update the instance.

gcloud

If you haven't already, add an IPv4 address to the instance:
```
gcloud sql instances patch [INSTANCE_NAME] --assign-ip
```
Show all existing authorized addresses by describing the instance:
```
gcloud sql instances describe [INSTANCE_NAME]
```
Look for authorizedNetwork entries under ipConfiguration, and note any authorized addresses you want to keep.
Update the authorized network list, including all addresses you want included.
```
gcloud sql instances patch [INSTANCE_NAME] --authorized-networks=[IP_ADDR1],[IP_ADDR2]...
```
Use CIDR notation.

Confirm your changes:

gcloud sql instances describe [INSTANCE_NAME]

To remove all authorized networks, use the following command:

  gcloud sql instances patch [INSTANCE_NAME] --clear-authorized-networks

REST v1beta4

Show all existing authorized addresses by describing the instance:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
machine-type The instance machine type
zone The instance zone

HTTP method and URL:

GET  https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The command below assumes that you have used either gcloud init or gcloud auth login to authenticate gcloud with your user account. You can check the currently active account by executing gcloud auth list.

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
 https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri " https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "settings":
  {
    "authorizedGaeApplications": [],
    "tier": "machine-type",
    "kind": "sql#settings",
    "availabilityType": "REGIONAL",
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "activationPolicy": "ALWAYS",
    "ipConfiguration":
    {
      "privateNetwork": "projects/project-id/global/networks/default",
      "authorizedNetworks": [],
      "ipv4Enabled": true
    },
    "locationPreference":
    {
      "zone": "zone",
      "kind": "sql#locationPreference"
    },
    "dataDiskType": "PD_SSD",
    "maintenanceWindow":
    {
      "kind": "sql#maintenanceWindow",
      "hour": 0,
      "day": 0
    },
    "backupConfiguration":
    {
      "startTime": "03:00",
      "kind": "sql#backupConfiguration",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "settingsVersion": "54",
    "storageAutoResizeLimit": "0",
    "storageAutoResize": true,
    "dataDiskSizeGb": "10"
  }
}

Update the instance, including all addresses you want set on the instance:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
network_range_1 An authorized ip address or range
network_range_2 Another authorized ip address or range

HTTP method and URL:

PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration":
    {
      "authorizedNetworks":
        [{"value": "network_range_1"}, {"value": network_range_2"}]
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file called request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method PATCH `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

Use CIDR notation.

Confirm your changes:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
ip-address1: The CIDR form of the first IP address
ip-address-name1: The name of the first IP address
ip-address2: The CIDR form of the second IP address
ip-address-name2: The name of the second IP address
machine-type The instance machine type
zone The instance zone

HTTP method and URL:

GET  https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
 https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri " https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "settings":
  {
    "authorizedGaeApplications": [],
    "tier": "machine-type4",
    "kind": "sql#settings",
    "availabilityType": "REGIONAL",
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "activationPolicy": "ALWAYS",
    "ipConfiguration":
    {
      "privateNetwork": "projects/project-id/global/networks/default",
      "authorizedNetworks":
      [
        {
          "value": "ip-address1",
          "name": "ip-address-name1",
          "kind": "sql#aclEntry"
        },
        {
          "value": "ip-address2",
          "name": "ip-address-name2",
          "kind": "sql#aclEntry"
        }
      ],
      "ipv4Enabled": true
    },
    "locationPreference":
    {
      "zone": "zone",
      "kind": "sql#locationPreference"
    },
    "dataDiskType": "PD_SSD",
    "maintenanceWindow":
    {
      "kind": "sql#maintenanceWindow",
      "hour": 0,
      "day": 0
    },
    "backupConfiguration":
    {
      "startTime": "03:00",
      "kind": "sql#backupConfiguration",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "settingsVersion": "54",
    "storageAutoResizeLimit": "0",
    "storageAutoResize": true,
    "dataDiskSizeGb": "10"
  }
}

To remove all authorized networks, use the following command:

  gcloud sql instances patch [INSTANCE_NAME] --clear-authorized-networks

Removing an authorized address or address range

To remove an authorized address:

Console

Go to the Cloud SQL Instances page in the Google Cloud Console.
Go to the Cloud SQL Instances page
Click the instance name to open its Instance details page.
Select the Connections tab.
Click the delete icon for the address you want to delete.
Click Save to update the instance.

gcloud

Show all existing authorized addresses by describing the instance:
```
gcloud sql instances describe [INSTANCE_NAME]
```
Look for authorizedNetwork entries under ipConfiguration, and note any authorized addresses you want to keep.

Update the authorized network list, dropping off any addresses you want to remove.

gcloud sql instances patch [INSTANCE_NAME] --authorized-networks=[IP_ADDR1],[IP_ADDR2]...

Confirm your changes:

gcloud sql instances describe [INSTANCE_NAME]

REST v1beta4

Show all existing authorized addresses by describing the instance:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
ip-address1: The CIDR form of the first IP address
ip-address-name1: The name of the first IP address
ip-address2: The CIDR form of the second IP address
ip-address-name2: The name of the second IP address
machine-type The instance machine type
zone The instance zone

HTTP method and URL:

GET  https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
 https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri " https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "settings":
  {
    "authorizedGaeApplications": [],
    "tier": "machine-type4",
    "kind": "sql#settings",
    "availabilityType": "REGIONAL",
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "activationPolicy": "ALWAYS",
    "ipConfiguration":
    {
      "privateNetwork": "projects/project-id/global/networks/default",
      "authorizedNetworks":
      [
        {
          "value": "ip-address1",
          "name": "ip-address-name1",
          "kind": "sql#aclEntry"
        },
        {
          "value": "ip-address2",
          "name": "ip-address-name2",
          "kind": "sql#aclEntry"
        }
      ],
      "ipv4Enabled": true
    },
    "locationPreference":
    {
      "zone": "zone",
      "kind": "sql#locationPreference"
    },
    "dataDiskType": "PD_SSD",
    "maintenanceWindow":
    {
      "kind": "sql#maintenanceWindow",
      "hour": 0,
      "day": 0
    },
    "backupConfiguration":
    {
      "startTime": "03:00",
      "kind": "sql#backupConfiguration",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "settingsVersion": "54",
    "storageAutoResizeLimit": "0",
    "storageAutoResize": true,
    "dataDiskSizeGb": "10"
  }
}

Update the instance, by including all the addresses you want to keep and dropping off any addresses you want to remove:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
network_range_1 The authorized IP address or network range to remove

HTTP method and URL:

PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration":
    {
      "authorizedNetworks":
        [{"value": "network_range_1"}]
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file called request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method PATCH `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

Confirm your changes:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
ip-address: The CIDR form of the IP address
ip-address-name: The name of the IP address
machine-type The instance machine type
zone The instance zone

HTTP method and URL:

GET  https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
 https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri " https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "settings":
  {
    "authorizedGaeApplications": [],
    "tier": "machine-type",
    "kind": "sql#settings",
    "availabilityType": "REGIONAL",
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "activationPolicy": "ALWAYS",
    "ipConfiguration":
    {
      "privateNetwork": "projects/project-id/global/networks/default",
      "authorizedNetworks":
      [
        {
          "value": "ip-address",
          "name": "ip-address-name",
          "kind": "sql#aclEntry"
        }
      ],
      "ipv4Enabled": true
    },
    "locationPreference":
    {
      "zone": "zone",
      "kind": "sql#locationPreference"
    },
    "dataDiskType": "PD_SSD",
    "maintenanceWindow":
    {
      "kind": "sql#maintenanceWindow",
      "hour": 0,
      "day": 0
    },
    "backupConfiguration":
    {
      "startTime": "03:00",
      "kind": "sql#backupConfiguration",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "settingsVersion": "54",
    "storageAutoResizeLimit": "0",
    "storageAutoResize": true,
    "dataDiskSizeGb": "10"
  }
}

To remove all authorized networks, use the following command:

  gcloud sql instances patch [INSTANCE_NAME] --clear-authorized-networks

Configuring an instance to refuse all public IP connections

To configure an instance to refuse all public IP connections:

Console

Go to the Cloud SQL Instances page in the Google Cloud Console.
Go to the Cloud SQL Instances page
Click the instance name to open its Instance details page.
Select the Connections tab.
Click the delete icon for all authorized addresses.
Click Save to update the instance.

gcloud

Clear the authorized address list:

gcloud sql instances patch [INSTANCE_NAME] --clear-authorized-networks

Confirm your changes:

gcloud sql instances describe [INSTANCE_NAME]

REST v1beta4

Show all existing authorized addresses by describing the instance:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
ip-address1: The CIDR form of the first IP address
ip-address-name1: The name of the first IP address
ip-address2: The CIDR form of the second IP address
ip-address-name2: The name of the second IP address
machine-type The instance machine type
zone The instance zone

HTTP method and URL:

GET  https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
 https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri " https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "settings":
  {
    "authorizedGaeApplications": [],
    "tier": "machine-type4",
    "kind": "sql#settings",
    "availabilityType": "REGIONAL",
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "activationPolicy": "ALWAYS",
    "ipConfiguration":
    {
      "privateNetwork": "projects/project-id/global/networks/default",
      "authorizedNetworks":
      [
        {
          "value": "ip-address1",
          "name": "ip-address-name1",
          "kind": "sql#aclEntry"
        },
        {
          "value": "ip-address2",
          "name": "ip-address-name2",
          "kind": "sql#aclEntry"
        }
      ],
      "ipv4Enabled": true
    },
    "locationPreference":
    {
      "zone": "zone",
      "kind": "sql#locationPreference"
    },
    "dataDiskType": "PD_SSD",
    "maintenanceWindow":
    {
      "kind": "sql#maintenanceWindow",
      "hour": 0,
      "day": 0
    },
    "backupConfiguration":
    {
      "startTime": "03:00",
      "kind": "sql#backupConfiguration",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "settingsVersion": "54",
    "storageAutoResizeLimit": "0",
    "storageAutoResize": true,
    "dataDiskSizeGb": "10"
  }
}

Update the instance with an empty address list:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID

HTTP method and URL:

PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration":
    {
      "authorizedNetworks": []
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file called request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method PATCH `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

Confirm your changes:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
machine-type The instance machine type
zone The instance zone

HTTP method and URL:

GET  https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
 https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri " https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "settings":
  {
    "authorizedGaeApplications": [],
    "tier": "machine-type",
    "kind": "sql#settings",
    "availabilityType": "REGIONAL",
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "activationPolicy": "ALWAYS",
    "ipConfiguration":
    {
      "privateNetwork": "projects/project-id/global/networks/default",
      "authorizedNetworks": [],
      "ipv4Enabled": true
    },
    "locationPreference":
    {
      "zone": "zone",
      "kind": "sql#locationPreference"
    },
    "dataDiskType": "PD_SSD",
    "maintenanceWindow":
    {
      "kind": "sql#maintenanceWindow",
      "hour": 0,
      "day": 0
    },
    "backupConfiguration":
    {
      "startTime": "03:00",
      "kind": "sql#backupConfiguration",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "settingsVersion": "54",
    "storageAutoResizeLimit": "0",
    "storageAutoResize": true,
    "dataDiskSizeGb": "10"
  }
}

To remove all authorized networks, use the following command:

  gcloud sql instances patch [INSTANCE_NAME] --clear-authorized-networks

Disabling public IP

You can disable public IP, but only if your instance is also configured to use Private IP. To enable private IP, see Configuring an existing instance to use private IP.

To disable public IP:

Console

Go to the Cloud SQL Instances page in the Google Cloud Console.
Go to the Cloud SQL Instances page
Click the instance name to open its Instance details page.
Select the Connections tab.
Deselect the Public IP checkbox.
Click Save to update the instance.

gcloud

Update the instance:

gcloud sql instances patch [INSTANCE_NAME] --no-assign-ip

Confirm your changes:

gcloud sql instances describe [INSTANCE_NAME]

REST v1beta4

Show all existing authorized addresses by describing the instance:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
ip-address1: The CIDR form of the first IP address
ip-address-name1: The name of the first IP address
ip-address2: The CIDR form of the second IP address
ip-address-name2: The name of the second IP address
machine-type The instance machine type
zone The instance zone

HTTP method and URL:

GET  https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
 https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri " https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "settings":
  {
    "authorizedGaeApplications": [],
    "tier": "machine-type4",
    "kind": "sql#settings",
    "availabilityType": "REGIONAL",
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "activationPolicy": "ALWAYS",
    "ipConfiguration":
    {
      "privateNetwork": "projects/project-id/global/networks/default",
      "authorizedNetworks":
      [
        {
          "value": "ip-address1",
          "name": "ip-address-name1",
          "kind": "sql#aclEntry"
        },
        {
          "value": "ip-address2",
          "name": "ip-address-name2",
          "kind": "sql#aclEntry"
        }
      ],
      "ipv4Enabled": true
    },
    "locationPreference":
    {
      "zone": "zone",
      "kind": "sql#locationPreference"
    },
    "dataDiskType": "PD_SSD",
    "maintenanceWindow":
    {
      "kind": "sql#maintenanceWindow",
      "hour": 0,
      "day": 0
    },
    "backupConfiguration":
    {
      "startTime": "03:00",
      "kind": "sql#backupConfiguration",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "settingsVersion": "54",
    "storageAutoResizeLimit": "0",
    "storageAutoResize": true,
    "dataDiskSizeGb": "10"
  }
}

Update the instance:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID

HTTP method and URL:

PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration": {"ipv4Enabled": false}
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file called request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method PATCH `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

Confirm your changes:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
machine-type The instance machine type
zone The instance zone

HTTP method and URL:

GET  https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
 https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri " https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=settings" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "settings":
  {
    "authorizedGaeApplications": [],
    "tier": "machine-type",
    "kind": "sql#settings",
    "availabilityType": "REGIONAL",
    "pricingPlan": "PER_USE",
    "replicationType": "SYNCHRONOUS",
    "activationPolicy": "ALWAYS",
    "ipConfiguration":
    {
      "privateNetwork": "projects/project-id/global/networks/default",
      "authorizedNetworks": [],
      "ipv4Enabled": false
    },
    "locationPreference":
    {
      "zone": "zone",
      "kind": "sql#locationPreference"
    },
    "dataDiskType": "PD_SSD",
    "maintenanceWindow":
    {
      "kind": "sql#maintenanceWindow",
      "hour": 0,
      "day": 0
    },
    "backupConfiguration":
    {
      "startTime": "03:00",
      "kind": "sql#backupConfiguration",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "settingsVersion": "54",
    "storageAutoResizeLimit": "0",
    "storageAutoResize": true,
    "dataDiskSizeGb": "10"
  }
}

Troubleshooting

Click the links in the table for details:

For this problem...	The issue might be...	Try this...
`Aborted connection`.	Error reading packets or connection aborted.	See these things to try.
`Unauthorized to connect` errors.	There can be many root causes.	See these things to try.
Network association failed.	`Service Networking API` is not enabled in the project.	Enable the `Service Networking API` in the project.
`Remaining connection slots are reserved`.	The maximum number of connections has been reached.	Increase the `max_connections` flag.
`Set Service Networking service account as servicenetworking.serviceAgent role on consumer project`.	The Service Networking service account is not bound to the `servicenetworking.serviceAgent` role.	Bind the Service Networking service account to the `servicenetworking.serviceAgent` role.
`error x509: certificate is not valid for any names, but wanted to match project-name:db-name`.	Known issue: The Cloud SQL Proxy Dialer is not compatible with Go 1.15 at this time.	Until fixed, see this discussion on GitHub, which includes a workaround.
Cannot parse certificates in some operating systems.	Clients using x509 libraries from mac OS 11.0 (Big Sur) may fail to parse some certificates of mysql instances. This may be surfaced to the client as a generic error, like "cancelled".	The workaround is to rotate the server certificate and recreate client certificates.
`Cannot modify allocated ranges in CreateConnection. Please use UpdateConnection`.	VPC peerings were not updated after an allocated range was modified or removed.	See Things to try for VPC peering update details.
`Allocated IP range not found in network`.	VPC peerings were not updated after an allocated range was modified or removed.	See Things to try for VPC peering update details.

Aborted connection

You see the error message Got an error reading communication packets , or Aborted connection xxx to db: DB_NAME.

The issue might be

Networking instability.
No response to TCP keep-alive commands (either the client or the server is not responsive, possibly overloaded).
The database engine connection lifetime was exceeded and the server ends the connection.

Things to try

Applications must tolerate network failures and follow best practices such as connection pooling and retrying. Most connection poolers catch these errors where possible. Otherwise the application must either retry or fail gracefully.

For connection retry, we recommend the following methods:

Exponential backoff. Increase the time interval between each retry, exponentially.
Add randomized backoff also.

Combining these methods helps reduce throttling.

Unauthorized to connect

You see the error message Unauthorized to connect.

The issue might be

There can be many causes, as authorization occurs at many levels.

At the database level, the database user must exist and its password must match.
At the project level, the user may lack the correct IAM permissions.
At the Cloud SQL level, the root cause can depend on how you connect to your instance. If you are connecting directly to an instance through the public IP, the connection's source IP must be in the authorized network of the instance.

Private IP connectivity is allowed by default, except when you are connecting from a non-RFC 1918 address. Non-RFC 1918 client addresses must be configured as authorized networks.

Cloud SQL doesn't learn Non-RFC 1918 subnet routes from your VPC by default. You need to update the network peering to Cloud SQL to export any Non-RFC 1918 routes. For example:
```
gcloud compute networks peerings update cloudsql-mysql-googleapis-com --network=NETWORK --export-subnet-routes-with-public-ip --project=PROJECT
```
If you are connecting through the Cloud SQL Proxy, ensure that the IAM permissions are set up correctly.
At the network level, if the Cloud SQL instance is using public IP, the connection's source IP must be in an authorized network.

Things to try

Check the username and password.
Check the user's IAM roles and permissions.
If using public IP, make sure the source is in the authorized networks.

Network association failed

You see the error message Error: Network association failed due to the following error: set Service Networking service account as servicenetworking.serviceAgent role on consumer project.

The issue might be

The Service Networking API is not enabled in the project.

Things to try

Enable the Service Networking API in your project. If you see this error when you are trying to assign a private IP address to a Cloud SQL instance, and you are using a shared VPC, you also need to enable the Service Networking API for the host project.

Remaining connection slots are reserved

You see the error message FATAL: remaining connection slots are reserved for non-replication superuser connections.

The issue might be

The maximum number of connections has been reached.

Things to try

Edit the max_connections flag value.

Set Service Networking service account as servicenetworking.serviceAgent role on consumer project

You see the error message set Service Networking service account as servicenetworking.serviceAgent role on consumer project..

The issue might be

Service Networking service account is not bound to the servicenetworking.serviceAgent role.

Things to try

To mitigate this issue, try using these gcloud commands to bind the Service Networking service account to the servicenetworking.serviceAgent role.

gcloud beta services identity create --service=servicenetworking.googleapis.com --project=project-id

gcloud projects add-iam-policy-binding project-id --member="serviceAccount:service-project-number@service-networking.iam.gserviceaccount.com" --role="roles/servicenetworking.serviceAgent"

Error x509: certificate is not valid for any names

You see the error message error x509: certificate is not valid for any names, but wanted to match project-name:db-name

The issue might be ...

Known issue: The Cloud SQL Proxy Dialer is not compatible with Go 1.15 at this time.

Things to try

Until the bug is fixed, see this discussion on GitHub, which includes a workaround.

Cannot parse certificates in some operating systems

When you use x509 libraries from mac OS 11.0 (Big Sur), you may fail to parse the certificates of mysql instances. This may be surfaced as a generic error, like "cancelled."

Things to try

The bug is fixed and the new instances won't hit this problem. For old instances hitting this problem, rotate the server certificate and recreate client certificates.

Cannot modify allocated ranges in CreateConnection. Please use UpdateConnection

You see the error message Cannot modify allocated ranges in CreateConnection. Please use UpdateConnection, or The operation "operations/1234" resulted in a failure "Allocated IP range 'xyz' not found in network.

The issue might be ...

A private service connection was modified. For example, when a range was reserved and then removed, the private connection is also removed. You get the first error when you attempt to make a connection using a different reserved range without first recreating the private connection. You see the second error when the allocated range was modified but vpc-peerings was not updated.

Things to try

You need to recreate or update the private connection. Use the following command, and make sure to use the --force argument:

gcloud services vpc-peerings update --network=VPC_NETWORK --ranges=ALLOCATED_RANGES --service=servicenetworking.googleapis.com --force

What's next

Set up authorization for database connections. Learn more in the Authorization options
Create and manage SSL keys for your instance.
Connect an administration client to your instance.
Connect to your instance from an external application.