Configuring private IP

This page describes how to configure a Cloud SQL instance to use private IP.

For information about how private IP works, as well as environment and management requirements, see Private IP.

Before you begin

Before configuring a Cloud SQL instance to use private IP, you must do the following:

  • Enable the Service Networking API for your project.

    If you are using a Shared VPC network, you also need to do the following:

    • Enable the Service Networking API for the host project.
    • Add your user to the host project.
    • Give your user the Network Administrator IAM role in the host project.
  • Select a VPC network to use.

  • One-time only: Configure private services access in your VPC network to allocate an IP address range and create a private service connection. This allows resources in the VPC network to connect to Cloud SQL instances.

    • Establishing private services access requires the Network Administrator IAM role.

      After private services access is established for your network, you no longer need the Network Administrator role to configure an instance to use private IP.

    • If you are using private IP for any of your Cloud SQL instances, you only need to configure private services access one time for every Google Cloud project that has or needs to connect to a Cloud SQL instance. For more information, see Private services access.

Cloud SQL configures private services access for you when all of the conditions below are true:

  • You have not yet configured private services access in the Google Cloud project.
  • You are enabling private IP for the first time for any Cloud SQL instance in the Google Cloud project.
  • When enabling private IP in the instance's Connections page, you select both the default Associated networking and Use an automatically allocated IP range options.

Configuring an instance to use private IP

You can configure a Cloud SQL instance to use private IP when you create the instance, or for an existing instance.

Configuring private IP for a new instance

To configure a Cloud SQL instance to use private IP when creating an instance:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

  2. Click CREATE INSTANCE.
  3. In the Creation wizard, under Configuration Options, expand the Connectivity section.
  4. Select the Private IP checkbox.

    A drop-down list shows the available VPC networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.

  5. Select the VPC network you want to use:

    If you have configured private services access:

    1. Select the VPC network you want to use.
    2. Click Connect.
    3. A drop-down shows the IP address range you allocated.
    4. Click Create.
    5. Click Save.

    To let Cloud SQL allocate the range for you and create the private connection:

    1. Select the `default` VPC network.
    2. Click Allocate and connect.
    3. Click Save.

gcloud

If you have not previously done so, follow the instructions below to configure private services access for Cloud SQL. Create your Cloud SQL instance, using the --network parameter to specify the name of your chosen VPC network, and the --no-assign-ip flag to disable public IP.

Unless the VPC network is a Shared VPC network, the --network parameter value is in the format: https://www.googleapis.com/compute/alpha/projects/[PROJECT_ID]/global/networks/[VPC_NETWORK_NAME]

If the VPC network is a Shared VPC network, the --network parameter value is in the format projects/HOST_PROJECT_ID/global/networks/VPC_NETWORK_NAME, where HOST_PROJECT_ID is the name of the Shared VPC host project and VPC_NETWORK_NAME is the name of the Shared VPC network.

gcloud --project=[PROJECT_ID] beta sql instances create [INSTANCE_ID] \
       --network=[VPC_NETWORK_NAME] \
       --no-assign-ip

Configuring private IP for an existing instance

Configuring an existing Cloud SQL instance to use private IP causes the instance to restart, resulting in downtime.

To configure an existing instance to use private IP:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Click the instance name to open its Overview page.
  3. Select the Connections tab.
  4. Select the Private IP checkbox.

    A drop-down list shows the available networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.

  5. If you have configured private services access:

    1. Select the VPC network you want to use.
    2. A drop-down shows the IP address range you allocated.
    3. Click Connect.
    4. Click Save.

  6. To let Cloud SQL allocate an IP address range for you:

    1. Select the `default` VPC network.
    2. Click Allocate and connect.
    3. Click Save.

gcloud

If you have not previously done so, follow the instructions below to configure private services access for Cloud SQL. Update your Cloud SQL instance, using the --network parameter to specify the name of your chosen VPC network.

VPC_NETWORK_NAME is the name of your chosen VPC network, for example: my-vpc-network. The --network parameter value is in the format: https://www.googleapis.com/compute/alpha/projects/[PROJECT_ID]/global/networks/[VPC_NETWORK_NAME]

gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE_ID] \
       --network=[VPC_NETWORK_NAME] \
       --no-assign-ip

Connecting to an instance using its Private IP

You use private services access to connect to Cloud SQL instances from Compute Engine or Google Kubernetes Engine instances in the same VPC network (defined here as internal sources) or from outside of that network (an external source).

Connecting from an internal source

To connect from a source in the same Google Cloud project as your Cloud SQL instance, such as the Cloud SQL Proxy running on a Compute Engine resource, that resource must be in the same VPC network as the Cloud SQL instance.

Connecting from an external source

You can connect from a client in an on-premises network if the on-premises network is connected to the VPC network to which your Cloud SQL instance is connected. To permit connections from an on-premises network, do the following:

  1. Ensure your VPC network is connected to your on-premises network using a Cloud VPN tunnel or an interconnect attachment (VLAN) for Dedicated Interconnect or Partner Interconnect.
  2. Identify the peering produced by the private services connection. Note that a peering is created for each type of database engine that you use (MySQL, PostgreSQL, and SQL Server).
  3. Update the peering connection to exchange custom routes.
  4. Identify the allocated range used by the private services connection.
  5. Create a Cloud Router custom route advertisement for the allocated range on the Cloud Routers managing BGP sessions for your Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).

Connecting from non-RFC 1918 addresses

Connections to a Cloud SQL instance using a private IP address are automatically authorized for RFC 1918 address ranges. This way, all private clients can access the database without going through the proxy. Non-RFC 1918 address ranges must be configured as authorized networks.

To connect from a non-RFC 1918 address, you must set per-instance IP authorization to allow traffic from non-RFC 1918 address ranges.

For example, use a gcloud command like the following:

gcloud sql instances patch [INSTANCE_NAME] --authorized-networks 172.16.12.0/28,172.16.1.0/24,172.16.10.0/24,172.16.2.0/24,172.16.11.0/24,192.88.99.0/24,11.0.0.0/24

Cloud SQL doesn't learn non-RFC 1918 subnet routes from your VPC by default. You need to update the network peering to Cloud SQL to export any non-RFC 1918 routes. For example:

gcloud compute networks peerings update cloudsql-[mysql/postgres]-googleapis-com --network=NETWORK --export-subnet-routes-with-public-ip --project=PROJECT
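As an added check that is not part of this page or of Google's own tooling, the script below audits the JSON that `gcloud sql instances describe --format=json` returns for the posture described above: public IP disabled, a private network attached, and an authorized-networks list that holds only the non-RFC 1918 ranges that actually need explicit authorization. The sample JSON is constructed; its field names follow the Cloud SQL Admin API DatabaseInstance resource, which is an assumption here.

```python
import ipaddress
import json

# RFC 1918 blocks: Cloud SQL authorizes these automatically for private-IP clients.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `gcloud sql instances describe --format=json` output. Field names
# follow the Cloud SQL Admin API DatabaseInstance resource (an assumption); values are made up.
SAMPLE_DESCRIBE = json.dumps({
    "ipAddresses": [{"ipAddress": "10.1.0.5", "type": "PRIVATE"}],
    "settings": {"ipConfiguration": {
        "ipv4Enabled": False,
        "privateNetwork": "projects/example-project/global/networks/my-vpc-network",
        "authorizedNetworks": [
            {"name": "branch", "value": "172.16.12.0/28"},
            {"name": "6to4-relay", "value": "192.88.99.0/24"},
            {"name": "partner", "value": "11.0.0.0/24"},
            {"name": "anywhere", "value": "0.0.0.0/0"},
        ],
    }},
})


def is_rfc1918(cidr: str) -> bool:
    """True when the whole range lies inside a single RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def audit(describe_json: str) -> dict:
    """Flag public-IP exposure, a missing private network, and authorized networks
    that are redundant (RFC 1918, already allowed) or too broad to be a real client range."""
    inst = json.loads(describe_json)
    ipcfg = inst["settings"]["ipConfiguration"]
    findings = {
        "public_ip": bool(ipcfg.get("ipv4Enabled"))
        or any(a.get("type") == "PRIMARY" for a in inst.get("ipAddresses", [])),
        "private_network": ipcfg.get("privateNetwork"),
        "redundant": [], "overbroad": [], "explicit_non_rfc1918": [],
    }
    for entry in ipcfg.get("authorizedNetworks", []):
        cidr = entry["value"]
        if is_rfc1918(cidr):
            findings["redundant"].append(cidr)
        elif ipaddress.ip_network(cidr, strict=False).prefixlen < 8:  # heuristic: /0../7
            findings["overbroad"].append(cidr)
        else:
            findings["explicit_non_rfc1918"].append(cidr)
    return findings
```

Run it against real output by piping `gcloud sql instances describe [INSTANCE_ID] --format=json` into `audit`; a non-empty `redundant` list means RFC 1918 ranges were added as authorized networks although private-IP clients in those ranges are already allowed.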
