This page contains information and examples for connecting to a Cloud SQL instance from a service running in Cloud Run functions.
For step-by-step instructions on running a Cloud Run functions sample web application connected to Cloud SQL, see the quickstart for connecting from Cloud Run functions.
Cloud SQL is a fully-managed database service that helps you set up, maintain, manage, and administer your relational databases in the cloud.
Cloud Run functions is a lightweight compute solution for developers to create single-purpose, standalone functions that respond to Cloud events without the need to manage a server or runtime environment.
Set up a Cloud SQL instance
- Enable the Cloud SQL Admin API in the Google Cloud project that you are connecting from, if you
haven't already done so:
- Create a Cloud SQL
for MySQL instance. We recommend that you choose a Cloud SQL
instance location in the same region as your Cloud Run service for better latency, to avoid some networking costs, and to reduce
cross region failure risks.
By default, Cloud SQL assigns a public IP address to a new instance. You also have the option to assign a private IP address. For more information about the connectivity options for both, see the Connecting Overview page.
Configure Cloud Run functions
The steps to configure Cloud Run functions depend on the type of IP address that you assigned to your Cloud SQL instance.Public IP (default)
To configure Cloud Run functions to enable connections to a Cloud SQL instance:
- Confirm that the instance created above has a public IP address. You can confirm this on the Overview page for the instance in the Google Cloud console. If you need to add a public IP address, see Configure public IP.
- Get the instance's INSTANCE_CONNECTION_NAME. This value is
available:
- On the Overview page for the instance, in the Google Cloud console, or
- By running the following command:
gcloud sql instances describe [INSTANCE_NAME]
-
Configure the service account for your function. If the authorizing
service account belongs to a different project from the Cloud SQL
instance, enable the Cloud SQL Admin API, and add the IAM permissions listed
below, on both projects. Confirm that the
service account has the appropriate
Cloud SQL roles
and permissions to connect to Cloud SQL.
- To connect to Cloud SQL, the service account needs one of the
following
IAM roles:
Cloud SQL Client
(preferred)Cloud SQL Editor
Cloud SQL Admin
cloudsql.instances.connect
cloudsql.instances.get
- To connect to Cloud SQL, the service account needs one of the
following
IAM roles:
- If you're using
Cloud Run functions and not Cloud Run functions (1st gen), the
following are required (also see
Configure Cloud Run):
- Initially deploy your function.
When you first begin creating a Cloud Run function in the Google Cloud console, the underlying Cloud Run service hasn't been created yet. You can't configure a Cloud SQL connection until that service is created (by deploying the Cloud Run function). - In the Google Cloud console, in the upper right of the Function details page, under Powered by Cloud Run, click the link to access the underlying Cloud Run service.
- On the Cloud Run Service details page, select the Edit and deploy new revision tab.
- Follow the
standard steps
(as in the case of any configuration
change) for setting a new configuration for a Cloud SQL connection.
This creates a new Cloud Run revision, and subsequent revisions automatically receive this Cloud SQL connection, unless you explicitly change it.
- Initially deploy your function.
Private IP
If the authorizing service account belongs to a different project than the one containing the Cloud SQL instance, do the following:
- In both projects, enable the Cloud SQL Admin API.
- For the service account in the project that contains the Cloud SQL instance, add the IAM permissions.
- Make sure that the Cloud SQL instance created previously has a private IP address. If you need to add one, see Configure private IP for instructions.
- Create a Serverless VPC Access connector in the same VPC network as your Cloud SQL instance. Note the following conditions:
- Unless you're using Shared VPC, your connector must be in the same project and region as the resource that uses it, but it can send traffic to resources in different regions.
- Serverless VPC Access supports communication to VPC networks connected using Cloud VPN and VPC Network Peering.
- Serverless VPC Access doesn't support legacy networks.
- Configure Cloud Run functions to use the connector.
- Connect using your instance's private IP address and port
3306
.
Connect to Cloud SQL
After you configure Cloud Run functions, you can connect to your Cloud SQL instance.
Public IP (default)
For public IP paths, Cloud Run functions provides encryption and connects using the Cloud SQL Auth Proxy in two ways:
- Through Unix sockets
- By using a Cloud SQL connector
Private IP
For private IP paths, your application connects directly to your instance through a VPC network. This method uses TCP to connect directly to the Cloud SQL instance without using the Cloud SQL Auth Proxy.
Connect with TCP
Connect using the private IP address of your Cloud SQL instance as the host and port 3306
.
Python
To see this snippet in the context of a web application, view the README on GitHub.
Java
To see this snippet in the context of a web application, view the README on GitHub.
Note:
- INSTANCE_CONNECTION_NAME should be represented as <MY-PROJECT>:<INSTANCE-REGION>:<INSTANCE-NAME>
- Using the argument ipTypes=PRIVATE will force the SocketFactory to connect with an instance's associated private IP
- See the JDBC socket factory version requirements for the pom.xml file here .
Node.js
To see this snippet in the context of a web application, view the README on GitHub.
Go
To see this snippet in the context of a web application, view the README on GitHub.
PHP
To see this snippet in the context of a web application, view the README on GitHub.
Best practices and other information
You can use the Cloud SQL Auth Proxy when testing your application locally. See the quickstart for using the Cloud SQL Auth Proxy for detailed instructions.
Connection Pools
Connections to underlying databases may be dropped, either by the database server itself, or by the infrastructure underlying Cloud Run functions. We recommend using a client library that supports connection pools that automatically reconnect broken client connections. Additionally, we recommend using a globally scoped connection pool to increase the likelihood that your function reuses the same connection for subsequent invocations of the function, and closes the connection naturally when the instance is evicted (auto-scaled down). For more detailed examples on how to use connection pools, see Managing database connections.Connection Limits
Cloud SQL imposes a maximum limit on concurrent connections, and these limits may vary depending on the database engine chosen (see Cloud SQL Quotas and Limits). It's recommended to use a connection with Cloud Run functions, but it is important to set the maximum number of connections to 1.Where possible, you should take care to only initialize a connection pool for functions that need access to your database. Some connection pools will create connections preemptively, which can consume excess resources and count towards your connection limits. For this reason, it's recommended to use Lazy Initialization to delay the creation of a connection pool until needed, and only include the connection pool in functions where it's used.
For more detailed examples on how to limit the number of connections, see Managing database connections.
API Quota Limits
Cloud Run functions provides a mechanism that connects using the Cloud SQL Auth Proxy, which uses the Cloud SQL Admin API. API quota limits apply to the Cloud SQL Auth Proxy. The Cloud SQL Admin API quota used is approximately two times the number of Cloud SQL instances configured times the total number of functions deployed. You can set the number of max concurrent invocations to modify the expected API quota consumed. Cloud Run functions also imposes rate limits on the number of API calls allowed per 100 seconds.
What's next
- Learn more about Cloud Run functions.
- Learn more about deploying Cloud Run functions.
- Learn more about specifying triggers for Cloud Run functions.
- Learn more about configuring Cloud Run functions.