Connect your instance to multiple VPCs

This page describes how to connect to your Cloud SQL instance across transitively peered VPCs.

Cloud SQL offers the following ways to connect your Cloud SQL instance to multiple VPCs using private IP:

  • Connect using custom route advertisements
  • Connect using an intermediate proxy (SOCKS5)
  • Connect using the Cloud SQL Auth Proxy as a service
  • Connect using Private Service Connect

To learn more about your Cloud SQL instance and multiple VPCs, see Cloud SQL instance across multiple VPCs.

Connect using custom route advertisements

You can use Cloud Router to manually advertise routes between two networks that go through an intermediate VPC to connect multiple VPCs to your Cloud SQL instance. The two VPCs must be connected using a virtual private network (VPN), Cloud Interconnect, or any other network that Cloud Router supports.

Custom route advertisements.

With custom route advertisements, your Cloud SQL VPC, VPC C, is connected to your main VPC, VPC A, using an intermediate VPC, VPC B. You can configure shared routes between these networks in the following ways:

  • You can use Cloud Router to manually advertise routes between two networks that go through an intermediate VPC. For more information on how to configure Cloud Router to manually advertise routes, see Transit network.

  • You can create two HA VPN gateways that connect to each other to bridge the two different VPCs and configure Cloud Router to share routes between them. For more information on how to set up HA VPN gateways, see Create HA VPN gateways to connect VPC networks.

We recommend using custom route advertisements to connect multiple VPCs to your Cloud SQL instance using Cloud Router.

Connect using an intermediate proxy (SOCKS5)

You can set up an intermediate proxy, such as SOCKS5 proxy, on an intermediate VPC along with the Cloud SQL Auth Proxy in your main VPC between the client and your Cloud SQL instance. This enables the intermediate node to forward encrypted traffic from the Cloud SQL Auth Proxy to the Cloud SQL instance.

Connecting using an intermediate proxy.

To use an intermediate proxy to connect to multiple VPCs, follow these steps:

  1. Install and configure a SOCKS5 server on your intermediate VM. An example of a SOCKS5 server is Dante.
  2. Configure the SOCKS5 server using any port to bind to your VM's ens4 network interface for both external and internal connections.
  3. Configure your VPC's firewall to allow TCP traffic from the appropriate IP address or range to the SOCKS server's configured port.
  4. Install the Cloud SQL Auth Proxy on your external client.
  5. Run the Cloud SQL Auth Proxy on your external client with the ALL_PROXY environment variable set to the intermediary VM's IP address and the port used by the SOCKS server.

    ALL_PROXY=socks5://$IP_ADDRESS:$PORT cloud-sql-proxy $INSTANCE_CONNECTION_NAME
    

    To run this command, replace the following variables:

    • INSTANCE_CONNECTION_NAME: your Cloud SQL instance name in project:region:instance-id format.
    • IP_ADDRESS: your connection IP address. If you're connecting from a peered VPC, use the intermediary VM's internal IP address. Otherwise, use its external IP address.
    • PORT: the port used by your connection.

    For example, the following command configures the Cloud SQL Auth Proxy to connect to the instance using a SOCKS server running on the IP address 198.51.100.1 and on port 1080:

    ALL_PROXY=socks5://198.51.100.1:1080 cloud-sql-proxy $INSTANCE_CONNECTION_NAME


The performance of a SOCKS5 proxy is dependent on the available CPU and memory. For larger setups or where more applications will be using the proxy, you may need to deploy more instances of the SOCKS5 proxy.
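The following script is an added example that is not part of the Cloud SQL documentation or the Cloud SQL Auth Proxy project. It ties the five steps above together: it renders a Dante sockd.conf bound to the VM's ens4 interface (step 2), restricts which clients may use the proxy (the 10.0.0.0/8 range is an assumed value), validates the IP address, port and instance connection name before they are placed in ALL_PROXY, and invokes cloud-sql-proxy exactly as in step 5. The function names and sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Cloud SQL documentation): helpers for running the
# Cloud SQL Auth Proxy through a SOCKS5 server on an intermediate VM.

# Validate an IPv4 address: four dotted octets, each in 0-255.
is_ipv4() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Validate a TCP port number in 1-65535.
is_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the socks5://IP:PORT value that ALL_PROXY expects, refusing bad input
# so a typo cannot silently send the proxy somewhere unintended.
build_proxy_url() {
  is_ipv4 "$1" || { echo "bad IP address: $1" >&2; return 1; }
  is_port "$2" || { echo "bad port: $2" >&2; return 1; }
  printf 'socks5://%s:%s\n' "$1" "$2"
}

# Check the project:region:instance-id form of an instance connection name
# (exactly three non-empty colon-separated parts).
validate_instance_connection_name() {
  case "$1" in
    ''|*:*:*:*|:*|*:|*::*) return 1 ;;
    *:*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Render a Dante sockd.conf bound to the given interface (ens4 on the VM) for
# both internal and external traffic. Only the given client range may connect,
# and only the CONNECT command is allowed; every connection is logged to syslog.
render_sockd_conf() {
  iface=$1; port=$2; client_range=$3
  cat <<EOF
logoutput: syslog
internal: $iface port = $port
external: $iface
clientmethod: none
socksmethod: none
user.privileged: root
user.unprivileged: nobody
client pass {
    from: $client_range to: 0.0.0.0/0
    log: connect disconnect error
}
socks pass {
    from: $client_range to: 0.0.0.0/0
    command: connect
    log: connect disconnect error
}
EOF
}

# Step 5: start the Cloud SQL Auth Proxy with ALL_PROXY pointing at the SOCKS
# server. The proxy's TLS session still terminates at the Cloud SQL instance;
# the SOCKS server only forwards the encrypted bytes.
run_proxy_via_socks() {
  validate_instance_connection_name "$1" || {
    echo "expected project:region:instance-id, got: $1" >&2; return 1; }
  ALL_PROXY=$(build_proxy_url "$2" "$3") || return 1
  ALL_PROXY="$ALL_PROXY" cloud-sql-proxy "$1"
}

# Stand-alone usage: print the Dante config, then start the proxy through the
# sample SOCKS server 198.51.100.1:1080 (assumed values).
if [ "${1:-}" = "--run" ]; then
  render_sockd_conf ens4 1080 10.0.0.0/8
  run_proxy_via_socks "$INSTANCE_CONNECTION_NAME" 198.51.100.1 1080
fi
```

The client range passed to render_sockd_conf should match the source range you allow in the VPC firewall rule from step 3, so that the firewall and the SOCKS server agree on who may reach the port; a `from: 0.0.0.0/0` rule would turn the VM into an open relay reachable by anyone who can reach its address.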

Connect using the Cloud SQL Auth Proxy as a service

You can install and run the Cloud SQL Auth Proxy on your intermediate VPC instead of your external client and enable secure connections by pairing it with a protocol-aware proxy, also known as a connection pooler. Examples of connection poolers include PgBouncer and Pgpool-II (PostgreSQL only).

This connection method allows your applications to connect securely and directly to the pooler over the SSL/TLS configuration you set on the pooler. The pooler passes database queries to your Cloud SQL instance through the Cloud SQL Auth Proxy.
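As an added example that is not part of the Cloud SQL documentation or of PgBouncer, the script below renders the two pieces that make up this setup on the intermediate VM: a PgBouncer configuration that requires TLS from application clients and forwards to a Cloud SQL Auth Proxy listening only on loopback, and the proxy command line itself (Cloud SQL Auth Proxy v2 flags). The database name, ports and certificate paths are assumed values.

```shell
#!/bin/sh
# Added example (not Cloud SQL or PgBouncer documentation): PgBouncer in front
# of a loopback-only Cloud SQL Auth Proxy on the intermediate VM.

# Render pgbouncer.ini. Clients must present TLS (client_tls_sslmode = require);
# the upstream is the Cloud SQL Auth Proxy on 127.0.0.1, which itself carries
# the encrypted, IAM-authenticated session to the instance.
render_pgbouncer_ini() {
  db_name=$1; proxy_port=$2; listen_port=$3; cert_dir=$4
  [ "$proxy_port" != "$listen_port" ] || {
    echo "pooler and proxy cannot share port $listen_port" >&2; return 1; }
  cat <<EOF
[databases]
$db_name = host=127.0.0.1 port=$proxy_port dbname=$db_name

[pgbouncer]
listen_addr = 0.0.0.0
listen_port = $listen_port
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
pool_mode = transaction
client_tls_sslmode = require
client_tls_key_file = $cert_dir/server.key
client_tls_cert_file = $cert_dir/server.crt
EOF
}

# Command line for the Cloud SQL Auth Proxy: bind to loopback only so that
# nothing but the pooler on this VM can reach it, and use the instance's
# private IP. Arguments: instance connection name, local port.
proxy_command() {
  printf 'cloud-sql-proxy --address 127.0.0.1 --port %s --private-ip %s\n' "$2" "$1"
}

# Stand-alone usage with assumed values.
if [ "${1:-}" = "--render" ]; then
  render_pgbouncer_ini appdb 5432 6432 /etc/pgbouncer/tls
  proxy_command "$INSTANCE_CONNECTION_NAME" 5432
fi
```

Because the application's TLS session ends at the pooler, the pooler's certificate and key are what your applications trust; keep them on the intermediate VM only, and keep the proxy's listener on 127.0.0.1 so the unencrypted hop between pooler and proxy never leaves the host.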

Connect using Private Service Connect

Private Service Connect allows you to connect to multiple VPC networks across different projects or organizations. You can use Private Service Connect to connect to either a primary instance or any of its read replicas. For more information about Private Service Connect, see Private Service Connect overview.

To connect across multiple VPCs using Private Service Connect, see Connect to an instance using Private Service Connect.