This page describes how to use the authorized networks settings for connecting to Cloud SQL instances that use IP addresses.
Introduction
When connecting to a Cloud SQL instance there are two considerations:
- Connection options determine which networking path you use to connect.
- Authentication options determine who is allowed to connect.
When you first create a Cloud SQL instance, the default setting is to assign a public IP address to the instance. If you accept that option, you can find the IP address on the Instances Overview page. From there, click the instance name.
Even if your instance has only a public IP address, you can connect to it securely by using the Cloud SQL Auth proxy. All traffic between the Cloud SQL Auth proxy and your Cloud SQL instance is encrypted. If you don't use the proxy, and you are connecting your client from your own public IP address, you need to add your client's public address as an authorized network.
Configuring authorized networks
Your client application's IP address or address range must be configured as authorized networks for the following conditions:
- Your client application is connecting directly to a Cloud SQL instance on its public IP address.
- Your client application is connecting directly to a Cloud SQL instance on its private IP address, and your client's IP address is a non-RFC 1918 address.
The IP address can be either a single endpoint or consist of a range in CIDR notation.
Console
- Go to the Cloud SQL Instances page in the Google Cloud Console.
- Click the instance name to open its Instance details page.
- Select the Connections page from the left side menu.
- Select the Public IP checkbox.
- Click ADD NETWORK.
- In the Name field, enter a name for the New Network.
- In the Network* field, enter the IP address or address range you want to allow connections from. Use CIDR notation.
- Click Done.
- Click Save to update the instance.
gcloud
Configuring authorized networks replaces the existing authorized networks list.
gcloud sql instances patch [INSTANCE_ID] --authorized-networks=[NETWORK_RANGE_1],[NETWORK_RANGE_2]...
REST v1beta4
Configuring authorized networks replaces the existing authorized networks list.
Before using any of the request data below, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
- network_range_1: An authorized IP address or range
- network_range_2: Another authorized IP address or range
HTTP method and URL:
PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id
Request JSON body:
{ "settings": { "ipConfiguration": { "authorizedNetworks": [{"value": "network_range_1"}, {"value": "network_range_2"}] } } }
You should receive a JSON response similar to the following:
Limitations
Some IP address ranges can't be added as authorized networks.
Address range | Notes |
---|---|
127.0.0.0/8 | Loopback address range |
10.0.0.0/8 | RFC 1918 address range. These are automatically and implicitly included in the authorized networks by Cloud SQL |
172.16.0.0/12 | RFC 1918 address range. These are automatically and implicitly included in the authorized networks by Cloud SQL |
192.168.0.0/16 | RFC 1918 address range. These are automatically and implicitly included in the authorized networks by Cloud SQL |
0.0.0.0/8 | RFC 3330 null network |
169.254.0.0/16 | RFC 3927 and RFC 2373, link-local networks |
192.0.2.0/24 | RFC 3330 and RFC 3849, documentation networks |
224.0.0.0/4 | RFC 3330 and IPv6 multicast networks |
240.0.0.0/4 | This block, formerly known as the Class E address space, is reserved for future use; see RFC 1112, Section 4. |
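The following pre-flight check is an added example, not part of the original page or of any Google tooling. Because configuring authorized networks replaces the existing list, it merges new ranges into the current list, drops entries that fall inside the ranges in the table above, and builds the request body in the shape shown in the REST section. The function names and sample addresses are constructed for illustration, and the code assumes a range is refused when it lies entirely inside a listed block.

```python
import ipaddress
import json

# Ranges from the Limitations table that can't be added as authorized networks.
DISALLOWED = {
    "127.0.0.0/8": "loopback",
    "10.0.0.0/8": "RFC 1918, implicitly included",
    "172.16.0.0/12": "RFC 1918, implicitly included",
    "192.168.0.0/16": "RFC 1918, implicitly included",
    "0.0.0.0/8": "null network",
    "169.254.0.0/16": "link-local",
    "192.0.2.0/24": "documentation network",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved (former Class E)",
}
_BLOCKS = [(ipaddress.ip_network(c), why) for c, why in DISALLOWED.items()]

def check_range(value):
    """Return (normalized_cidr, None) if usable, else (None, reason)."""
    try:
        net = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return None, "not an IP address or CIDR range"
    for block, why in _BLOCKS:
        # Assumption: a range is refused when it lies inside a listed block.
        if net.version == block.version and net.subnet_of(block):
            return None, f"inside {block} ({why})"
    return str(net), None

def build_patch_body(existing, additions):
    """Merge additions into the existing list, since a patch replaces it."""
    merged, rejected = [], {}
    for value in [*existing, *additions]:
        cidr, reason = check_range(value)
        if reason:
            rejected[value] = reason
        elif cidr not in merged:
            merged.append(cidr)
    networks = [{"value": cidr} for cidr in merged]
    body = {"settings": {"ipConfiguration": {"authorizedNetworks": networks}}}
    return body, rejected

if __name__ == "__main__":
    # Constructed sample values; the existing list would come from the instance.
    body, rejected = build_patch_body(
        ["198.51.100.0/24"], ["203.0.113.7", "10.1.2.0/24", "not-an-ip"])
    print(json.dumps(body, indent=2))
    print("rejected:", rejected)
```

Review the rejected entries before sending the body, so that a typo or an unusable range doesn't silently leave a client without access after the list is replaced.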
What's next
Learn more about instance access control.
Configure your instance to use SSL/TLS.
Connect to your instance with the psql client using SSL/TLS.