Authorize with authorized networks

MySQL | PostgreSQL | SQL Server

This page describes how to use the authorized networks settings for connecting to Cloud SQL instances that use IP addresses.

Configure authorized networks

Your client application's IP address or address range must be configured as authorized networks for the following conditions:

Your client application is connecting directly to a Cloud SQL instance on its public IP address.
Your client application is connecting directly to a Cloud SQL instance on its private IP address, and your client's IP address is a non-RFC 1918 address

The IP address can be either a single endpoint or consist of a range in CIDR notation.

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
Select the Public IP checkbox.
Click Add network.
In the Name field, enter a name for a New network.
In the Network* field, enter the IP address or address range you want to allow connections from.
Use CIDR notation.
Click Done.
Click Save to update the instance.

gcloud

Configuring authorized networks replaces the existing authorized networks list.

gcloud sql instances patch INSTANCE_ID \
--authorized-networks=NETWORK_RANGE_1,NETWORK_RANGE_2...

Terraform

To configure authorized networks, use a Terraform resource.

cloud_sql/postgres_instance_authorized_network/main.tf

View on GitHub Feedback

resource "google_sql_database_instance" "default" {
  name             = "postgres-instance-with-authorized-network"
  region           = "us-central1"
  database_version = "POSTGRES_14"
  settings {
    tier = "db-custom-2-7680"
    ip_configuration {
      authorized_networks {
        name            = "Network Name"
        value           = "192.0.2.0/24"
        expiration_time = "3021-11-15T16:19:00.094Z"
      }
    }
  }
  deletion_protection = false # set to true to prevent destruction of the resource
}

Apply the changes

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

Launch Cloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.

You only need to run this command once per project, and you can run it in any directory.
```
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
```
Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (also called a root module).

In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension—for example main.tf. In this tutorial, the file is referred to as main.tf.
```
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
```
If you are following a tutorial, you can copy the sample code in each section or step.

Copy the sample code into the newly created main.tf.

Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
Review and modify the sample parameters to apply to your environment.
Save your changes.
Initialize Terraform. You only need to do this once per directory.
```
terraform init
```
Optionally, to use the latest Google provider version, include the -upgrade option:
```
terraform init -upgrade
```

Apply the changes

Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
```
terraform plan
```
Make corrections to the configuration as necessary.
Apply the Terraform configuration by running the following command and entering yes at the prompt:
```
terraform apply
```
Wait until Terraform displays the "Apply complete!" message.
Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

Delete the changes

To delete your changes, do the following:

To disable deletion protection, in your Terraform configuration file set the deletion_protection argument to false.
```
deletion_protection =  "false"
```
Apply the updated Terraform configuration by running the following command and entering yes at the prompt:
```
terraform apply
```

Remove resources previously applied with your Terraform configuration by running the following command and entering yes at the prompt:
```
terraform destroy
```

REST v1

Configuring authorized networks replaces the existing authorized networks list.

Before using any of the request data, make the following replacements:

project-id: The project ID
instance-id: The instance ID
network_range_1 An authorized ip address or range
network_range_2 Another authorized ip address or range

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration":
    {
      "authorizedNetworks":
        [{"value": "network_range_1"}, {"value": "network_range_2"}]
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by executing gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by executing gcloud auth list.

Save the request body in a file called request.json, and execute the following command:

curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id"

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

REST v1beta4

Configuring authorized networks replaces the existing authorized networks list.

Before using any of the request data, make the following replacements:

project-id: The project ID
instance-id: The instance ID
network_range_1 An authorized ip address or range
network_range_2 Another authorized ip address or range

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration":
    {
      "authorizedNetworks":
        [{"value": "network_range_1"}, {"value": "network_range_2"}]
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file called request.json, and execute the following command:

curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id"

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

Limitations

Some IP address ranges can't be added as authorized networks.

Address range	Notes
127.0.0.0/8	Loopback address range
10.0.0.0/8	RFC 1918 address range. These are automatically and implicitly included in the authorized networks by Cloud SQL
172.16.0.0/12	RFC 1918 address range. These are automatically and implicitly included in the authorized networks by Cloud SQL
192.168.0.0/16	RFC 1918 address range. These are automatically and implicitly included in the authorized networks by Cloud SQL
0.0.0.0/8	RFC 3330 null network
169.254.0.0/16	RFC 3927 and RFC 2373, link-local networks
192.0.2.0/24	RFC 3330 and RFC 3849, documentation networks
224.0.0.0/4	RFC 3330, multicast networks
240.0.0.0/4	This block, formerly known as the Class E address space, is reserved for future use; see RFC 1112, Section 4.

What's next

Learn more about instance access control.
Configure your instance to use SSL/TLS.
Connect to your instance with the psql client using SSL/TLS.