Authorize with authorized networks

This page describes how to use the authorized networks settings, an allowlist of client source IP addresses, when connecting to Cloud SQL instances over IP.

Configure authorized networks

Your client application's IP address or address range must be configured as an authorized network in either of the following cases:

  • Your client application connects directly to a Cloud SQL instance on its public IP address.
  • Your client application connects directly to a Cloud SQL instance on its private IP address, and the client's IP address is not in an RFC 1918 range.

Each authorized network can be a single address or a range in CIDR notation; a single client is written as a /32. Authorized networks only control which source addresses can open a connection to the instance; the client still authenticates with database credentials, so keep ranges as narrow as possible and avoid catch-all ranges such as 0.0.0.0/0.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Public IP checkbox.
  5. Click Add network.
  6. In the Name field, enter a name for a New network.
  7. In the Network field, enter the IP address or address range, in CIDR notation, that you want to allow connections from.

  8. Click Done.
  9. Click Save to update the instance.

gcloud

This command replaces the instance's existing authorized networks list with the ranges you pass, so include every range that should remain, not only the new ones. To remove all authorized networks, use --clear-authorized-networks instead.

gcloud sql instances patch INSTANCE_ID \
    --authorized-networks=NETWORK_RANGE_1,NETWORK_RANGE_2,...

Terraform

To configure authorized networks, use the google_sql_database_instance Terraform resource. As with gcloud and the REST API, the authorized_networks blocks you declare are the complete list: on apply, Terraform removes any entry that is not in the configuration.

resource "google_sql_database_instance" "default" {
  name             = "postgres-instance-with-authorized-network"
  region           = "us-central1"
  database_version = "POSTGRES_14"
  settings {
    tier = "db-custom-2-7680"
    ip_configuration {
      # One block per allowed client range; repeat the block to allow more.
      authorized_networks {
        name  = "Network Name"
        # Placeholder: replace with your client's address or range in CIDR
        # notation. Ranges listed under Limitations (for example 192.0.2.0/24)
        # are rejected.
        value = "203.0.113.0/24"
        # Optional RFC 3339 timestamp after which the entry stops matching;
        # a far-future value keeps it effectively permanent.
        expiration_time = "3021-11-15T16:19:00.094Z"
      }
    }
  }
  deletion_protection = true
}

REST v1

This request replaces the instance's existing authorized networks list with the values in the body, so include every range that should remain, not only the new ones.

Before using any of the request data, make the following replacements:

  • project-id: the project ID
  • instance-id: the instance ID
  • network_range_1: an authorized IP address or range
  • network_range_2: another authorized IP address or range

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration":
    {
      "authorizedNetworks":
        [{"value": "network_range_1"}, {"value": "network_range_2"}]
    }
  }
}


REST v1beta4

This request replaces the instance's existing authorized networks list with the values in the body, so include every range that should remain, not only the new ones.

Before using any of the request data, make the following replacements:

  • project-id: the project ID
  • instance-id: the instance ID
  • network_range_1: an authorized IP address or range
  • network_range_2: another authorized IP address or range

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration":
    {
      "authorizedNetworks":
        [{"value": "network_range_1"}, {"value": "network_range_2"}]
    }
  }
}


Limitations

Some IP address ranges can't be added as authorized networks.

Address range    Notes
127.0.0.0/8      Loopback address range.
10.0.0.0/8       RFC 1918 address range. Cloud SQL includes these ranges in the authorized networks automatically and implicitly.
172.16.0.0/12    RFC 1918 address range. Cloud SQL includes these ranges in the authorized networks automatically and implicitly.
172.17.0.0/16    Reserved for the Docker bridge network.
192.168.0.0/16   RFC 1918 address range. Cloud SQL includes these ranges in the authorized networks automatically and implicitly.
0.0.0.0/8        RFC 3330 null network.
169.254.0.0/16   RFC 3927 and RFC 2373 link-local networks.
192.0.2.0/24     RFC 3330 and RFC 3849 documentation networks.
224.0.0.0/4      RFC 3330 multicast networks.
240.0.0.0/4      Formerly the Class E address space, reserved for future use (RFC 1112, Section 4).
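The gcloud command and the PATCH requests above overwrite the whole authorized networks list, and the table above lists the ranges the API refuses. The following Python script is an added example, not Google's code or part of this page: it takes the current authorizedNetworks from a GET response for the instance, rejects candidate ranges that fall inside a range from the Limitations table or that are broader than a /24 (the /24 floor is this example's own policy, not a Cloud SQL rule; it stops a typo such as 0.0.0.0/0 from exposing the instance's public IP to the whole internet), and emits the merged JSON body for the PATCH. SAMPLE_INSTANCE is constructed, the RFC 5737 ranges 203.0.113.0/24 and 198.51.100.7 are placeholders, and the script handles IPv4 only.

```python
"""Build a Cloud SQL Admin API PATCH body that adds client ranges to an
instance's authorizedNetworks without dropping the entries already there.
Added example; not Google's code."""
import ipaddress
import json

# Ranges Cloud SQL refuses as authorized networks, from the Limitations
# table on this page. RFC 1918 space is implicitly allowed for private IP,
# which is why listing it explicitly is rejected too.
DISALLOWED = {
    "127.0.0.0/8": "loopback",
    "10.0.0.0/8": "RFC 1918, implicitly allowed",
    "172.16.0.0/12": "RFC 1918, implicitly allowed",
    "192.168.0.0/16": "RFC 1918, implicitly allowed",
    "0.0.0.0/8": "RFC 3330 null network",
    "169.254.0.0/16": "link-local",
    "192.0.2.0/24": "documentation network",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved (former Class E)",
}

# Local policy for this example, not a Cloud SQL rule: refuse anything
# broader than a /24 so a typo such as 0.0.0.0/0 cannot expose the
# instance's public IP to every address on the internet.
MIN_PREFIX_LEN = 24

# Constructed sample of a GET .../instances/INSTANCE_ID response, trimmed
# to the fields this example touches. 203.0.113.0/24 is an RFC 5737
# documentation range standing in for a real office range.
SAMPLE_INSTANCE = {
    "name": "instance-id",
    "settings": {
        "ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [
                {"name": "office", "value": "203.0.113.0/24",
                 "expirationTime": "2030-01-01T00:00:00Z"},
            ],
        }
    },
}


def reject_reason(cidr):
    """Return None if cidr is usable as an authorized network, otherwise
    a short reason. A bare IPv4 address is treated as a /32."""
    try:
        # strict=True rejects host bits under the mask, e.g. 203.0.113.5/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return "not a valid CIDR: %s" % exc
    if net.version != 4:
        return "this example handles IPv4 ranges only"
    if net.prefixlen < MIN_PREFIX_LEN:
        return "prefix /%d is broader than the /%d policy floor" % (
            net.prefixlen, MIN_PREFIX_LEN)
    for bad, why in DISALLOWED.items():
        if net.overlaps(ipaddress.ip_network(bad)):
            return "overlaps %s (%s)" % (bad, why)
    return None


def merge_authorized_networks(instance, new_ranges):
    """Return the PATCH body for settings.ipConfiguration.authorizedNetworks:
    the instance's current entries (names and expiration times preserved)
    plus each name -> cidr in new_ranges, skipping values already present.
    Raises ValueError on the first rejected range so no partial body is sent."""
    current = (instance.get("settings", {})
               .get("ipConfiguration", {})
               .get("authorizedNetworks", []))
    merged = [dict(entry) for entry in current]  # copy, never mutate the input
    present = {entry["value"] for entry in merged}
    for name, cidr in new_ranges.items():
        reason = reject_reason(cidr)
        if reason is not None:
            raise ValueError("%s (%s): %s" % (name, cidr, reason))
        value = str(ipaddress.ip_network(cidr))  # "a.b.c.d" -> "a.b.c.d/32"
        if value in present:
            continue
        merged.append({"name": name, "value": value})
        present.add(value)
    return {"settings": {"ipConfiguration": {"authorizedNetworks": merged}}}


if __name__ == "__main__":
    # 198.51.100.7 is another RFC 5737 documentation address used as a placeholder.
    body = merge_authorized_networks(SAMPLE_INSTANCE, {"ci-runner": "198.51.100.7"})
    print(json.dumps(body, indent=2))
    for candidate in ("0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/8", "203.0.113.5/24"):
        print(candidate, "->", reject_reason(candidate))
```

To use it against a real instance, fetch the current state with GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id (or gcloud sql instances describe INSTANCE_ID --format=json), pass the parsed JSON as instance, and send the returned dictionary as the body of the PATCH request shown above.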

What's next