Authorizing with authorized networks

This page describes how to use the authorized networks settings for connecting to Cloud SQL instances that use IP addresses.

Introduction

When connecting to a Cloud SQL instance there are two considerations:

  • Connection options determine which networking path you use to connect.
  • Authentication options determine who is allowed to connect.

When you first create a Cloud SQL instance, the default setting is to assign a public IP address to the instance. If you accept that option, you can find the IP address on the Instances Overview page. From there, click the instance name.

Even if your instance has only a public IP address, you can connect to it securely by using the Cloud SQL Proxy. All traffic between the Cloud SQL Proxy and your Cloud SQL instance is encrypted. If you don't use the proxy, and you are connecting your client from your own public IP address, you need to add your client's public address as an authorized network.

Configuring authorized networks

If your client application is connecting directly to a Cloud SQL instance on its public IP address, you have to add your client's external address as an Authorized network. The IP address can be either a single endpoint or consist of a range in CIDR format.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

    Go to the Cloud SQL Instances page

  2. Click the instance name to open its Instance details page.
  3. Select the Connections tab.
  4. Click Add network.
  5. In the Network field, enter the IP address or address range you want to allow connections from.

    Use CIDR notation.

  6. Optionally, enter a name for this entry.
  7. Click Done.
  8. Click Save to update the instance.

gcloud

Configure authorized networks:

gcloud sql instances patch [INSTANCE_ID] --authorized-networks=[NETWORK_RANGE_1],[NETWORK_RANGE_2]...
    

REST

Before using any of the request data below, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID
  • network_range_1 An authorized ip address or range
  • network_range_2 Another authorized ip address or range

HTTP method and URL:

PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings":
  {
    "ipConfiguration":
    {
      "authorizedNetworks":
        [{"value": "network_range_1"}, {"value": network_range_2"}]
    }
  }
}

To send your request, expand one of these options:

You should receive a JSON response similar to the following:

What's next