Configuring private IP connectivity

This page describes how to configure a PostgreSQL instance to use private IP. For information about how private IP works, as well as environment and management requirements, see Private IP.

Before you begin

Before configuring a Cloud SQL instance to use private IP, you must consider the following:

  • You must choose a VPC network to use. The Google Cloud resources you will use to connect to your Cloud SQL instance (either Compute Engine instances [VMs] or Google Kubernetes Engine instances) must use this VPC network in order to be able to connect. These resources must also be in the same region as your Cloud SQL instance.

  • Before using private IP Cloud SQL instances in a given VPC network for the first time, you need to configure private services access in the VPC network. This allows resources in the VPC network to connect to Cloud SQL instances. As part of this configuration, a range of IP addresses must be allocated for use by the Cloud SQL instances. If you wish, you may select a specific IP range to use. Otherwise, Cloud SQL will automatically allocate an unused range for you. In either case, the instructions below will help you allocate a range of IP addresses. For more information and for additional considerations, see Configuring Private Services Access.

    The IP range 172.17.0.0/16 is reserved for the Docker bridge network. Any Cloud SQL instances created with an IP in that range will be unreachable. Connections from any IP within that range to Cloud SQL instances using private IP will fail.

  • You must enable the Service Networking API for your project.

    The Service Networking API is used to establish private services access.

Configuring an instance to use private IP at creation time

You can configure a Cloud SQL instance to use private IP when you create the instance.

To configure a new instance to use private IP:

Console

  1. In the Creation wizard, under Configuration Options, expand the Connectivity section.
  2. Select the Private IP checkbox.

    The drop-down list shows the available networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.

  3. Select the network where the resources you want to connect from are located.
  4. If you previously configured private services access for Cloud SQL in this VPC network, you are done. Select instance settings and create the instance.
  5. If this network does not have a range of IP addresses allocated to it for private services access, do one of the following:
    • Click Allocate and connect to let Cloud SQL allocate the range for you and create the private connection. You are done; select instance settings and create the instance.
    • Refer to the instructions for configuring private services access for Cloud SQL below. When finished, proceed with choosing instance settings and creating the instance.
  6. If one or more allocated IP ranges exist for your network, and you haven't yet selected the range you want to use to connect to the Cloud SQL service, select the range and click Connect. Proceed with choosing instance settings and creating the instance.

gcloud

Follow the instructions below for configuring private services access for Cloud SQL if you have not previously done so in this VPC network. Create your Cloud SQL instance, using the --network parameter to specify the name of your chosen VPC network, and the --no-assign-ip flag to disable public IP. 
gcloud --project=[PROJECT_ID] beta sql instances create [INSTANCE-ID]
       --network=[VPC_NETWORK_NAME]
       --no-assign-ip
VPC_NETWORK_NAME is the name of your chosen VPC network, e.g., my-vpc-network. If this is a Shared VPC network, you must supply the fully qualified name, of the form projects/HOST_PROJECT_NAME/global/networks/NETWORK_NAME, where you have replaced HOST_PROJECT_NAME with the name of the Shared VPC host project and NETWORK_NAME with the name of the Shared VPC network.

Configuring an existing instance to use private IP

You can configure an existing Cloud SQL instance to use private IP.

Configuring an existing Cloud SQL instance to use private IP causes the instance to restart, resulting in downtime.

To configure an existing instance to use private IP:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
    Go to the Cloud SQL Instances page
  2. Click the instance name to open its Overview page.
  3. Select the Connections tab.
  4. Select the Private IP checkbox.

    The drop-down list shows the available networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.

  5. Select the network where the resources you want to connect from are located.
  6. If you previously configured private services access for Cloud SQL in this VPC network, you are done; click Save to update the instance.
  7. If this network does not have a range of IP addresses allocated to it for private services access, do one of the following:
    1. Click Allocate and connect to let Cloud SQL allocate the range for you and create the private connection. You are done; click Save to update the instance.
    2. Refer to the instructions for configuring private services access for Cloud SQL below. Then click Save to update this instance.
  8. If one or more allocated IP ranges exist for your network, and you haven't yet selected the range you want to use to connect to the Cloud SQL service, select the range and click Connect. Then click Save to update the instance.

gcloud

Follow the instructions below for configuring private services access for Cloud SQL if you have not previously done so in this VPC network. Update your Cloud SQL instance, using the --network parameter to specify the name of your chosen VPC network. 
gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE-ID]
       --network=[VPC_NETWORK_NAME]
       --no-assign-ip
VPC_NETWORK_NAME is the name of your chosen VPC network, e.g., my-vpc-network. If this is a Shared VPC network, you must supply the fully qualified name, of the form projects/HOST_PROJECT_NAME/global/networks/NETWORK_NAME, where you have replaced HOST_PROJECT_NAME with the name of the Shared VPC host project and NETWORK_NAME with the name of the Shared VPC network.

Configuring private services access for Cloud SQL

This section provides instructions for configuring private services access in your VPC network without creating a Cloud SQL instance. In many cases, Cloud SQL can do this automatically when you launch an instance. However, these manual instructions may be useful if:

  • You wish to control the size of the IP address range that is allocated. For example, if you anticipate creating a large number of Cloud SQL instances, you might choose in advance to allocate an IP range that can hold them all.

  • You wish to set up private services access from the command line (using gcloud).

  • You are using Shared VPC and your organization administrator has delegated network administrative responsibilities to a Network Admin in the host project. The Network Admin can perform the steps below in the host project to configure private services access. Subsequently, users who have been delegated privileges in the service project(s) can freely launch Cloud SQL instances by following the instructions in the sections above. Those users need only be granted Network User privileges in the host project.

You only need to perform these steps once per VPC network. For more information and for additional considerations, see Configuring Private Services Access.

There are two parts to this process:

  • Allocating an IP address range.
  • Creating a private connection from your VPC network to the service producer network (where Cloud SQL instances will reside).

Allocating an IP address range

Console

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Select the VPC network that you wish to use.
  3. Select the Private service connection tab.
  4. In the Private service connection tab, select the Allocated IP ranges for services tab.
  5. Click Allocated IP range.
  6. For the Name of the allocated range, specify google-managed-services-VPC_NETWORK_NAME, where VPC_NETWORK_NAME is the name of the VPC network you are connecting (for example, google-managed-services-default). You may leave the Description blank.

  7. Specify an IP range for the allocation:

    • To specify an IP address range, select Custom and then enter a CIDR block, such as 192.168.0.0/16.
    • To specify a prefix length and let Google select an available range, select Automatic and then enter a prefix length, such as 16.

  8. Click Allocate to create the allocated range.

gcloud

Do one of the following:

  • To specify an address range and a prefix length (subnet mask), use the addresses and prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/16, specify 192.168.0.0 for the address and 16 for the prefix length.

    gcloud compute addresses create google-managed-services-[VPC_NETWORK_NAME] \
    --global \
    --purpose=VPC_PEERING \
    --addresses=192.168.0.0 \
    --prefix-length=16 \
    --network=[VPC_NETWORK_NAME]

  • To specify just a prefix length (subnet mask), just use the prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a 16 bit prefix length.

    gcloud compute addresses create google-managed-services-[VPC_NETWORK_NAME] \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --network=[VPC_NETWORK_NAME]

Replace [VPC_NETWORK_NAME] with the name of your VPC network, such as my-vpc-network.

The following example allocates an IP range that allows resources in the VPC network my-vpc-network to connect to Cloud SQL instances using private IP.

gcloud compute addresses create google-managed-services-my-vpc-network \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --network=my-vpc-network \
    --project=my-project

Creating a private connection

Console

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Select the VPC network that you wish to use.
  3. Select the Private service connection tab.
  4. In the Private service connection tab, select the Private connections to services tab.
  5. Click Create connection to create a private connection between your network and a service producer.
  6. For the Assigned allocation, select one or more existing allocated ranges that are not being used by other service producers.
  7. Click Connect to create the connection.

gcloud

  1. Create a private connection.

    gcloud services vpc-peerings connect \
    --service=servicenetworking.googleapis.com \
    --ranges=google-managed-services-[VPC_NETWORK_NAME] \
    --network=[VPC_NETWORK_NAME] \
    --project=[PROJECT_ID]

    Replace [VPC_NETWORK_NAME] with the name of your VPC network and [PROJECT_ID] with the ID of the project that contains your VPC network.

    The command initiates a long-running operation, returning an operation name.

  2. Check whether the operation was successful.

    gcloud services vpc-peerings operations describe \
    --name=[OPERATION_NAME]

    Replace [OPERATION_NAME] with the operation name that was returned from the previous step.

You can specify more than one allocated range when you create a private connection. For example, if a range has been exhausted, you can assign additional allocated ranges. The service uses IP addresses from all of the provided ranges in the order that you specified.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

This page
Documentation feedback
Cloud SQL for PostgreSQL
Product feedback
Need help? Visit our support page.