Configuring private IP

This page describes how to configure a Cloud SQL instance to use private IP.

For information about how private IP works, as well as environment and management requirements, see Private IP.

Before you begin

Before configuring a Cloud SQL instance to use private IP, you must do the following:

  • Enable the Service Networking API for your project. If you are using a Shared VPC network, you also need to enable the Service Networking API for the host project.

  • Select a VPC network to use.

  • One-time only: Configure private services access in your VPC network to allocate an IP address range and create a private service connection. This allows resources in the VPC network to connect to Cloud SQL instances.

    • Establishing private services access requires the Network Administrator IAM role.

      After private services access is established for your network, you no longer need the Network Administrator role to configure an instance to use private IP.

  • You need to configure private services access only once per Google Cloud project that has, or needs to connect to, a Cloud SQL instance, no matter how many of your instances use private IP. For more information, see Private services access.

Cloud SQL configures private services access for you when all of the conditions below are true:

  • You have not yet configured private services access in the Google Cloud project.
  • You are enabling private IP for the first time for any Cloud SQL instance in the Google Cloud project.
  • When enabling private IP in the instance's Connections page, you select both the default Associated networking and Use an automatically allocated IP range options.
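The one-time setup described in the list above, written out as gcloud commands. This is an added example and not code from the Cloud SQL documentation; the project name my-project, the VPC name my-vpc, the range name google-managed-services-my-vpc and the /24 block size are assumptions, and the API, address and peering commands are the standard gcloud ones for private services access. With DRY_RUN=1 (the default) the script only prints the commands so they can be reviewed before anything is created; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the Cloud SQL documentation): the one-time private
# services access setup this section requires, as gcloud commands.
# Assumed names: project "my-project", VPC "my-vpc", reserved range
# "google-managed-services-my-vpc", a /24 block. With DRY_RUN=1 (the default)
# the gcloud commands are printed rather than executed, so the script can be
# reviewed before it creates anything; run with DRY_RUN=0 to apply.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
VPC_NETWORK_NAME="${VPC_NETWORK_NAME:-my-vpc}"
RANGE_NAME="${RANGE_NAME:-google-managed-services-$VPC_NETWORK_NAME}"
PREFIX_LENGTH="${PREFIX_LENGTH:-24}"   # assumed size; widen it if you expect many instances
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Prerequisite from the list above: the Service Networking API. For Shared VPC,
# run this against the host project as well.
enable_service_networking() {
    run gcloud services enable servicenetworking.googleapis.com --project="$PROJECT_ID"
}

# Reserve an address range for Google-managed services. Without --addresses,
# Google picks a free block of the requested size inside the VPC; the purpose
# must be VPC_PEERING so private services access can use it.
allocate_range() {
    run gcloud compute addresses create "$RANGE_NAME" \
        --global --purpose=VPC_PEERING \
        --prefix-length="$PREFIX_LENGTH" \
        --network="$VPC_NETWORK_NAME" \
        --project="$PROJECT_ID"
}

# Create the private connection: a peering between the VPC and the service
# producer network that Cloud SQL instances are placed in.
create_private_connection() {
    run gcloud services vpc-peerings connect \
        --service=servicenetworking.googleapis.com \
        --ranges="$RANGE_NAME" \
        --network="$VPC_NETWORK_NAME" \
        --project="$PROJECT_ID"
}

# Check: an existing connection means the one-time setup was already done
# for this project and the steps above should not be repeated.
list_private_connections() {
    run gcloud services vpc-peerings list \
        --network="$VPC_NETWORK_NAME" \
        --project="$PROJECT_ID"
}

configure_private_services_access() {
    enable_service_networking
    allocate_range
    create_private_connection
    list_private_connections
}

configure_private_services_access
```

Run `gcloud services vpc-peerings list` first on a project you did not set up yourself: if a connection to servicenetworking.googleapis.com already exists, skip the allocate and connect steps, since the page says this is done once per project.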

Configuring an instance to use private IP

You can configure a Cloud SQL instance to use private IP when you create the instance, or for an existing instance.

Configuring private IP for a new instance

To configure a Cloud SQL instance to use private IP when creating an instance:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

  2. Click CREATE INSTANCE.
  3. In the Creation wizard, under Configuration Options, expand the Connectivity section.
  4. Select the Private IP checkbox.

    A drop-down list shows the available VPC networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.

  5. Select the VPC network you want to use.
  6. If you have already configured private services access for that network:

    1. A drop-down shows the IP address range you allocated.
    2. Click Connect.
    3. Click Create.

    To let Cloud SQL allocate the range for you and create the private connection:

    1. Select the `default` VPC network.
    2. Click Allocate and connect.
    3. Click Create.

gcloud

If you have not already done so, configure private services access for the VPC network first (see Private services access). Then create the Cloud SQL instance, using the --network parameter to specify your chosen VPC network and the --no-assign-ip flag to disable public IP, so that the instance is reachable only through its private address.

Unless the VPC network is a Shared VPC network, the --network parameter value is either the bare network name (for a network in the same project, as in the example below) or the full resource path in the format https://www.googleapis.com/compute/alpha/projects/[PROJECT_ID]/global/networks/[VPC_NETWORK_NAME]

If the VPC network is a Shared VPC network, the --network parameter value is in the format projects/HOST_PROJECT_ID/global/networks/VPC_NETWORK_NAME, where HOST_PROJECT_ID is the name of the Shared VPC host project and VPC_NETWORK_NAME is the name of the Shared VPC network.

gcloud --project=[PROJECT_ID] beta sql instances create [INSTANCE_ID] \
       --network=[VPC_NETWORK_NAME] \
       --no-assign-ip

Configuring private IP for an existing instance

Configuring an existing Cloud SQL instance to use private IP causes the instance to restart, resulting in downtime.

To configure an existing instance to use private IP:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Click the instance name to open its Overview page.
  3. Select the Connections tab.
  4. Select the Private IP checkbox.

    A drop-down list shows the available networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.

  5. If you have already configured private services access for that network:
    1. Select the VPC network you want to use.
    2. A drop-down shows the IP address range you allocated.
    3. Click Connect.
    4. Click Save.
  6. To let Cloud SQL allocate the range for you and create the private connection:
    1. Select the `default` VPC network.
    2. Click Allocate and connect.
    3. Click Save.

gcloud

If you have not already done so, configure private services access for the VPC network first (see Private services access). Then update the Cloud SQL instance, using the --network parameter to specify your chosen VPC network and --no-assign-ip to remove the public IP address.

VPC_NETWORK_NAME is the name of your chosen VPC network, for example my-vpc-network. For a network in the same project you can pass the name directly; the full resource path format is https://www.googleapis.com/compute/alpha/projects/[PROJECT_ID]/global/networks/[VPC_NETWORK_NAME], and for a Shared VPC network it is projects/HOST_PROJECT_ID/global/networks/VPC_NETWORK_NAME.

gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE_ID] \
       --network=[VPC_NETWORK_NAME] \
       --no-assign-ip
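The create command from the new-instance section and the patch command above, wrapped with the check a practitioner wants afterwards: that the instance really ended up with a private address and no public one. This is an added example and not code from the Cloud SQL documentation. The project name my-project, instance name my-db and VPC name my-vpc are assumptions, and the ';'-joined shape of the `value(ipAddresses[].type)` output (for example "PRIMARY;PRIVATE") is this example's assumption about gcloud's formatting; PRIMARY is the type gcloud uses for the public address. DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the Cloud SQL documentation): the create and patch
# commands from this page wrapped with a check that the instance ends up with
# a private address only. Assumed names: project "my-project", instance
# "my-db", VPC "my-vpc". DRY_RUN=1 (the default) prints commands instead of
# running them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
INSTANCE_ID="${INSTANCE_ID:-my-db}"
VPC_NETWORK_NAME="${VPC_NETWORK_NAME:-my-vpc}"
HOST_PROJECT_ID="${HOST_PROJECT_ID:-$PROJECT_ID}"   # differs only with Shared VPC
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The full resource path works for both a network in this project and a
# Shared VPC network owned by the host project.
network_path() {
    printf 'projects/%s/global/networks/%s\n' "$HOST_PROJECT_ID" "$VPC_NETWORK_NAME"
}

# New instance: private IP from the start, public IP never assigned.
# Extra flags (e.g. --database-version, --region) are passed through.
create_private_instance() {
    run gcloud --project="$PROJECT_ID" beta sql instances create "$INSTANCE_ID" \
        --network="$(network_path)" --no-assign-ip "$@"
}

# Existing instance: adds private IP and drops the public one; restarts the instance.
patch_to_private() {
    run gcloud --project="$PROJECT_ID" beta sql instances patch "$INSTANCE_ID" \
        --network="$(network_path)" --no-assign-ip
}

# Address types of the instance. The ';'-joined shape of the value() output
# (e.g. "PRIMARY;PRIVATE") is this example's assumption about gcloud formatting.
describe_ip_types() {
    run gcloud --project="$PROJECT_ID" sql instances describe "$INSTANCE_ID" \
        --format='value(ipAddresses[].type)'
}

# PRIMARY is the public address. Succeeds only when no PRIMARY address is
# assigned and a PRIVATE one exists.
check_private_only() {
    ip_types="$1"
    case ";$ip_types;" in
        *";PRIMARY;"*) echo "public address still assigned: $ip_types"; return 1 ;;
        *";PRIVATE;"*) echo "private only: $ip_types"; return 0 ;;
    esac
    echo "no private address found: $ip_types"
    return 1
}

main() {
    patch_to_private
    if [ "$DRY_RUN" = 1 ]; then
        # Constructed sample values standing in for describe output before and after the patch.
        check_private_only "PRIMARY;PRIVATE" || true
        check_private_only "PRIVATE"
    else
        check_private_only "$(describe_ip_types)"
    fi
}

main
```

The check is worth keeping as a standing control: a later patch that re-enables public IP would make it fail, which is the condition an audit of "private IP only" instances is looking for.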

Connecting to an instance using its Private IP

You use private services access to connect to Cloud SQL instances from Compute Engine or Google Kubernetes Engine instances in the same VPC network (defined here as internal sources) or from outside of that network (an external source).

Connecting from an internal source

To connect from a source in the same Google Cloud project as your Cloud SQL instance, such as the Cloud SQL Proxy running on a Compute Engine resource, that resource must be in the same VPC network as the Cloud SQL instance.
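The proxy start-up for this case, as an added example that is not part of the original page or of the Cloud SQL Proxy project: it builds the instance connection name and starts the v1 Cloud SQL Proxy on the Compute Engine VM restricted to the instance's private address, so the proxy cannot fall back to a public address if one is ever re-enabled. The project name my-project, region us-central1, instance name my-db and local port 5432 are assumptions; `-instances` and `-ip_address_types` are the v1 proxy's flags (the v2 proxy uses a `--private-ip` flag instead). DRY_RUN=1 (the default) prints the command rather than starting the proxy.

```shell
#!/bin/sh
# Added example (not from the Cloud SQL documentation): starting the v1
# Cloud SQL Proxy on a Compute Engine VM in the same VPC, restricted to the
# instance's private address so it never falls back to a public one.
# Assumed names: project "my-project", region "us-central1", instance
# "my-db", local port 5432 (PostgreSQL). DRY_RUN=1 (default) prints the command.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
INSTANCE_ID="${INSTANCE_ID:-my-db}"
LOCAL_PORT="${LOCAL_PORT:-5432}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The proxy identifies an instance by its connection name PROJECT:REGION:INSTANCE.
connection_name() {
    printf '%s:%s:%s\n' "$PROJECT_ID" "$REGION" "$INSTANCE_ID"
}

# Reject anything that is not exactly three non-empty colon-separated fields
# before it is handed to the proxy.
valid_connection_name() {
    case "$1" in
        *:*:*:*|:*|*:|*::*|"") return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# -ip_address_types=PRIVATE tells the v1 proxy to connect only to the
# instance's private address; with the default (PUBLIC,PRIVATE) it would use
# a public address if one were ever re-enabled. The proxy still authenticates
# with the VM's credentials and encrypts the connection with TLS.
proxy_command() {
    name="$(connection_name)"
    valid_connection_name "$name" || { echo "bad connection name: $name" >&2; return 1; }
    run cloud_sql_proxy -instances="$name=tcp:$LOCAL_PORT" -ip_address_types=PRIVATE
}

proxy_command
```

Clients on the VM then connect to 127.0.0.1:5432; the VM's service account needs the Cloud SQL Client role for the proxy to authorize the connection.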

Connecting from an external source

To connect from a source that is not in the same Google Cloud Project as your Cloud SQL instance, you need to establish a connection between that source and your VPC network. You can do this using Cloud VPN:

  1. Create a Cloud VPN tunnel between your source network and the VPC network that holds the private services access peering to Cloud SQL.
  2. Configure that VPC network to export custom routes over the peering connection, so that routes to your source network reach the Cloud SQL network. You need to perform this procedure for each database engine that you use (MySQL, PostgreSQL, and SQL Server), because each engine has its own peering connection.
  3. Verify the peering and add the route, using either the Console or gcloud:

    Console

    1. Go to the Cloud SQL Instances page in the Google Cloud Console.
    2. Create a new instance with private IP or configure an existing instance with private IP.
    3. Verify that the network peering exists between your VPC network and the Cloud SQL service network:
      1. Go to the VPC network peering link in the VPC network details page.
      2. Look under Name for cloudsql-postgres-googleapis-com.
    4. Verify that export is enabled for the network peering:
      1. Look under Exchange custom routes. If it says Export custom routes, go to step 5.
      2. Click the name of the peering to view the Peering connection details page.
      3. Click EDIT.
      4. Check Export custom routes.
      5. Click Save.
    5. Add a route in your source network:
      1. IP range: the reserved IP range. You can find this on the Routes link in the VPC network details page under Destination IP range.
      2. Next hop: the VPN gateway. You can find the VPN tunnel under Next hop.

    gcloud

    1. Create a new instance with private IP or configure an existing instance with private IP.
    2. Verify that export is enabled for the network peering; if it is not, export custom routes:

        gcloud beta compute networks peerings update cloudsql-postgres-googleapis-com \
            --network=[VPC_NETWORK_NAME] \
            --export-custom-routes

    3. Add a route in your on-premises network:
      1. Destination range: the reserved IP range.
      2. Next hop: the VPN tunnel.

  4. Use the Cloud SQL Proxy or one of the other connection methods to connect to the Cloud SQL instance.
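The gcloud side of the VPN procedure above, as an added example that is not code from the Cloud SQL documentation: it reads the VPC network's peerings, enables custom-route export on the Cloud SQL peering only if it is actually off, fails loudly if the peering does not exist (meaning private IP was never configured for that engine), and prints the reserved range that the on-premises router must send towards the VPN tunnel. The project name my-project, VPC name my-vpc and the PostgreSQL peering name cloudsql-postgres-googleapis-com from the steps above are assumptions (use the MySQL or SQL Server peering name for those engines), and the `--flatten`/`csv[no-heading]` output shape is this example's assumption about gcloud's formatting. DRY_RUN=1 (the default) prints the commands and runs the check against a constructed sample of the peering listing.

```shell
#!/bin/sh
# Added example (not from the Cloud SQL documentation): the gcloud side of the
# VPN procedure above, with a check of the peering's export flag before
# changing it, and a lookup of the reserved range the on-premises router
# needs. Assumed names: project "my-project", VPC "my-vpc", peering
# "cloudsql-postgres-googleapis-com" (the PostgreSQL peering named above).
# The --flatten/csv output shape is this example's assumption about gcloud
# formatting. DRY_RUN=1 (default) prints commands and uses a constructed
# sample of the describe output.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
VPC_NETWORK_NAME="${VPC_NETWORK_NAME:-my-vpc}"
PEERING_NAME="${PEERING_NAME:-cloudsql-postgres-googleapis-com}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Constructed sample of the peering listing (name,exportCustomRoutes per line).
SAMPLE_PEERINGS='cloudsql-postgres-googleapis-com,False
other-peering,True'

# One "name,exportCustomRoutes" line per peering of the VPC network.
list_peerings() {
    run gcloud compute networks describe "$VPC_NETWORK_NAME" --project="$PROJECT_ID" \
        --flatten='peerings[]' \
        --format='csv[no-heading](peerings.name,peerings.exportCustomRoutes)'
}

# Exit status: 0 = peering exports custom routes, 1 = peering exists but does
# not export, 2 = peering missing (private IP not yet configured for this engine).
export_state() {
    name="$2"
    printf '%s\n' "$1" | {
        found=0
        while IFS=, read -r pname exports; do
            if [ "$pname" = "$name" ]; then
                [ "$exports" = "True" ] && exit 0
                found=1
            fi
        done
        [ "$found" = 1 ] && exit 1
        exit 2
    }
}

# Enable export only when it is actually off; fail loudly if the peering is absent.
ensure_export() {
    state=0
    export_state "$1" "$PEERING_NAME" || state=$?
    case "$state" in
        0) echo "$PEERING_NAME already exports custom routes" ;;
        1) run gcloud beta compute networks peerings update "$PEERING_NAME" \
               --network="$VPC_NETWORK_NAME" --project="$PROJECT_ID" \
               --export-custom-routes ;;
        *) echo "peering $PEERING_NAME not found on $VPC_NETWORK_NAME; configure private IP first" >&2
           return 1 ;;
    esac
}

# The reserved range(s): destination of the route on the on-premises side,
# with the VPN tunnel as next hop.
reserved_ranges() {
    run gcloud compute addresses list --project="$PROJECT_ID" --global \
        --filter='purpose=VPC_PEERING' --format='value(address,prefixLength)'
}

main() {
    if [ "$DRY_RUN" = 1 ]; then
        ensure_export "$SAMPLE_PEERINGS"
    else
        ensure_export "$(list_peerings)"
    fi
    reserved_ranges
}

main
```

Exporting custom routes makes every custom route in the VPC, not only the VPN one, visible to the service producer network, so keep the routes in that VPC limited to what Cloud SQL clients actually need.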

What's next