Configuring private IP

This page describes how to configure a Cloud SQL instance to use private IP.

For information about how private IP works, as well as environment and management requirements, see Private IP.

Before you begin

Before configuring a Cloud SQL instance to use private IP, you must do the following:

• Enable the Service Networking API for your project. If you are using a Shared VPC network, you also need to enable the Service Networking API for the host project.

• Select a VPC network to use.

• One-time only: Configure private services access in your VPC network to allocate an IP address range and create a private service connection. This allows resources in the VPC network to connect to Cloud SQL instances.

  • Establishing private services access requires the Network Administrator IAM role.

    After private services access is established for your network, you no longer need the Network Administrator role to configure an instance to use private IP.

  • If you are using private IP for any of your Cloud SQL instances, you only need to configure private services access one time for every Google Cloud project that has or needs to connect to a Cloud SQL instance. For more information, see Private services access

Cloud SQL configures private services access for you when all of the conditions below are true:

• You have not yet configured private services access in the Google Cloud project.
• You are enabling private IP for the first time for any Cloud SQL instance in the Google Cloud project.
• When enabling private IP in the instance's Connections page, you select both the default Associated networking and Use an automatically allocated IP range options.

Configuring an instance to use private IP

You can configure a Cloud SQL instance to use private IP when you create the instance, or for an existing instance.

Configuring private IP for a new instance

To configure a Cloud SQL instance to use private IP when creating an instance:

gcloud --project=[PROJECT_ID] beta sql instances create [INSTANCE_ID]
       --network=[VPC_NETWORK_NAME]
       --no-assign-ip

Configuring private IP for an existing instance

Configuring an existing Cloud SQL instance to use private IP causes the instance to restart, resulting in downtime.

To configure an existing instance to use private IP:

gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE_ID]
       --network=[VPC_NETWORK_NAME]
       --no-assign-ip

Connecting to an instance using its Private IP

You use private services access to connect to Cloud SQL instances from Compute Engine or Google Kubernetes Engine instances in the same VPC network (defined here as internal sources) or from outside of that network (an external source).

Connecting from an internal source

To connect from a source in the same Google Cloud project as your Cloud SQL instance, such as the Cloud SQL Proxy running on a Compute Engine resource, that resource must be in the same VPC network as the Cloud SQL instance.

Connecting from an external source

To connect from a source that is not in the same Google Cloud Project as your Cloud SQL instance, you need to establish a connection between that source and your VPC network. You can do this using Cloud VPN:

1. Create a VPN and set up VPC Network peering through a VPN tunnel.
   • Step-by-step instructions for an on-premises source are on this Cloud VPN how-to page.
   • Step-by-step instructions for a source in a different Google Cloud project are on this other Cloud VPN how-to page.
2. Configure your VPC network to export custom routes from your source network to your Cloud SQL VPC network over the peering connection. You need to perform this procedure for each type of database engine that you use (MySQL, PostgreSQL, and SQL Server).

Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console.

   Go to the Cloud SQL Instances page

2. Create a new instance with private IP or configure an existing instance with private IP.
3. Verify that the network peering exists between your VPN and the Cloud SQL VPC network.
   1. Go to the VPC network peering link in the VPC network details page.
   2. Look under Name for cloudsql-postgres-googleapis-com.
4. Verify that export is enabled for the network peering.
   1. Look under Exchange custom routes. If it says Export custom routes, go to step 4.
   2. Click the name of the peering to view the Peering connection details page.
   3. Click EDIT.
   4. Check Export custom routes.
   5. Click Save.
5. Add a route in your source network:
   1. IP range: Add the reserved IP range. You can find this on the Routes link in the VPC network details page under Destination IP range.
   2. Next hop: Add the VPN gateway. You can find the VPN tunnel under Next hop.

gcloud

1. Create a new instance with private IP or configure an existing instance with private IP.
2. Verify that export is enabled for the network peering:
   1. Export custom routes.

      gcloud beta compute networks peerings update 
      
      cloudsql-postgres-googleapis-com --network=[customers network] 
      
                                       --export-custom-routes
             

3. Add a route in your on-premise network.
   1. Destination range: Add the reserved IP range.
   2. Next hop: Add the VPN tunnel.

3. Use the Cloud SQL Proxy or one of the other connection methods to connect to the Cloud SQL instance.

What's next

• Learn more about private IP.
• Learn more about private services access.
• See how to use VPC Service Controls to add a service perimeter.
• Learn more about configuring private services access.
• Learn more about configuring private services access for Cloud SQL.
• Learn more about Cloud VPN.
• Learn more about VPC networks.
• Learn more about VPC peering.
• Learn more about Shared VPC.