Configuring private IP connectivity

This page describes how to configure a PostgreSQL instance to use private IP. For information about how private IP works, including environment and management requirements, see Private IP.

Before you begin

Before configuring a Cloud SQL instance to use private IP, you must have the following items in place:

  • A VPC network at least one subnet in the same region as your Cloud SQL instances.

    The GCP resources you will use to connect to your Cloud SQL instance must also be the same region as your Cloud SQL instance, and use a subnet of the VPC network in that region as well. These resources could be Compute Engine instances (VMs) or Google Kubernetes Engine instances.

  • The Service Networking API enabled for your project.

    The Service Networking API is used to establish private services access.

Restrictions on IP address ranges for private IP

The IP range 172.17.0.0/16 is reserved for docker bridge network. Any Cloud SQL instances created with an IP in that range will be unreachable. Connections from any IP within that range to Cloud SQL instances using private IP will fail.

Configuring an instance to use private IP at creation time

You can configure a Cloud SQL instance to use private IP when you create the instance. After you create the instance, you cannot remove private IP capability from the instance.

To configure a new instance to use private IP:

Console

  1. In the Creation wizard, under Configuration Options, expand the Set Connectivity section.
  2. Select the Private IP checkbox.

    A drop down list is displayed listing the available networks. If your project has a host project (using Shared VPC, the network can be in either your project or its host project.

  3. Select the network where the resources you want to connect from are located.
  4. If you previously established a private connection between this network and the Cloud SQL service, you are done; proceed with choosing instance settings and creating the instance.
  5. If no allocated IP range exists for this network:
    1. To let Cloud SQL allocate the range for you and create the private connection, click Allocate and connect. You are done; proceed with choosing instance settings and creating the instance.
    2. Otherwise, allocate an IP range manually and return to this task.
  6. If one or more allocated IP ranges exist for your network, and you haven't yet selected the range you want to use to connect to the Cloud SQL service, select the range and click Connect. Proceed with choosing instance settings and creating the instance.

gcloud

  1. Use the instructions in Configuring private services access to create your private connection.
  2. Create your Cloud SQL instance, using the --network parameter to specify the name of the VPC network you used for the private connection, and the --no-assign-ip flag to indicate that you are disabling public IP. 
    gcloud --project=[PROJECT_ID] beta sql instances [INSTANCE-ID]
       --network=[VPC_NETWORK]
       --no-assign-ip
    VPC_NETWORK is the name of the VPC network set up in Step 1.

Configuring an existing instance to use private IP

You can configure an existing Cloud SQL instance to use private IP. After you configure an instance to use private IP, you cannot remove private IP capability from that instance.

Configuring an existing Cloud SQL instance to use private IP causes the instance to restart, resulting in downtime.

To configure an existing instance to use private IP:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.
    Go to the Cloud SQL Instances page
  2. Click the instance name to open its Overview page.
  3. Select the Connections tab.
  4. Select the Private IP checkbox.

    A drop down list is displayed listing the available networks. If your project has a host project (using Shared VPC, the network can be in either your project or its host project.

  5. Select the network where the resources you want to connect from are located.
  6. If you previously established a private connection between this network and the Cloud SQL service, you are done; proceed with choosing instance settings and creating the instance.
  7. If no allocated IP range exists for this network:
    1. To let Cloud SQL allocate the range for you and create the private connection, click Allocate and connect. You are done; proceed with choosing instance settings and creating the instance.
    2. Otherwise, allocate an IP range manually and return to this task.
  8. If one or more allocated IP ranges exist for your network, and you haven't yet selected the range you want to use to connect to the Cloud SQL service, select the range and click Connect. Proceed with choosing instance settings and creating the instance.

gcloud

  1. Use the instructions in Configuring private services access to create your private connection.
  2. Update your Cloud SQL instance, using the --network parameter to specify the name of the VPC network you used for the private connection. 
    gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE-ID]
       --network=[VPC_NETWORK]
       --no-assign-ip
    VPC_NETWORK is the name of the VPC network set up in Step 1.

Configuring private services access for Cloud SQL without creating an instance

If you want to configure private services access for Cloud SQL without creating a Cloud SQL instance, see Configuring Private Services Access.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

This page
Documentation feedback
Cloud SQL for PostgreSQL
Product feedback