Configuring private IP connectivity

MySQL | PostgreSQL

This page describes how to configure a PostgreSQL instance to use private IP. For information about how private IP works, including environment and management requirements, see Private IP.

Before you begin

Before configuring a Cloud SQL instance to use private IP, you must have the following items in place:

A VPC network at least one subnet in the same region as your Cloud SQL instances.

The GCP resources you will use to connect to your Cloud SQL instance must also be the same region as your Cloud SQL instance, and use a subnet of the VPC network in that region as well. These resources could be Compute Engine instances (VMs) or Google Kubernetes Engine instances.

Note: Your Cloud SQL instances are not created in your VPC network. They are created in the producer network (a VPC network internal to Google).
The Service Networking API enabled for your project.

The Service Networking API is used to establish private services access.

Restrictions on IP address ranges for private IP

The IP range 172.17.0.0/16 is reserved for docker bridge network. Any Cloud SQL instances created with an IP in that range will be unreachable. Connections from any IP within that range to Cloud SQL instances using private IP will fail.

Configuring an instance to use private IP at creation time

You can configure a Cloud SQL instance to use private IP when you create the instance. After you create the instance, you cannot remove private IP capability from the instance.

In the Creation wizard, under Configuration Options, expand the Set Connectivity section.
Select the Private IP checkbox.

A drop down list is displayed listing the available networks. If your project has a host project (using Shared VPC), the network can be in either your project or its host project.
Select the network where the resources you want to connect from are located.
If you previously established a private connection between this network and the Cloud SQL service, you are done; proceed with choosing instance settings and creating the instance.
If no allocated IP range exists for this network:
1. To let Cloud SQL allocate the range for you and create the private connection, click Allocate and connect. You are done; proceed with choosing instance settings and creating the instance.
2. Otherwise, allocate an IP range manually and return to this task.
If one or more allocated IP ranges exist for your network, and you haven’t yet selected the range you want to use to connect to the Cloud SQL service, select the range and click Connect. Proceed with choosing instance settings and creating the instance.

Configuring an existing instance to use private IP

You can configure an existing Cloud SQL instance to use private IP. After you configure an instance to use private IP, you cannot remove private IP capability from that instance.

Configuring an existing Cloud SQL instance to use private IP causes the instance to restart, resulting in downtime.

Go to the Cloud SQL Instances page in the Google Cloud Platform Console.
Go to the Cloud SQL Instances page
Click the instance name to open its Overview page.
Select the Connections tab.
Select the Private IP checkbox.

A drop down list is displayed listing the available networks. If your project has a host project (using Shared VPC), the network can be in either your project or its host project.
Select the network where the resources you want to connect from are located.
If you previously established a private connection between this network and the Cloud SQL service, you are done; proceed with choosing instance settings and creating the instance.
If no allocated IP range exists for this network:
1. To let Cloud SQL allocate the range for you and create the private connection, click Allocate and connect. You are done; proceed with choosing instance settings and creating the instance.
2. Otherwise, allocate an IP range manually and return to this task.
If one or more allocated IP ranges exist for your network, and you haven’t yet selected the range you want to use to connect to the Cloud SQL service, select the range and click Connect. Proceed with choosing instance settings and creating the instance.

Configuring private services access for Cloud SQL without creating an instance

If you want to configure private services access for Cloud SQL without creating a Cloud SQL instance, see Configuring Private Services Access.

What's next

Learn more about private IP.
Learn more about private services access.
See how to allocate an IP range for private services access.

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated May 3, 2019.