Configuring private IP

MySQL | PostgreSQL | SQL Server

This page describes how to configure a Cloud SQL instance to use private IP.

For information about how private IP works, as well as environment and management requirements, see Private IP.

Before you begin

API and IAM requirements

You must enable the Service Networking API for your project.

If you are using a Shared VPC network, you also need to enable this API for the host project.

In order to manage a private services access connection, the user should have the following IAM permissions. If you don't have the required permissions you can get insufficient-permissions errors.
- compute.networks.list
- compute.addresses.create
- compute.addresses.list
- servicenetworking.services.addPeering
If you are using a Shared VPC network, you also need to add your user to the host project and assign the same permissions to the user on the host project.

Private services access

When you create a new VPC network in your project, you need to configure private services access to allocate an IP address range and create a private service connection. This allows resources in the VPC network to connect to Cloud SQL instances. The console provides a wizard to help you set up this configuration.

Assigning different VPC networks to Cloud SQL for PostgreSQL instances with private IP addresses provides better isolation than attaching all of them to the default VPC network.

The IP range 172.17.0.0/16 is reserved for the Docker bridge network. Any Cloud SQL instances created with an IP in that range will be unreachable. Connections from any IP within that range to Cloud SQL instances using private IP will fail.

Configuring an instance to use private IP

You can configure a Cloud SQL instance to use private IP when you create the instance, or for an existing instance.

Configuring private IP for a new instance

To configure a Cloud SQL instance to use private IP when creating an instance:

Console

In the Google Cloud Console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click Create instance.
In the Creation wizard, in the Configuration Options section, expand the Connectivity section.
Select the Private IP checkbox.
A drop-down list shows the available VPC networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.
Select the VPC network you want to use:

If you see Private service connection required:

Click Set up connection.
In the Allocate an IP range section, choose one of the following options:
- Select one or more existing IP ranges or create a new one from the dropdown. The dropdown includes previously allocated ranges, if there are any, or you can select Allocate a new IP range and enter a new range and name.
- Use an automatically allocated IP range in your network.
Click Continue.
Click Create connection.
Verify that you see the Private service connection for network VPN_NAME has been successfully created status.

Click Save.

gcloud

If you have not previously done so, follow the instructions below to configure private services access for Cloud SQL. Create your Cloud SQL instance, using the --network parameter to specify the name of your chosen VPC network, and the --no-assign-ip flag to disable public IP. The --network parameter value is in the format projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME. The PROJECT_ID is the project ID of the VPC network. If the VPC network is a Shared VPC, it should be the id of the Shared VPC host project.

gcloud beta sql instances create INSTANCE_ID \
--project=PROJECT_ID \
--network=VPC_NETWORK_NAME \
--no-assign-ip

Configuring private IP for an existing instance

Configuring an existing Cloud SQL instance to use private IP causes the instance to restart, resulting in downtime.

To configure an existing instance to use private IP:

Console

In the Google Cloud Console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click the instance name to open its Overview page.
Select Connections from the SQL navigation menu.
Select the Private IP checkbox.
A drop-down list shows the available networks in your project.
Select the VPC network you want to use:

If you see Private service connection required:

Click Set up connection.
In the Allocate an IP range section, choose one of the following options:
- Select one or more existing IP ranges or create a new one from the dropdown. The dropdown includes previously allocated ranges, if there are any, or you can select Allocate a new IP range and enter a new range and name.
- Use an automatically allocated IP range in your network.
Click Continue.
Click Create connection.
Verify that you see the Private service connection for network VPN_NAME has been successfully created status.

Click Save.

gcloud

If you have not previously done so, follow the instructions below to configure private services access for Cloud SQL. Update your Cloud SQL instance, using the --network parameter to specify the name of your chosen VPC network.

VPC_NETWORK_NAME is the name of your chosen VPC network, for example: my-vpc-network. The --network parameter value is in the format: https://www.googleapis.com/compute/alpha/projects/[PROJECT_ID]/global/networks/[VPC_NETWORK_NAME]

gcloud beta sql instances patch INSTANCE_ID \
--project=PROJECT_ID \
--network=VPC_NETWORK_NAME \
--no-assign-ip

Connecting to an instance using its Private IP

You use private services access to connect to Cloud SQL instances from Compute Engine or Google Kubernetes Engine instances in the same VPC network (defined here as internal sources) or from outside of that network (an external source).

Connecting from an internal source

To connect from a source in the same Google Cloud project as your Cloud SQL instance, such as the Cloud SQL Auth proxy running on a Compute Engine resource, that resource must be in the same VPC network as the Cloud SQL instance.

To connect from a serverless source, such as App Engine standard environment, Cloud Run, or Cloud Functions, your application or function connects directly to your instance through Serverless VPC Access without the Cloud SQL Auth proxy.

Connecting from an external source

You can connect from a client in an external network (on-premises network or VPC network) if the external network is connected to the VPC network to which your Cloud SQL instance is connected. To permit connections from an external network, do the following:

Ensure your VPC network is connected to the external network using a Cloud VPN tunnel or a VLAN attachment for Dedicated Interconnect or Partner Interconnect.
Ensure the BGP sessions on the Cloud Routers managing your Cloud VPN tunnels and Cloud Interconnect attachments (VLANs) have received specific prefixes (destinations) from your on-premises network. Default routes (destination 0.0.0.0/0) cannot be imported into the Cloud SQL VPC network because that network has its own local default route. Local routes for a destination are always used, even though the Cloud SQL peering is configured to import custom routes from your VPC network.
Identify the peering connections produced by the private services connection. Depending on the service, the private services connection might create one or more of the following peering connections, but not necessarily all of them:
- cloudsql-mysql-googleapis-com
- cloudsql-postgres-googleapis-com
- servicenetworking-googleapis-com
Update all of the peering connections to enable Export custom routes.
Identify the allocated range used by the private services connection.
Create a Cloud Router custom route advertisement for the allocated range on the Cloud Routers managing BGP sessions for your Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).

Connecting from Cloud Shell

Cloud Shell doesn't currently support connecting to a Cloud SQL instance that has only a private IP address.

Connecting from non-RFC 1918 addresses

RFC 1918 specifies IP addresses that are assigned to be used internally (that is, within an organization) and will not route on the Internet. Specifically, these are:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Connections to a Cloud SQL instance using a private IP address are automatically authorized for RFC 1918 address ranges. This way, all private clients can access the database without going through the proxy.

Non-RFC 1918 address ranges (addresses not within the RFC 1918 address space) must be configured as authorized networks.

To connect from a non-RFC 1918 address, you must set per-instance IP authorization to allow traffic from non-RFC 1918 address ranges.

For example, use a gcloud command like the following:

gcloud sql instances patch INSTANCE_NAME \
--authorized-networks=192.88.99.0/24,11.0.0.0/24

Cloud SQL doesn't learn Non-RFC 1918 subnet routes from your VPC by default. You need to update the network peering to Cloud SQL to export any Non-RFC 1918 routes.

gcloud compute networks peerings update cloudsql-postgres-googleapis-com 

--network=NETWORK 

--export-subnet-routes-with-public-ip 

--project=PROJECT_ID

cloudsql-postgres-googleapis-com is a Private Service Connection name from your VPC Network page.
Select your network, then look for the Private Service Connection section.
NETWORK is the name of your VPC network.
PROJECT_ID is the ID of the project of the VPC network. Use the host project ID if you're using Shared VPC.

Troubleshooting

Issue Troubleshooting

Issue	Troubleshooting
`Aborted connection`.	The issue might be: Networking instability. No response to TCP keep-alive commands (either the client or the server isn't responsive, possibly overloaded) The database engine connection lifetime was exceeded and the server ends the connection. Applications must tolerate network failures and follow best practices such as connection pooling and retrying. Most connection poolers catch these errors where possible. Otherwise the application must either retry or fail gracefully. For connection retry, we recommend the following methods: Exponential backoff. Increase the time interval between each retry, exponentially. Add randomized backoff also. Combining these methods helps reduce throttling.
`FATAL: database 'user' does not exist`.	`gcloud sql connect --user` only works with the default `postgres` user. Connect with the default user, then change users.
You want to find out who is connected.	Log into the database and run this command: SELECT datname, usename, application_name as appname, client_addr, state, now() - backend_start as conn_age, now() - state_change as last_activity_age FROM pg_stat_activity WHERE backend_type = 'client backend' ORDER BY 6 DESC LIMIT 20

Aborted connection.

The issue might be:

Networking instability.
No response to TCP keep-alive commands (either the client or the server isn't responsive, possibly overloaded)
The database engine connection lifetime was exceeded and the server ends the connection.

Applications must tolerate network failures and follow best practices such as connection pooling and retrying. Most connection poolers catch these errors where possible. Otherwise the application must either retry or fail gracefully.

For connection retry, we recommend the following methods:

Exponential backoff. Increase the time interval between each retry, exponentially.
Add randomized backoff also.

Combining these methods helps reduce throttling.

FATAL: database 'user' does not exist.

gcloud sql connect --user only works with the default postgres user.

Connect with the default user, then change users.

You want to find out who is connected.

Log into the database and run this command:

SELECT datname,
usename,
application_name as appname,
client_addr,
state,
now() - backend_start as conn_age,
now() - state_change as last_activity_age
FROM pg_stat_activity
WHERE backend_type = 'client backend'
ORDER BY 6 DESC
LIMIT 20

What's next

Learn more about private IP.
Learn more about private services access.
See how to use VPC Service Controls to add a service perimeter.
Learn more about configuring private services access.
Learn more about configuring private services access for Cloud SQL.
Learn more about Cloud VPN.
Learn more about VPC networks.
Learn more about VPC peering.
Learn more about Shared VPC.