Cloud SQL Language Connectors overview

This page summarizes the Cloud SQL Language Connectors and how to use them with your instances.

Cloud SQL Language Connectors are libraries that provide encryption and IAM authorization when connecting to a Cloud SQL instance. Cloud SQL Language Connectors create authorized connections to the proxy-side server on behalf of a user's application and pass that connection to the application's database driver. They don't provide a network path to a Cloud SQL instance if one is not already present.

Cloud SQL Language Connectors use a client-side component to connect to a proxy server on the Cloud SQL instance. The connector creates a temporary certificate that authorizes the holder to connect to the server-side proxy. The server-side proxy limits access to the Cloud SQL database by requiring a valid TLS certificate in order to connect.

Cloud SQL supports the following Cloud SQL Language Connectors:

Cloud SQL recommends using Cloud SQL Language Connectors to connect to your Cloud SQL instance. You can also connect to a Cloud SQL instance using a database client or the Cloud SQL Auth Proxy. For more information about connecting to a Cloud SQL instance, see About connection options.

Requirements

If your Cloud SQL instance uses shared certificate authority (CA) as its serverCaMode (Preview), then on the client side, make sure that the Cloud SQL Language Connectors you're using meet their version requirements:

Benefits of Cloud SQL Language Connectors

Cloud SQL Language Connectors provide the following benefits with connecting to a Cloud SQL instance:

  • IAM authorization: Uses identity and access management (IAM) permissions to control who or what can connect to your Cloud SQL instances.
  • Convenience: Removes the requirement to manage SSL certificates, configure firewall rules, or enable authorized networks.

Enforce the use of Cloud SQL Language Connectors

By using connector enforcement, you can enforce using only the Cloud SQL Auth Proxy or Cloud SQL Language Connectors to connect to Cloud SQL instances. With connector enforcement, Cloud SQL rejects direct connections to the database.

If you're using a Private Service Connect-enabled instance, then there's a limitation. If the instance has connector enforcement enabled, then you can't create read replicas for the instance. Similarly, if the instance has read replicas, then you can't enable connector enforcement for the instance.

For more information about how to enforce using only the Cloud SQL Auth Proxy or Cloud SQL Language Connectors to connect to an instance, see Connect using Cloud SQL Language Connectors.

What's next