This page describes how to connect to your Cloud SQL instance across transitively peered VPCs.
Cloud SQL offers the following ways to connect your Cloud SQL instance to multiple VPCs using private IP:
- Connect using custom route advertisements
- Connect using an intermediate proxy (SOCKS5)
- Connect using Proxy as a service
To learn more about your Cloud SQL instance and multiple VPCs, see Cloud SQL instance across multiple VPCs.
Connect using custom route advertisements
You can use Cloud Router to manually advertise routes between two networks that go through an intermediate VPC to connect multiple VPCs to your Cloud SQL instance. The two VPCs must be connected using a virtual private network (VPN), Cloud Interconnect, or any other Cloud Router-supported network.
With custom route advertisements, your Cloud SQL VPC, VPC C, is connected to your main VPC, VPC A, using an intermediate VPC, VPC B. You can configure shared routes between these networks in the following ways:
- You can use Cloud Router to manually advertise routes between two networks that go through an intermediate VPC. For more information on how to configure Cloud Router to manually advertise routes, see Transit network.
- You can create two HA VPN gateways that connect to each other to bridge the two different VPCs and configure Cloud Router to share routes between them. For more information on how to set up HA VPN gateways, see Create HA VPN gateways to connect VPC networks.
We recommend using custom route advertisements to connect multiple VPCs to your Cloud SQL instance using Cloud Router.
Connect using an intermediate proxy (SOCKS5)
You can set up an intermediate proxy, such as a SOCKS5 proxy, on an intermediate VPC, along with the Cloud SQL Auth Proxy in your main VPC, between the client and your Cloud SQL instance. This lets the intermediate node forward the encrypted traffic from the Cloud SQL Auth Proxy to the Cloud SQL instance.
To use an intermediate proxy to connect to multiple VPCs, follow these steps:
- Install and configure a SOCKS5 server on your intermediate VM. An example of a SOCKS5 server is Dante.
- Configure the SOCKS5 server to bind to your VM's ens4 network interface, on any port, for both external and internal connections.
- Configure your VPC's firewall to allow TCP traffic from the appropriate IP address or range to the SOCKS server's configured port.
- Install the Cloud SQL Auth Proxy on your external client.
- Run the Cloud SQL Auth Proxy on your external client with the ALL_PROXY environment variable set to the intermediary VM's IP address and to the port used by the SOCKS server:
ALL_PROXY=socks5://$IP_ADDRESS:$PORT cloud-sql-proxy $INSTANCE_CONNECTION_NAME
To run this command, replace the following variables:
- INSTANCE_CONNECTION_NAME: your Cloud SQL instance name in
- IP_ADDRESS: your connection IP address. If you're connecting from a peered VPC, use the intermediary VM's internal IP address. Otherwise, use its external IP address.
- PORT: the port used by your connection.
For example, the following command configures the Cloud SQL Auth Proxy to connect to the instance using a SOCKS server running on the IP address 198.51.100.1 and on port 1080:
ALL_PROXY=socks5://198.51.100.1:1080 cloud-sql-proxy $INSTANCE_CONNECTION_NAME
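The following shell script is an added example, not part of the Cloud SQL documentation or the Dante project, that generates the three artifacts the procedure above calls for: a Dante configuration bound to ens4 on the chosen port, the firewall rule that admits only the client range to that port, and the client-side ALL_PROXY invocation that picks the intermediary's internal or external IP depending on whether the client sits in a peered VPC. The Dante keys follow Dante's documented danted.conf format; the firewall rule name, the socks-proxy target tag, the network name and the instance connection name are assumed placeholders. The from: restriction in the Dante config is the part worth checking: without it, anything the firewall admits can relay through the VM.

```shell
#!/bin/sh
# Added example (not from the Cloud SQL docs or Dante): build the SOCKS5
# intermediary setup. Placeholder names: rule allow-socks5-PORT, tag socks-proxy.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address (each octet <= 255).
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  for octet in $1; do
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
  return 0
}

# Return 0 if $1 is a TCP port in 1-65535.
valid_port() {
  echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# danted.conf listening on ens4:PORT ($1) and relaying only for CLIENT_CIDR ($2).
# Both "client pass" and "socks pass" carry the from: restriction; omitting it
# turns the VM into an open relay for every source the firewall lets in.
dante_conf() {
  port=$1; client_cidr=$2
  valid_port "$port" || return 1
  cat <<EOF
logoutput: syslog
internal: ens4 port = $port
external: ens4
clientmethod: none
socksmethod: none
user.privileged: root
user.unprivileged: nobody
client pass {
    from: $client_cidr to: 0.0.0.0/0
    log: connect disconnect error
}
socks pass {
    from: $client_cidr to: 0.0.0.0/0
    command: connect
    log: connect disconnect error
}
EOF
}

# gcloud command opening PORT ($1) from CLIENT_CIDR ($2) on network $3, scoped
# to VMs carrying the socks-proxy tag rather than the whole network.
firewall_cmd() {
  port=$1; client_cidr=$2; network=$3
  valid_port "$port" || return 1
  echo "gcloud compute firewall-rules create allow-socks5-$port --network=$network --direction=INGRESS --allow=tcp:$port --source-ranges=$client_cidr --target-tags=socks-proxy"
}

# Client-side invocation. $1 is "yes" when the client is in a peered VPC
# (use the intermediary's internal IP $2), otherwise its external IP $3 is used;
# $4 is the SOCKS port and $5 the instance connection name.
proxy_cmd() {
  peered=$1; internal_ip=$2; external_ip=$3; port=$4; instance=$5
  if [ "$peered" = yes ]; then ip=$internal_ip; else ip=$external_ip; fi
  valid_ipv4 "$ip" || return 1
  valid_port "$port" || return 1
  echo "ALL_PROXY=socks5://$ip:$port cloud-sql-proxy $instance"
}

# Usage (constructed values): dante_conf 1080 10.0.0.0/8 > /etc/danted.conf
# eval "$(proxy_cmd no 10.0.1.5 198.51.100.1 1080 my-project:us-central1:my-instance)"
```

The generated firewall rule and the Dante from: range should carry the same CIDR; the firewall stops unwanted sources at the VPC edge, and the Dante rule is the second check if the firewall is later loosened.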
The performance of a SOCKS5 proxy is dependent on the available CPU and memory. For larger setups or where more applications will be using the proxy, you may need to deploy more instances of the SOCKS5 proxy.
Connect using the Cloud SQL Auth Proxy as a service
You can install and run the Cloud SQL Auth Proxy on your intermediate VPC instead of on your external client, and enable secure connections by pairing it with a protocol-aware proxy, also known as a connection pooler. Examples of connection poolers include PgBouncer or Pgpool-II (PostgreSQL only).
This connection method allows your applications to connect securely and directly to the pooler using configured SSL. The pooler passes database queries to your Cloud SQL instance through the Cloud SQL Auth Proxy.
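As an added example, not from the Cloud SQL documentation or the PgBouncer project, the script below generates a PgBouncer configuration for the setup just described: applications connect to PgBouncer over TLS, and PgBouncer forwards to the Cloud SQL Auth Proxy on the same VM. It assumes the Auth Proxy listens on 127.0.0.1:5432 (its PostgreSQL default), and the certificate, key, userlist paths and database name are placeholders. The check function shows the setting that decides whether the application-to-pooler hop is actually encrypted: only require, verify-ca or verify-full force TLS; disable, allow and prefer let a client fall back to plaintext across the VPC.

```shell
#!/bin/sh
# Added example (not from the Cloud SQL docs or PgBouncer): pgbouncer.ini that
# terminates client TLS and forwards to a local Cloud SQL Auth Proxy.
# Assumed: Auth Proxy on 127.0.0.1:5432; cert/key/userlist paths are placeholders.

# Emit pgbouncer.ini for database $1, listening on port $2, with
# client_tls_sslmode set to $3.
pgbouncer_ini() {
  dbname=$1; listen_port=$2; tls_mode=$3
  cat <<EOF
[databases]
$dbname = host=127.0.0.1 port=5432 dbname=$dbname

[pgbouncer]
listen_addr = 0.0.0.0
listen_port = $listen_port
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
pool_mode = transaction
max_client_conn = 500
default_pool_size = 20
; Application side: TLS terminated here, on the intermediate VM.
client_tls_sslmode = $tls_mode
client_tls_key_file = /etc/pgbouncer/server.key
client_tls_cert_file = /etc/pgbouncer/server.crt
client_tls_ca_file = /etc/pgbouncer/ca.crt
; Auth Proxy side: the loopback hop is plaintext by design; the Auth Proxy
; itself encrypts and authenticates the connection to Cloud SQL.
server_tls_sslmode = disable
EOF
}

# Read an ini on stdin and return 0 only if clients are forced onto TLS.
# "disable", "allow" and "prefer" all permit a plaintext session.
check_client_tls() {
  mode=$(grep -E '^client_tls_sslmode' | sed 's/.*= *//')
  case "$mode" in
    require|verify-ca|verify-full) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (constructed values):
#   pgbouncer_ini appdb 6432 require > /etc/pgbouncer/pgbouncer.ini
#   check_client_tls < /etc/pgbouncer/pgbouncer.ini || echo "client TLS not enforced"
```

Applications then point at the pooler's VPC address on the listen_port with sslmode=verify-full in their own connection string; the pooler's auth_type still requires each application to authenticate with a database user, so TLS on this hop protects confidentiality while the Auth Proxy handles IAM-backed authorization to the instance.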