About connection options

This page provides an overview of the ways in which you can connect to your Cloud SQL instance and describes the available authentication and authorization options.

Overview

When considering how to connect to your Cloud SQL instance, there are many choices to keep in mind, including:

  • Do you want your Cloud SQL instance to be accessible from the internet, or kept private within a Virtual Private Cloud (VPC) network, or make it both publicly and privately accessible?
  • Are you planning to write your own connection code, or connect using publicly available tools such as the Cloud SQL Auth proxy or a sqlcmd client?
  • Do you want to require encryption through SSL/TLS or allow unencrypted traffic?

In the following sections, we discuss the options Cloud SQL provides for connecting, authorizing, and authenticating to your database.

  • How to connect - which network path you use to reach your instance:
    • An internal, VPC-only (Private) IP address.
    • An external, internet-accessible (Public) IP address.
  • How to authorize - which connections are authorized and allowed to connect to your Cloud SQL instance:
    • Cloud SQL Auth proxy and Cloud SQL connector libraries for Java and Python - these provide access based on IAM.
    • Self-managed SSL/TLS certificates - these only allow connections based on specific public keys.
    • Authorized networks - a list of IP addresses allowed to connect.
  • How to authenticate - the method to login to your database.
    • Built-in database authentication - log in with a username/password set in the database engine.

Use the information that follows to decide which connection, authorization, and authentication options work best for you.

Before you start

Granting access to an application does not automatically enable a database user account to connect to the instance. Before you can connect to an instance, you must have a database user account you can connect with. For new instances, this means you must have configured the default user account. Learn more.

Connection options

Database connections consume resources on the server and the connecting application. Always use good connection management practices to minimize your application's footprint and reduce the likelihood of exceeding Cloud SQL connection limits. For more information, see Managing database connections.

Public and private IP

In Cloud SQL, public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC). Cloud SQL instances can have both a public and a private IP address.

Private IP

A private IP is an IPv4 address that's accessible on a Virtual Private Cloud (VPC).

You can use this address to connect from other resources with access to the VPC. Connections over private IP typically provide lower latency and limited attack vectors because they don't require traversing the internet. Optionally, you can require that all connections use either the Cloud SQL proxy or self-managed SSL certificates.

Configuring your instance with a private IP is preferred when connecting from a client on a resource with access to a VPC. For more information about what resources can use private IP, see Requirements for Private IP.

For private IP paths, the following services and applications connect directly to your instance through Serverless VPC Access:

  • App Engine standard environment
  • App Engine flexible environment
  • Cloud Functions
  • Cloud Run

Learn more about using private IP with Cloud SQL

For instructions on adding a private IP to your instance, see Configuring Private IP Connectivity.

Public IP

A public IP is an IPv4 address that's available externally on the public internet. This address can receive connections from devices both inside and outside of Google's network, including from locations like your home or office.

To help keep your instance secure, any connections to a Cloud SQL instance using a public IP must be authorized using either the Cloud SQL Auth proxy or authorized networks.

Configuring your instance with a public IP is best when connecting from a client that doesn't meet the requirements for a VPC.

For instructions about adding a public IP to your instance, see Configuring Public IP Connectivity.

For information about connecting a sqlcmd client to a Cloud SQL instance using public IP, see Connecting using a database client.

Authorization options

Cloud SQL Auth proxy

The Cloud SQL Auth proxy lets you authorize and secure your connections by using Identity and Access Management (IAM) permissions. The Cloud SQL Auth proxy validates connections using credentials for a user or service account and wrapping the connection in a SSL/TLS layer that's authorized for a Cloud SQL instance. For more details about how the Cloud SQL Auth proxy works, see About the Cloud SQL Auth proxy.

Using the Cloud SQL Auth proxy is the recommended method for authenticating connections to a Cloud SQL instance because it's the most secure method.

The Cloud SQL Auth proxy is an open source library distributed as an executable binary. The Cloud SQL Auth proxy acts as an intermediary server that listens for incoming connections, wraps them in SSL/TLS, and then passes them to a Cloud SQL instance.

Some environments provide a mechanism that connects using the Cloud SQL Auth proxy. For instructions about connecting using these environments, see one of the following:

Cloud SQL connector libraries for Java and Python

Cloud SQL offers client libraries that provide encryption and IAM-based authorization when connecting to a Cloud SQL instance by using Java and Python connectors.

You can use these libraries directly from the language environment. They provide the same authentication as the Cloud SQL Auth proxy without requiring an external process. To get started, see Connecting using the Cloud SQL Connectors.

Self-managed SSL/TLS certificates

Instead of using the Cloud SQL Auth proxy to encrypt your connections, it's possible to set up client/server SSL/TLS certificates that are specific to a Cloud SQL instance. These certificates are used to both validate the client and server to each other and encrypt connections between them.

It's strongly recommended to use self-managed SSL/TLS certificates to provide encryption when not using the Cloud SQL Auth proxy. Failing to do so means your data is being transmitted insecurely and might be intercepted or inspected by a third party.

To get started with self-managed SSL/TLS certificates, see Authorizing with SSL/TLS certificates.

Authorized networks

Unless using the Cloud SQL Auth proxy, connections to the public IP address of an instance are allowed only if the connection comes from an authorized network. Authorized networks are IP addresses or ranges that the user has specified as having permission to connect.

To get started with authorized networks, see Authorizing with Authorized Networks.

Authentication options

Authentication provides access control by verifying the identity of a user. For end users, authentication is achieved when the user enters credentials (a username and password). For applications, authentication is achieved when a user's credentials are assigned to a service account.

Cloud SQL uses the database's built-in authentication that authenticates using a username and password. For more information, see creating and managing SQL Server users.

Tools for connecting

The following table contains some options for connecting to Cloud SQL:

Connection option More information
Cloud SQL Auth proxy
gcloud
Cloud SQL language connectors
Cloud Shell
Connect using third-party database administration tools
SQL Server Management Studio
SMSS Object Explorer
Visual Studio

Code samples

You can connect to the Cloud SQL Auth proxy from any language that enables you to connect to a TCP socket. Below are some code snippets from complete examples on GitHub to help you understand how they work together in your application.

Connecting with TCP

Cloud SQL Auth proxy invocation statement:

./cloud_sql_proxy -instances=INSTANCE_CONNECTION_NAME=tcp:1433 &

Python

To see this snippet in the context of a web application, view the README on GitHub.

cloud-sql/sql-server/sqlalchemy/connect_tcp.py 
import os

import sqlalchemy


# connect_tcp_socket initializes a TCP connection pool
# for a Cloud SQL instance of SQL Server.
def connect_tcp_socket() -> sqlalchemy.engine.base.Engine:
    # Note: Saving credentials in environment variables is convenient, but not
    # secure - consider a more secure solution such as
    # Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
    # keep secrets safe.
    db_host = os.environ["INSTANCE_HOST"]  # e.g. '127.0.0.1' ('172.17.0.1' if deployed to GAE Flex)
    db_user = os.environ["DB_USER"]  # e.g. 'my-db-user'
    db_pass = os.environ["DB_PASS"]  # e.g. 'my-db-password'
    db_name = os.environ["DB_NAME"]  # e.g. 'my-database'
    db_port = os.environ["DB_PORT"]  # e.g. 1433

    driver_name = "mssql+pytds"
    query = {
        "driver": "ODBC Driver 17 for SQL Server"
    }
    pool = sqlalchemy.create_engine(
        # Equivalent URL:
        # <driver_name>://<db_user>:<db_pass>@<db_host>:<db_port>/<db_name>?driver=ODBC+Driver+17+for+SQL+Server
        sqlalchemy.engine.url.URL.create(
            drivername=driver_name,
            username=db_user,
            password=db_pass,
            database=db_name,
            host=db_host,
            port=db_port,
            query=query,
        ),
        # ...
    )

    return pool

Java

To see this snippet in the context of a web application, view the README on GitHub.

Note:

  • CLOUD_SQL_CONNECTION_NAME should be represented as <MY-PROJECT>:<INSTANCE-REGION>:<INSTANCE-NAME>
  • Using the argument ipTypes=PRIVATE will force the SocketFactory to connect with an instance's associated private IP
  • See the JDBC socket factory version requirements for the pom.xml file here .

cloud-sql/sqlserver/servlet/src/main/java/com/example/cloudsql/TcpConnectionPoolFactory.java 

import com.zaxxer.hikari.HikariConfig;
import com.zaxxer.hikari.HikariDataSource;
import javax.sql.DataSource;

public class TcpConnectionPoolFactory extends ConnectionPoolFactory {

  // Note: Saving credentials in environment variables is convenient, but not
  // secure - consider a more secure solution such as
  // Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
  // keep secrets safe.
  private static final String DB_USER = System.getenv("DB_USER");
  private static final String DB_PASS = System.getenv("DB_PASS");
  private static final String DB_NAME = System.getenv("DB_NAME");

  private static final String INSTANCE_HOST = System.getenv("INSTANCE_HOST");
  private static final String DB_PORT = System.getenv("DB_PORT");


  public static DataSource createConnectionPool() {
    // The configuration object specifies behaviors for the connection pool.
    HikariConfig config = new HikariConfig();

    // Configure which instance and what database user to connect with.
    config.setJdbcUrl(
        String.format("jdbc:sqlserver://%s:%s;databaseName=%s", INSTANCE_HOST, DB_PORT, DB_NAME));
    config.setUsername(DB_USER); // e.g. "root", "sqlserver"
    config.setPassword(DB_PASS); // e.g. "my-password"


    // ... Specify additional connection properties here.
    // ...

    // Initialize the connection pool using the configuration object.
    return new HikariDataSource(config);
  }
}

Node.js

To see this snippet in the context of a web application, view the README on GitHub.

cloud-sql/sqlserver/mssql/connect-tcp.js 
const mssql = require('mssql');

// createTcpPool initializes a TCP connection pool for a Cloud SQL
// instance of SQL Server.
const createTcpPool = async config => {
  // Note: Saving credentials in environment variables is convenient, but not
  // secure - consider a more secure solution such as
  // Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
  // keep secrets safe.
  const dbConfig = {
    server: process.env.INSTANCE_HOST, // e.g. '127.0.0.1'
    port: parseInt(process.env.DB_PORT), // e.g. 1433
    user: process.env.DB_USER, // e.g. 'my-db-user'
    password: process.env.DB_PASS, // e.g. 'my-db-password'
    database: process.env.DB_NAME, // e.g. 'my-database'
    options: {
      trustServerCertificate: true,
    },
    // ... Specify additional properties here.
    ...config,
  };
  return await mssql.connect(dbConfig);
};

Go

To see this snippet in the context of a web application, view the README on GitHub.

cloudsql/sqlserver/database-sql/connect_tcp.go 
package cloudsql

import (
	"database/sql"
	"fmt"
	"log"
	"os"
	"strings"

	_ "github.com/denisenkom/go-mssqldb"
)

// connectTCPSocket initializes a TCP connection pool for a Cloud SQL
// instance of SQL Server.
func connectTCPSocket() (*sql.DB, error) {
	mustGetenv := func(k string) string {
		v := os.Getenv(k)
		if v == "" {
			log.Fatalf("Warning: %s environment variable not set.", k)
		}
		return v
	}
	// Note: Saving credentials in environment variables is convenient, but not
	// secure - consider a more secure solution such as
	// Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
	// keep secrets safe.
	var (
		dbUser    = mustGetenv("DB_USER")       // e.g. 'my-db-user'
		dbPwd     = mustGetenv("DB_PASS")       // e.g. 'my-db-password'
		dbTCPHost = mustGetenv("INSTANCE_HOST") // e.g. '127.0.0.1' ('172.17.0.1' if deployed to GAE Flex)
		dbPort    = mustGetenv("DB_PORT")       // e.g. '1433'
		dbName    = mustGetenv("DB_NAME")       // e.g. 'my-database'
	)

	dbURI := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%s;database=%s;",
		dbTCPHost, dbUser, dbPwd, dbPort, dbName)


	// dbPool is the pool of database connections.
	dbPool, err := sql.Open("sqlserver", dbURI)
	if err != nil {
		return nil, fmt.Errorf("sql.Open: %v", err)
	}

	// ...

	return dbPool, nil
}

C#

To see this snippet in the context of a web application, view the README on GitHub.

cloud-sql/sql-server/ConnectTcp.cs 
using Microsoft.Data.SqlClient;
using System;

namespace CloudSql
{
    public class SqlServerTcp
    {
        public static SqlConnectionStringBuilder NewSqlServerTCPConnectionString()
        {
            // Equivalent connection string:
            // "User Id=<DB_USER>;Password=<DB_PASS>;Server=<INSTANCE_HOST>;Database=<DB_NAME>;"
            var connectionString = new SqlConnectionStringBuilder()
            {
                // Note: Saving credentials in environment variables is convenient, but not
                // secure - consider a more secure solution such as
                // Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
                // keep secrets safe.
                DataSource = Environment.GetEnvironmentVariable("INSTANCE_HOST"), // e.g. '127.0.0.1'
                // Set Host to 'cloudsql' when deploying to App Engine Flexible environment
                UserID = Environment.GetEnvironmentVariable("DB_USER"),         // e.g. 'my-db-user'
                Password = Environment.GetEnvironmentVariable("DB_PASS"),       // e.g. 'my-db-password'
                InitialCatalog = Environment.GetEnvironmentVariable("DB_NAME"), // e.g. 'my-database'

                // The Cloud SQL proxy provides encryption between the proxy and instance
                Encrypt = false,
            };
            connectionString.Pooling = true;
            // Specify additional properties here.
            return connectionString;
        }
    }
}

Ruby

To see this snippet in the context of a web application, view the README on GitHub.

cloud-sql/sqlserver/activerecord/config/database_tcp.yml 
tcp: &tcp
  adapter: sqlserver
  # Configure additional properties here.
  # Note: Saving credentials in environment variables is convenient, but not
  # secure - consider a more secure solution such as
  # Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
  # keep secrets safe.
  username: <%= ENV["DB_USER"] %>  # e.g. "my-database-user"
  password: <%= ENV["DB_PASS"] %> # e.g. "my-database-password"
  database: <%= ENV.fetch("DB_NAME") { "vote_development" } %>
  host: <%= ENV.fetch("INSTANCE_HOST") { "127.0.0.1" }%> # '172.17.0.1' if deployed to GAE Flex
  port: <%= ENV.fetch("DB_PORT") { 1433 }%>

PHP

To see this snippet in the context of a web application, view the README on GitHub.

cloud_sql/sqlserver/pdo/src/DatabaseTcp.php 
namespace Google\Cloud\Samples\CloudSQL\SQLServer;

use PDO;
use PDOException;
use RuntimeException;
use TypeError;

class DatabaseTcp
{
    public static function initTcpDatabaseConnection(): PDO
    {
        try {
            // Note: Saving credentials in environment variables is convenient, but not
            // secure - consider a more secure solution such as
            // Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
            // keep secrets safe.
            $username = getenv('DB_USER'); // e.g. 'your_db_user'
            $password = getenv('DB_PASS'); // e.g. 'your_db_password'
            $dbName = getenv('DB_NAME'); // e.g. 'your_db_name'
            $instanceHost = getenv('INSTANCE_HOST'); // e.g. '127.0.0.1' ('172.17.0.1' for GAE Flex)

            // Connect using TCP
            $dsn = sprintf(
                'sqlsrv:server=%s;Database=%s',
                $instanceHost,
                $dbName
            );

            // Connect to the database
            $conn = new PDO(
                $dsn,
                $username,
                $password,
                # ...
            );
        } catch (TypeError $e) {
            throw new RuntimeException(
                sprintf(
                    'Invalid or missing configuration! Make sure you have set ' .
                        '$username, $password, $dbName, and $instanceHost (for TCP mode). ' .
                        'The PHP error was %s',
                    $e->getMessage()
                ),
                $e->getCode(),
                $e
            );
        } catch (PDOException $e) {
            throw new RuntimeException(
                sprintf(
                    'Could not connect to the Cloud SQL Database. Check that ' .
                        'your username and password are correct, that the Cloud SQL ' .
                        'proxy is running, and that the database exists and is ready ' .
                        'for use. For more assistance, refer to %s. The PDO error was %s',
                    'https://cloud.google.com/sql/docs/sqlserver/connect-external-app',
                    $e->getMessage()
                ),
                (int) $e->getCode(),
                $e
            );
        }

        return $conn;
    }
}

Troubleshoot

If you're having problems connecting, check the following pages for help debugging or finding solutions to known issues:

What's next