2

Based on my current understanding, when I enable a service connection to my Cloud SQL instance in one of my revisions, the path /cloudsql/[instance name]/.s.PGSQL.5432 becomes populated. This is a UNIX socket connection.

Unfortunately, a 3rd party application I'm using doesn't support UNIX socket connections and as such I'm required to connect via TCP.

Does the Google Cloud SQL Proxy also configure any way I can connect to Cloud SQL via something like localhost:5432, or other equivalent? Some of the documentation I'm reading suggests that I have to do elaborate networking configuration with private IPs just to enable TCP based Cloud SQL for my Cloud Run revisions, but I feel like the Cloud Proxy is already capable of giving me a TCP connection instead of a UNIX socket.

What is the right and most minimal way forward here, obviously assuming I do not have the ability to modify the code I'm running?

I've also cross-posted this question to the Google Cloud SQL Proxy repo.

3
  • AFAIK your PostgreSQL client software can directly talk to Cloud SQL public IP whitelisted addresses and bypass the Cloud SQL Auth Proxy. The security risk is the SQL instance will be open to the Internet. Cloud Run does not have a static IP address. You can configure Cloud Run VPC egress through your VPC network with Cloud NAT to provide a fixed IP address for whitelisting. Another method is to use a Serverless VPC Access connector to Cloud SQL private IP. cloud.google.com/sql/docs/postgres/connect-run#private-ip Commented Apr 25, 2021 at 0:19
  • Yeah, so I'm aware of these instructions, but I find them very confusing in terms of what exactly is necessary and what's being done. There are lots of pieces that seem to need setup, but no real explanation as to what each is doing or what the overall topology is. Is there anywhere that explains it better than their documentation? Commented Apr 25, 2021 at 2:51
  • 1
    The simplest and probably the best solution is to improve the client to support Cloud Run. Otherwise, you will need to invest time to learn the more advanced configuration features of Google Cloud. Sometimes, there are no shortcuts. Commented Apr 25, 2021 at 17:14

1 Answer

4

The most secure and easiest way is to use the private IP. It's not so long or so hard; you have 3 steps:

  1. Create a serverless VPC connector. Create it in the same region as your Cloud Run service. Note the VPC Network that you use (by default it's "default").
  2. Add the serverless VPC Connector to the Cloud Run service. Route only the private IPs through this connector.
  3. Add a private connection to your Cloud SQL database. Attach it to the same VPC Network as your serverless VPC Connector.

The Cloud configuration is over. Now you have to get the Cloud SQL private IP of your instance and add it to the parameters of your Cloud Run service to open a connection to this IP.
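The three steps above written out as gcloud commands, as an added example that is not part of the original answer. The project, region, service, instance and connector names and both IP ranges are placeholders chosen for illustration; the script only prints the commands unless it is run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: placeholder values (assumptions), replace with your own.
set -eu
PROJECT="my-project"
REGION="us-central1"            # must match the Cloud Run service region
NETWORK="default"               # VPC shared by the connector and Cloud SQL
CONNECTOR="run-to-sql"
CONNECTOR_RANGE="10.8.0.0/28"   # an unused /28 inside the VPC
SERVICE="my-service"
INSTANCE="my-instance"
PEERING_RANGE="sql-private-range"

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

step1_connector() {   # 1. serverless VPC connector in the service's region
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project "$PROJECT" --region "$REGION" \
    --network "$NETWORK" --range "$CONNECTOR_RANGE"
}

step2_attach() {      # 2. attach it; only private ranges use the connector
  run gcloud run services update "$SERVICE" \
    --project "$PROJECT" --region "$REGION" \
    --vpc-connector "$CONNECTOR" --vpc-egress private-ranges-only
}

step3_private_ip() {  # 3. private connection for Cloud SQL on the same VPC
  run gcloud compute addresses create "$PEERING_RANGE" --project "$PROJECT" \
    --global --purpose VPC_PEERING --prefix-length 16 --network "$NETWORK"
  run gcloud services vpc-peerings connect --project "$PROJECT" \
    --service servicenetworking.googleapis.com \
    --ranges "$PEERING_RANGE" --network "$NETWORK"
  # --no-assign-ip also removes the public IP; this hardening is an
  # addition here, the answer itself does not require it.
  run gcloud sql instances patch "$INSTANCE" --project "$PROJECT" \
    --network "projects/$PROJECT/global/networks/$NETWORK" --no-assign-ip
}

show_private_ip() {   # the PRIVATE entry is the address the client dials
  run gcloud sql instances describe "$INSTANCE" --project "$PROJECT" \
    --format "json(ipAddresses)"
}

step1_connector; step2_attach; step3_private_ip; show_private_ip
```

The third-party client is then pointed at the PRIVATE address on port 5432, and the Cloud SQL connection on the Cloud Run revision can be dropped.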


3 Comments

How do I know which IP to use to connect to postgres? Also, do I need to still set up a CloudSQL Connection in my Cloud Run revisions?
You will see the private IP in the overview page of Cloud SQL after setting the private IP. And NO, you don't need to add the Cloud SQL connection in Cloud Run. It's useless, you will use direct IP connection, not through the UNIX socket
Hmm, I don't appear to be able to connect to the private IP that Cloud SQL is showing me. Is there any better way to inspect my environment or troubleshoot? It's very difficult to gain awareness of the topology around my Cloud Run environment and how my choices impact it. Also, how do I know what CIDR ranges to configure? It isn't quite so simple as the docs make it seem.
