0

GCP recommends Cloud SQL Proxy over Private IP connectivity https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#before_you_begin. If applications don't want to leverage Cloud SQL Proxy but choose Private IP connectivity, there are no recommendations, documentation or process to make Private IP connectivity secure or to build the necessary authentication.

What should applications do in addition to Private IP connectivity to make it equivalent to Cloud SQL Proxy?

Prakhyat
  • 989
  • 8
  • 17

1 Answer

0

The solution is not natively supported by Cloud Run. For this, you have to run the Cloud SQL proxy on your own in your container.

I don't know your language, but I performed a test in Go. Here is how to achieve that

Now you can reach your database through the private IP, something you can find in the official documentation here

To enforce the Cloud SQL proxy in private mode, I did this

  • Here is my dockerfile (standard from the Cloud Run documentation, I just customized the last lines)
# Use the official Golang image to create a build artifact.
# This is based on Debian and sets the GOPATH to /go.
# https://hub.docker.com/_/golang
FROM golang:1.13 as builder

# Create and change to the app directory.
WORKDIR /app

# Retrieve application dependencies using go modules.
# Allows container builds to reuse downloaded dependencies.
COPY go.* ./
RUN go mod download

# Copy local code to the container image.
COPY . ./

# Build the binary.
# -mod=readonly ensures immutable go.mod and go.sum in container builds.
RUN CGO_ENABLED=0 GOOS=linux go build -mod=readonly -v -o server

# Use the official Alpine image for a lean production container.
# https://hub.docker.com/_/alpine
# https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
#FROM google/cloud-sdk
#
FROM alpine:3
RUN apk add --no-cache ca-certificates
RUN wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O /cloud_sql_proxy && chmod +x /cloud_sql_proxy
# Copy the binary to the production image from the builder stage.
COPY --from=builder /app/server /server
COPY --from=builder /app/start.sh /start.sh
#RUN chmod +x /start.sh

# Run the web service on container startup.
CMD ["/start.sh"]
  • As you can see, I download the Cloud SQL proxy binary and I call a start.sh file. Here is its content
#!/bin/sh

# Start the Cloud SQL proxy in the background: private IP only, unix socket
# under /cloudsql (the socket for this instance ends up at /cloudsql/socket).
/cloud_sql_proxy -ip_address_types=PRIVATE --dir=/cloudsql -instances=gbl-imt-homerider-basguillaueb:us-central1:vertx=unix:socket &
# Give the proxy a moment to create the socket before the server starts.
/bin/sleep 1
/server

In this file, I start the Cloud SQL proxy in the background, wait 1 second (the Cloud SQL init time) and start my Go /server. I create a unix socket in /cloudsql/socket. Thanks to this, you have exactly the same type of connection as with the Cloud Run embedded Cloud SQL connector.

You can also start the Cloud SQL proxy in TCP mode.

Note: the Cloud SQL proxy documentation on GCP isn't up to date. Prefer the --help output for more details on the Cloud SQL proxy configuration

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • @guilaume Thanks. My concern is different, I don't want to use the Cloud SQL Proxy sidecar. I want to connect to Cloud SQL with a private IP. GCP mentions Cloud SQL Proxy is the recommended approach and is more secure and has more authentication features. I wanted to check how to build these capabilities but still using Private IP. – Prakhyat Jul 24 '20 at 11:03
  • So, stop just after my first 2 bullet points. Then, use the private IP of your database as the host value in your code and that's all – guillaume blaquiere Jul 24 '20 at 11:49
  • @guillaumeblaquiere, I have the same scenario where I have PrivateIP. I am very new to GCP and golang and am trying to do a simple test using https://cloud.google.com/sql/docs/sqlserver/connect-functions#go. I am running into Unable to open tcp connection with host '127.0.0.1:3306': dial tcp 127.0.0.1:3306: connect: connection refused. Could you share a working golang code snippet? Do I need to follow the 2 steps you mentioned above before running the function? – peacefulmember Jul 22 '21 at 15:54
  • I have changed the host value from local to the private IP. db.Ping itself times out. Connection string is "server=172.10.11.3;user id=sqlserver;password=mypwd;port=1433;database=mydatabase" – peacefulmember Jul 22 '21 at 16:12
  • Resolved. Anyone having the same issue - I just followed the 2 steps mentioned by @guillaumeblaquiere to create a VPC Connector and configured the Cloud Function - https://cloud.google.com/functions/docs/networking/connecting-vpc#configuring. In the function I used the PrivateIP as host and 1433 as port. – peacefulmember Jul 22 '21 at 17:26
  • Next question is how can I have the same function run from my local machine using the Functions Framework to connect to the Cloud SQL Private IP? Any insight is appreciated. – peacefulmember Jul 22 '21 at 17:28
  • Do you want to connect your private Cloud SQL instance to your workstation, where you run your function locally, right? – guillaume blaquiere Jul 22 '21 at 18:42
  • @guillaumeblaquiere - yes, so I can write/test a function to connect to Cloud SQL - SQL Server with PrivateIP from my local workstation, instead of writing in the console OR uploading the source every time to test the function. – peacefulmember Jul 22 '21 at 22:05
  • Because it's private, it's difficult.... I wrote an article on that: https://medium.com/google-cloud/cloud-sql-with-private-ip-only-the-good-the-bad-and-the-ugly-de4ac23ce98a – guillaume blaquiere Jul 23 '21 at 08:56