
I tried to run https://github.com/terraform-google-modules/terraform-google-sql-db/tree/v4.5.0/examples/mysql-private

It creates a SQL instance with both a private IP and a public IP. That's good. But when I try to connect to MySQL it says this:

Command from gcloud:

./cloud_sql_proxy -credential_file=mysql-service-account.json -instances=sample:example-mysql-private-fd7795e5=tcp:3306 -ip_address_types=PRIVATE &

mysql -u default -p -h 127.0.0.1 --port=3306 default

Issue: why does it connect to port 3307? How do I resolve this?

couldn't connect to "sample:example-mysql-private-fd7795e5": dial tcp 10.127.0.4:3307: connect: connection timed out.

Does the private VPC network have to have any changes for connecting to this?

But without the private IP it does connect and works, because it's going via the public IP. Why does the private IP still fail to connect?

Command that works:

./cloud_sql_proxy -credential_file=mysql-service-account.json -instances=sample:example-mysql-private-fd7795e5=tcp:3306 &

mysql -u default -p -h 127.0.0.1 --port=3306 default

This is my VPC config from main.tf:

# ------------------------------------------------------------------------------
# CREATE A RANDOM SUFFIX AND PREPARE RESOURCE NAMES
# ------------------------------------------------------------------------------

resource "random_id" "name" {
  byte_length = 2
}

locals {
  # If name_override is specified, use that - otherwise use the name_prefix with a random string
  instance_name        = var.name_override == null ? format("%s-%s", var.name_prefix, random_id.name.hex) : var.name_override
  private_network_name = "private-network-${random_id.name.hex}"
  private_ip_name      = "private-ip-${random_id.name.hex}"
}

# ------------------------------------------------------------------------------
# CREATE COMPUTE NETWORKS
# ------------------------------------------------------------------------------

# Simple network, auto-creates subnetworks
resource "google_compute_network" "private_network" {
  provider = google-beta
  name     = local.private_network_name
}

# Reserve global internal address range for the peering
resource "google_compute_global_address" "private_ip_address" {
  provider      = google-beta
  name          = local.private_ip_name
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.private_network.self_link
}

# Establish VPC network peering connection using the reserved address range
resource "google_service_networking_connection" "private_vpc_connection" {
  provider                = google-beta
  network                 = google_compute_network.private_network.self_link
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
}

Please help.

Satscreate

1 Answer

Cloud Shell isn't in your VPC, so you can't access your database through the private IP. You need to create a VM in your VPC (a bastion VM) to use the private IP and to open a tunnel to this VM. I wrote an article on this.

guillaume blaquiere
  • Hi @guillaume blaquiere, thanks for the clarification. It does create a private-network-d95b under VPC networks with 0 firewall rules. When I go to Compute Engine > Create instance > Networking and select private-network-d95b, it does not SSH into the VM. Why is that the behavior? – Satscreate Mar 04 '21 at 05:32
  • Do you have a public IP on your VM? What firewall rule do you have open on your VPC network? – guillaume blaquiere Mar 04 '21 at 07:47
  • Hi @guillaume blaquiere, I don't see any firewall rules in the private-network-d95b... I have attached my main.tf VPC config. Do I need to add any firewall rules there? I do have a public IP for the VM, yes. It looks like some firewall rules need to be enabled for VPC > private-network-d95b. Could you help me with how to add one in the main.tf file? – Satscreate Mar 04 '21 at 08:15
  • You need to open port 22 for your IP, or to open the IAP range `35.235.240.0/20` on port 22, to be able to reach the VM via SSH. – guillaume blaquiere Mar 04 '21 at 08:30
  • Hi @guillaume blaquiere, how do I do that from the Terraform scripts? Do I need to add a firewall for the networking, so that the rules get added to the VPC network and then a VM on the same network can work with SSH? – Satscreate Mar 04 '21 at 08:46
  • Are you looking for [this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall)? Otherwise, I didn't understand your latest comment. You also need to have plugged your Cloud SQL instance into the same VPC as the new one. – guillaume blaquiere Mar 04 '21 at 10:37
  • I think yes. Once I added this google_compute_firewall under the # CREATE COMPUTE NETWORKS entry, it was able to create a VPC with the firewall rules added, and I could select this network for the bastion VM and successfully SSH into it. At this moment I can actually connect to the SQL instance via the bastion VM using the Cloud SQL proxy. One more quick question: to access it from a Kubernetes cluster, is the same VPC principle applicable for connecting to the private IP SQL server? – Satscreate Mar 04 '21 at 11:29
  • Yes, with GKE you have your node pool in your VPC. From there, you can access the private IP of your Cloud SQL database. – guillaume blaquiere Mar 04 '21 at 12:57
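Added example, not code from the question or from the terraform-google-sql-db module: the firewall rule the comments describe, restricted to the IAP TCP-forwarding range rather than 0.0.0.0/0, plus a bastion VM with no external IP on the same private network the question's main.tf creates. It reuses `random_id.name` and `google_compute_network.private_network` from the question; the resource names, zone, machine type and image are assumptions.

```hcl
# Allow SSH only from Google's IAP TCP-forwarding range (35.235.240.0/20,
# as given in the comments) to instances tagged "bastion".
resource "google_compute_firewall" "allow_iap_ssh" {
  provider = google-beta
  name     = "allow-iap-ssh-${random_id.name.hex}"
  network  = google_compute_network.private_network.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["bastion"]
}

# Bastion VM inside the private network. Without an access_config block it
# gets no external IP, so it is reachable only through the IAP tunnel above.
resource "google_compute_instance" "bastion" {
  provider     = google-beta
  name         = "bastion-${random_id.name.hex}"
  machine_type = "e2-micro"       # assumption
  zone         = "us-central1-a"  # assumption
  tags         = ["bastion"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"  # assumption
    }
  }

  network_interface {
    network = google_compute_network.private_network.name
  }

  depends_on = [google_service_networking_connection.private_vpc_connection]
}
```

Once applied, `gcloud compute ssh bastion-<suffix> --zone us-central1-a --tunnel-through-iap` reaches the VM without a public IP, and the `cloud_sql_proxy ... -ip_address_types=PRIVATE` command from the question then works from inside that VM because it shares the VPC peered with Cloud SQL.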