
Is there a way to proxy/ port forward GCP Cloud SQL so that we can connect to it via the internet?

I don't want to do an SSH port forward via a Virtual Machine. Instead, I'm looking for a way such that we could connect to CloudSQL from a public IP of either a Virtual Machine or a Kubernetes service.

I don't want to connect directly from the public IP of the CloudSQL instance as it requires us to whitelist the user's IP address. We have also tried the Cloud SQL proxy but faced speed and performance issues.

Hence, now I'm looking for a solution to proxy the CloudSQL connection from a VM or Kubernetes service

I have tried using Stunnel to proxy the connection as described in this documentation.

output=/tmp/stunnel.log
CAfile=/tmp/mysql-server-ca.pem
client=yes
pid=/var/run/stunnel.pid
verifyChain=yes
sslVersion=TLSv1.2
[mysqls]
accept=0.0.0.0:3307
connect=private-ip:3306

But, I get an error while connecting to the MySQL server: ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104

Edit:

  1. Stunnel runs on a Virtual Machine on Google Cloud
  2. Stunnel connects to CloudSQL via Private IP (Both VM and CloudSQL share the same subnet)
  3. MySQL can be connected from the VM using the private IP

Stunnel Logs:

2022.09.22 10:53:17 LOG5[2]: Service [mysqls] accepted connection from 127.0.0.1:37014
2022.09.22 10:53:17 LOG5[2]: s_connect: connected <mysql-private-ip>:3306
2022.09.22 10:53:17 LOG5[2]: Service [mysqls] connected remote server from 10.128.0.53:53302
2022.09.22 10:53:17 LOG3[2]: SSL_connect: ../ssl/record/ssl3_record.c:331: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022.09.22 10:53:17 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Harsh Manvar
Kavya
  • 1) What are you running `stunnel` on? 2) What is the IP address that `stunnel` is using to connect to Cloud SQL? That address must be an RFC1918 address if you do not want to use whitelisting (authorized networks). 3) Can you connect to Cloud SQL's private IP using a MySQL client from the machine that `stunnel` is running on? 4) Edit your question with those details. – John Hanley Sep 22 '22 at 01:52
  • Updated the details – Kavya Sep 22 '22 at 06:20
  • The update helps remove some possible problems such as network setup. The error `Lost connection to MySQL server at 'reading initial communication packet'` indicates that stunnel is connecting to the wrong system (IP address) or the connection protocol is wrong. Do you have client SSL certificates enabled? The system that stunnel connected to did not respond as the MySQL client expected. Enable stunnel logging. What is the output? – John Hanley Sep 22 '22 at 07:14
  • We have not enforced the "Allow only SSL connections" constraint on the Cloud SQL database. Would that affect stunnel? – Kavya Sep 22 '22 at 08:09
  • The stunnel logs indicate that you are connecting with the wrong protocol. stunnel is connecting with SSL enabled and Cloud SQL does not have SSL enabled for that connection. The TLS protocol exchange failed. – John Hanley Sep 22 '22 at 11:10
  • You should also check the documents for detailed information on this https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine and https://cloud.google.com/sql/docs/mysql/configure-ip#add – Vaidehi Jamankar Sep 22 '22 at 13:01
  • @JohnHanley, if I enable SSL, it would affect the other resources using MySQL as well. So, is there a way I could still connect using stunnel? Or is there any other way I could connect to MySQL via the VM's external IP? Thanks – Kavya Sep 22 '22 at 13:12
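An added illustration of what the stunnel log above is showing (this is not part of the question or of any answer on the page, and the packets it builds are constructed samples, including the "8.0.30-example" version string). MySQL is a server-speaks-first protocol: the server's first bytes are a plaintext Handshake V10 greeting, and TLS is only negotiated afterwards, inside the MySQL protocol, when the client replies with an SSLRequest packet, which it may do only if the greeting advertised the CLIENT_SSL capability. An stunnel service with `client=yes` and no protocol-specific negotiation sends a TLS ClientHello immediately and then tries to read the greeting as a TLS record; the greeting's first three bytes are the packet length and two zero bytes, so OpenSSL's record parser reports "wrong version number", which is exactly the line in the log. The code parses such a greeting, shows what a TLS stack sees in its first bytes, and builds the SSLRequest a MySQL-aware client would send before starting TLS.

```python
"""
Why a TLS-first stunnel client cannot open a MySQL port.

All packets below are constructed samples; nothing is sent over a network.
"""
import struct

# Capability flag bits from the MySQL client/server protocol
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800          # server offers TLS after the greeting
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x80000


def _packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload: 3-byte little-endian length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def build_handshake_v10(server_version: str, capabilities: int, conn_id: int = 1234) -> bytes:
    """Constructed sample of the greeting a MySQL server sends first (sequence id 0)."""
    payload = bytes([10])                                   # protocol version 10
    payload += server_version.encode() + b"\x00"            # NUL-terminated version string
    payload += struct.pack("<I", conn_id)                   # connection id
    payload += b"A" * 8 + b"\x00"                           # auth-plugin-data part 1 + filler
    payload += struct.pack("<H", capabilities & 0xFFFF)     # capability flags, low 16 bits
    payload += bytes([0xFF])                                # character set (utf8mb4)
    payload += struct.pack("<H", 0x0002)                    # status flags (autocommit)
    payload += struct.pack("<H", capabilities >> 16)        # capability flags, high 16 bits
    payload += bytes([21])                                  # auth-plugin-data length (8 + 13)
    payload += b"\x00" * 10                                 # reserved
    payload += b"B" * 13                                    # auth-plugin-data part 2
    payload += b"caching_sha2_password\x00"                 # auth plugin name
    return _packet(0, payload)


def parse_handshake_v10(packet: bytes) -> dict:
    """Read the fields a TLS-capable client needs from the server greeting."""
    length = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length or payload[0] != 10:
        raise ValueError("not a MySQL Handshake V10 packet")
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                                        # skip conn id, auth data part 1, filler
    cap_low = struct.unpack_from("<H", payload, pos)[0]
    cap_high = struct.unpack_from("<H", payload, pos + 2 + 1 + 2)[0]  # after charset + status flags
    capabilities = (cap_high << 16) | cap_low
    return {
        "server_version": server_version,
        "connection_id": conn_id,
        "capabilities": capabilities,
        "supports_tls": bool(capabilities & CLIENT_SSL),
    }


def tls_record_header(data: bytes) -> tuple:
    """How a TLS stack reads the first bytes: (content type, version major, version minor)."""
    return (data[0], data[1], data[2])


def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS handshake record apart from a MySQL server greeting."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake-record"      # content type 22, version 3.x
    if len(data) >= 5 and data[3] == 0 and data[4] == 10:
        return "mysql-handshake-v10"       # sequence id 0, protocol version 10
    return "unknown"


def build_ssl_request(server_caps: int, max_packet: int = 16 * 1024 * 1024) -> bytes:
    """The packet a MySQL-aware client sends (sequence id 1) right before its TLS ClientHello."""
    if not server_caps & CLIENT_SSL:
        raise ValueError("server did not advertise CLIENT_SSL; TLS cannot be negotiated")
    caps = CLIENT_SSL | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    payload = struct.pack("<IIB", caps, max_packet, 0xFF) + b"\x00" * 23   # 32-byte SSLRequest
    return _packet(1, payload)


if __name__ == "__main__":
    base = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    plain = build_handshake_v10("8.0.30-example", base)          # constructed, no CLIENT_SSL
    print(classify_first_bytes(plain), parse_handshake_v10(plain))
    ct, major, minor = tls_record_header(plain)
    print(f"TLS view of the greeting: type=0x{ct:02x} version={major}.{minor} -> wrong version number")
    tls_ready = build_handshake_v10("8.0.30-example", base | CLIENT_SSL)
    print("SSLRequest:", build_ssl_request(parse_handshake_v10(tls_ready)["capabilities"]).hex())
```

The point for the configuration in the question: whether or not "Allow only SSL connections" is set on the instance, a proxy that starts TLS before reading the MySQL greeting will never get past the first packet on port 3306. A proxy that forwards plaintext (no `client=yes`) or a MySQL-aware proxy that reads the greeting and sends the SSLRequest before its ClientHello is what the port needs.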

1 Answer

To access Cloud SQL from a Compute Engine VM, try the following. You can use either the Cloud SQL Auth proxy (with public or private IP) or connect directly using a private IP address:

  • From the client machine or Compute Engine VM instance, use What's my IP to see the IP address of the client machine.
  • Copy that IP address. In the Google Cloud console, go to the Cloud SQL Instances page.
  • Go to Cloud SQL Instances
  • To open the Overview page of an instance, click the instance name. Select Connections from the SQL navigation menu.
  • In the Authorized networks section, click Add network and enter the IP address of the machine where the client is installed. Note: the IP address of the instance and the MySQL client IP address you authorize must be the same IP version, either IPv4 or IPv6.
  • Click Done. Then click Save at the bottom of the page to save your changes. Connect to your instance, either with SSL or without SSL.

To access a Cloud SQL instance from an application running in Google Kubernetes Engine, you can use either the Cloud SQL Auth proxy (with public or private IP), or connect directly using a private IP address. To connect to Cloud SQL you must have:

  • A GKE cluster, with the kubectl command-line tool installed and configured to communicate with the cluster. For help getting started with GKE, see the Quickstart.
  • Check the document for steps on how to configure without SSL
  • For Public IP-configured instances, a public-facing IPv4 address may be enabled, allowing users outside the GCP project and VPC network to connect to the instance.

Check the similar example here.

Harsh Manvar
Vaidehi Jamankar
  • I have gone through all the documentation for CloudSQL. I am looking for an alternate solution to port forward the MySQL connection from a VM. I don't want to use a cloud sql auth proxy or whitelist IP addresses. – Kavya Sep 27 '22 at 16:54