将静态 IP 云函数连接到 Cloud SQL

Question

There are several good answers available for both of these scenarios - but not combined.

1. I need to make a call to an external API via whitelisted static IP.
See: Associating Cloud Function egress with a static IP address
a) call the external API from the Cloud Function
b) route all egress from this Cloud Function through a VPC Connector on vpcnetwork-1 (IP address range = 10.8.10.0/28)
c) use a Cloud NAT that routes all traffic on vpcnetwork-1 through [STATIC IP] (whitelisted by external API)

2. Next, I need to take that API data and send it to a Cloud SQL instance (MySQL in this case).
See: Connecting to Cloud SQL from Cloud Functions
a) create a UNIX socketpath connection to [Cloud SQL Instance]

When I run with the VPC Connector (as shown above), I get:
1) SUCCESS! I've received the API data using my whitelisted IP address
2) CONNECTION REFUSED by [Cloud SQL Instance] - because I'm using a static external IP? Does socketpath use external, or connect within my Google Cloud Project?

If I remove the VPC Connector from my Cloud Function, then I get:
1) CONNECTION REFUSED - this IP is not whitelisted (because I'm no longer using the static IP)
2) SUCCESS! I'm now able to connect to [Cloud SQL Instance] (using UNIX socketpath, userid, password)

How can I get both of these to work from the same Cloud Function?

I see that I can "Route only requests to private IPs through the VPC connector" but I really want the opposite of that. I want to only route external requests to the VPC connector, to use my static IP, and then keep my private routing for connections within my GCP.

ADDED: I am using Javascript mysql to connect to Cloud SQL.

var pool = mysql.createPool({ socketPath: '/cloudsql/[instance_connection_name]',
                              user: uid,
                              password: pwd,
                              database: 'mysql_db' });
var result = pool.query(sql, {}, (err,result)=> {});

This works ok without using a VPC Connector. When I use a VPC Connector with a static external IP address, this connection is refused. Is it because the VPC Connector and Cloud SQL instance are not on the same VPC? I don't think Cloud SQL is linked to a VPC, is it?

Answer 1

The Cloud SQL Instance Overview dashboard lists both [Public IP Address] and [Instance Connection Name]

For a standard Cloud Functions connection, I use:

socketpath:[Instance Connection Name]
user: uid
password: pwd
database: 'mysql_db'

When using a VPC Connector, I use

host:[Private (or Public) IP Address]
user: uid
password: pwd
database: 'mysql_db'

Summary:

[Cloud Function] -> socketpath:[Instance Connection Name] => **SUCCESS**
[Cloud Function] -> host:[Public IP Address] => **FAIL** (Timeout - IP Not Allowed)

Private VPC Connections:
[Cloud Function] -> [VPC Connector] -> socketpath:[Instance Connection Name] => **FAIL** (Connection Refused)
[Cloud Function] -> [VPC Connector] -> host:[Private IP Address] => **SUCCESS** (Set up Private IP in GCP->SQL->Connections)

Public VPC Connection:
[Cloud Function] -> [VPC Connector] -> host:[Public IP Address] => **SUCCESS** (Only after allowing/whitelisting IP of the VPC Connector routed through Cloud NAT)

Google Cloud CLI instructions for Private IP setup:
CONNECTING FROM GOOGLE CLOUD FUNCTIONS TO CLOUD SQL USING TCP AND UNIX DOMAIN SOCKETS 2020