如何使用 Auth Proxy 和 Python 连接到 AlloyDB？

Question

I am trying to connect to the AlloyDB in google cloud via alloydb-auth-proxy. I am not able to connect to it successfully. I am getting error while trying to do this.

I followed the instruction mentioned inhttps://cloud.google.com/alloydb/docs/auth-proxy/connect#python and https://github.com/GoogleCloudPlatform/alloydb-auth-proxy#example-invocations

I am using FastAPI in the backend and using sqlalchemy.

SQLALCHEMY_DATABASE_URL = "postgresql+psycopg2://<user>:<password>@\
localhost/postgres"

engine = create_engine(SQLALCHEMY_DATABASE_URL)

SesionLocal = sessionmaker(bind=engine, autocommit=False, autoflush=True)

I start the auth proxy using the credentials

alloydb-auth-proxy "projects/<project-id>/locations/<region>/clusters/<database-id>/instances/<instance-id>" --credentials-file "key.json"

I am leaving the address and port as default ie address to 127.0.0.1 and port 5432 .

The proxy starts

[projects/<project-id>/locations/<region>/clusters/<database-id>/instances/<instance-id>] Listening on 127.0.0.1:5432
The proxy has started successfully and is ready for new connections!

But when I run the app it's getting me an error in console-

sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) connection to server at "localhost" (::1), port 5432 failed: Connection refused (0x0000274D/10061)
        Is the server running on that host and accepting TCP/IP connections?
connection to server at "localhost" (127.0.0.1), port 5432 failed: server closed the connection unexpectedly    
        This probably means the server terminated abnormally
        before or while processing the request.

and in proxy cmd

[projects/<project-id>/locations/<region>/clusters/<database-id>/instances/<instance-id>] failed to connect to instance: Dial error: failed to dial (instance URI = "<project-id>/<region-id>/
<database-id>/<instance-id>"): dial tcp xx.xx.xx.x:5433: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

What's happening here?

Answer 1

AlloyDB currently only has the option to connect to it by Private IP. This means that your local machine will be unable to reach the cluster regardless of your connectivity methods (auth proxy, Python connector, direct connection, etc).

To connect you either need to be connecting from within the same network (VPC) as the AlloyDB cluster, or you'll need to set up something like a bastion instance which has a public entry point that shares the network with the AlloyDB cluster.

To test this, easiest way is to spin up the smallest GCE instance you can on the same VPC as the AlloyDB cluster. Then SSH into that instance, and use the psql client to confirm you can connect to the AlloyDB instance. Once you confirm that, for development you either need to push your application to that GCE instance to be able to connect, or set up some connectivity between you and the GCE instance.

There are a few ways to do that, I'd recommend locking down the GCE instance as hard as you can and reverse SSH tunnel to the instance from your local machine. Or set up a VPN (Cloud VPN is an option, but fairly expensive, so running your own VPN service on the GCE instance is an option, just more overhead and maintenance). You can also set up something like a Socks5 proxy on the bastion instance to do forwarding from there to your AlloyDB cluster and that would also work.