
Confusion Around Creating a VPC Access Connector

I am trying to set up Serverless VPC access

Serverless VPC Access enables you to connect from your Cloud Functions directly to Compute Engine VM instances, Memorystore instances, Cloud SQL instances,

Sounds great. But the documentation is not super friendly to a beginner. Step 2 is to create a connector, about which I have a couple of questions:

In the Network field, select the VPC network to connect to.

My dropdown here contains only "Default". Is this normal? What should I expect to see here?

In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.

I don't know what to do here. I tried using the information in the linked document to, first, enter an IP from the region I had selected, and, second, enter an IP from outside that region. Both resulted in connectors that were created with the error "Connector is in a bad state, manual deletion is recommended".

The documentation continues with a couple of troubleshooting steps if the creation fails:

Specify an IP range that does not overlap with any existing IP address reservations in the VPC network.

I don't know what this means. Maybe like, if I have other connectors I should be sure the IP range for the new one doesn't overlap with those. That's just a guess, but anyway I have none.

Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. See Setting image access constraints for information on how to update your organization policy accordingly.

This leads me to another document about updating my organization's "Image Policy". This one has me so out of my depth, I don't even think I should be here.

This has all started with just wanting to connect to a SQL Server instance from Firebase. Creating the VPC connector seems like a good step, but I've just fallen at every hurdle. Can a cloud-dweller please help me with a few of these points of confusion?

I think you've resolved the issue but I will write an answer to summarize all the steps for future reference.

1. Create a Serverless VPC Access

I think the best reference is to follow the steps in this doc. In step 7, it says the following:

In the IP range field, enter an unreserved CIDR /28 IP range.

The IP you can use is, for example, 10.8.0.0/28 or even 10.64.0.0/28, with the condition that it is not in use for any other network. You can check which IPs are in use by going to VPC Network > VPC networks. In the Network field you will have the "default" option, so it's okay.

This can take some minutes, so in the meantime you can create your SQL Server/MySQL/PostgreSQL instance.

2. Creating a CloudSQL instance

Create your desired instance (MySQL / PostgreSQL / SQL Server). In your case it will be a SQL Server instance. Also check these steps to configure the Private IP for your instance at creation time, or if you have already created an instance you can check this. Take note of the Private IP as you will use it later.

3. Create a Cloud function

Before creating your Cloud Function, you have to grant permission to the CF service account to use the VPC. Please follow these steps.

Then follow these steps to configure the connector of your function to use the VPC. In step 5 it says the following:

In the VPC connector field, enter the fully-qualified name of your connector in the following format:

 projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME

It is not necessary to add your VPC with this format. There is already a list where you can choose your VPC. Finally deploy your function.

I wrote a little function to test the connection. I would prefer to use Python but it needs more system dependencies than NodeJS.

index.js:

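var express = require('express');
var app = express();
var sql = require("mssql");

exports.helloWorld = (req, res) => {
    // Placeholder values: in a real deployment load the credentials from
    // environment variables or a secret store instead of hard-coding them.
    var config = {
        user: 'sqlserver',
        password: 'password',
        server: 'Your.SQL.Private.IP', // the Private IP noted in step 2
        database: 'dbname'
    };

    // connect to your database
    sql.connect(config, function (err) {
        if (err) {
            // log the details server-side, return a generic error, and stop:
            // without a connection the query below cannot run
            console.log(err);
            return res.status(500).send('Database connection failed');
        }

        // create Request object
        var request = new sql.Request();

        // query to the database and get the records
        request.query('select * from a_table', function (err, recordset) {
            if (err) {
                console.log(err);
                return res.status(500).send('Query failed');
            }

            // send records as a response
            res.send(recordset);
        });
    });
};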

package.json:

{
  "name": "sample-http",
  "version": "0.0.1",
  "dependencies": {
    "express": "4.17.1",
    "mssql": "6.0.1"
  }
}

And that's all! :D

It's important to mention that this procedure is more about connecting Cloud Functions to SQL Server as there is already an easier way to connect CF to PostgreSQL and MySQL.
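The "unused /28 that does not overlap" condition from step 1, as an added example that is not part of the original answer: it checks a candidate connector range against the ranges already in use in the VPC. The function names and the `inUse` list are hypothetical; the list is constructed sample data standing in for what VPC Network > VPC networks shows.

```javascript
// Parse "a.b.c.d/n" into numeric start/end addresses (IPv4 only).
function parseCidr(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error('not an IPv4 CIDR: ' + cidr);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) {
    throw new Error('value out of range: ' + cidr);
  }
  const addr = octets.reduce((acc, o) => acc * 256 + o, 0);
  const size = 2 ** (32 - prefix);
  // A range such as 10.8.0.5/28 is not a network address and is rejected.
  if (addr % size !== 0) throw new Error('host bits set: ' + cidr);
  return { cidr, prefix, start: addr, end: addr + size - 1 };
}

// Hypothetical helper: is `candidate` a /28 that overlaps nothing in `existing`?
function checkConnectorRange(candidate, existing) {
  const c = parseCidr(candidate);
  if (c.prefix !== 28) {
    return { ok: false, reason: 'connector range must be a /28', conflicts: [] };
  }
  // Two ranges overlap when each one starts before the other ends.
  const conflicts = existing
    .map(parseCidr)
    .filter((e) => c.start <= e.end && e.start <= c.end)
    .map((e) => e.cidr);
  return {
    ok: conflicts.length === 0,
    reason: conflicts.length ? 'overlaps a range already in use' : 'unused',
    conflicts,
  };
}

// Constructed sample: two regional subnets and one existing connector range.
const inUse = ['10.128.0.0/20', '10.132.0.0/20', '10.8.0.0/28'];

for (const candidate of ['10.64.0.0/28', '10.128.0.16/28', '10.8.0.0/28', '10.8.0.16/28']) {
  console.log(candidate, JSON.stringify(checkConnectorRange(candidate, inUse)));
}
```

A candidate carved out of a subnet's range is reported as a conflict, while a /28 taken from address space that nothing else uses passes.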

I discovered that there exists a hard limit on how many IPs you can use for such connectors. You can increase the quota or you can switch to another region.
