
Cannot connect to Cloud SQL from Cloud Run after enabling private IP and turning off public IP

I have a PostgreSQL Cloud SQL instance which I am connecting to via UNIX socket and the instance name from a Cloud Run container as per the documentation. With a public IP, this connection works fine. I was looking to turn off the public IP and only have a private IP, so I would not be charged for the public IP going forward.

When I first created the Cloud SQL instance, I only enabled the public IP. A couple of days later I enabled the private IP. For the associated network for the private IP, I accepted the default as the Cloud Run instance is in the same project.

When I turn off the public IP, my application can no longer connect to the Cloud SQL instance. I get a connection refused error:

sqlalchemy.exc.InterfaceError: (pg8000.core.InterfaceError) ('communication error', ConnectionRefusedError(111, 'Connection refused'))

As stated above, I did follow the instructions on the Connecting to Cloud SQL from Cloud Run page:

https://cloud.google.com/sql/docs/postgres/connect-run

I even ran the gcloud command to update the existing deployed revision after turning off the public IP and only having the private IP available, but it made no difference.

Is a public IP required for a connection from Cloud Run to Cloud SQL? I do not see that in the connection documentation page. Or is there something else I missed when trying to switch over to only having a private IP? Or do I need to create a new Cloud SQL instance without a public IP and go through the instructions for connecting Cloud Run via an instance name again?

Is a public IP required for a connection from Cloud Run to Cloud SQL? I do not see that in the connection documentation page.

On the Connecting to Cloud SQL from Cloud Run page, it says "Note: These instructions require your Cloud SQL instance to have a public IP address configured."

Private IP access is access from a Virtual Private Cloud (VPC). In order to access your instance through a VPC, the resource you are connecting to needs to be a part of the VPC. Cloud Run doesn't currently support VPC access, so you'll need to have a public IP for now.

TL;DR: Open a case with Google support

Your case is interesting because, by design, I think it's not yet supported.

In fact, when you create a Cloud SQL database with a private IP, a network peering is done between your VPC and the Cloud SQL VPC (or something equivalent).

In addition, today, it's not possible to plug your Cloud Run instance into your VPC. With Cloud Functions and App Engine, you have a serverless VPC connector, and not yet with Cloud Run (it's coming!).

The serverless VPC connector performs the same thing as the Cloud SQL private IP, I mean a peering between your VPC and the Cloud Functions (or App Engine) VPC (or something equivalent).

And even if the serverless VPC connector is available on Cloud Run, it's not certain that it works because of network peering transitivity. In short, if you have a peering between VPC A -> VPC B and between VPC B -> VPC C, you can't reach VPC C from VPC A by performing a hop in VPC B. Replace A by the VPC of Cloud Run, B by the VPC of your project, and C by the VPC of Cloud SQL.

Only directly peered networks can communicate. Transitive peering is not supported. In other words, if VPC network N1 is peered with N2 and N3, but N2 and N3 are not directly connected, VPC network N2 cannot communicate with VPC network N3 over VPC Network Peering.

I didn't check with App Engine or Cloud Functions, but this design shouldn't work.

But I'm not sure, that's why a case with Google support will allow you to have a clear answer and maybe inputs on the roadmap. Any valuable information from Google Support is welcome here!
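Both answers come down to one fact: the documented Unix-socket method (`/cloudsql/PROJECT:REGION:INSTANCE`) needs the instance to keep a public IP. As an added example, not code from the question or either answer, here is a pre-flight check over the JSON that `gcloud sql instances describe --format=json` prints, so you can see before flipping the switch whether the socket method will still work and whether a public IP you are forced to keep at least enforces SSL. The sample documents below are constructed with placeholder project and instance names and only carry the fields the check reads (`connectionName`, `ipAddresses[].type`, `settings.ipConfiguration`).

```python
import json
from typing import Any, Dict

# Constructed sample: private IP only, as in the question after the public IP was turned off.
SAMPLE_PRIVATE_ONLY = json.dumps({
    "connectionName": "my-project:us-central1:my-instance",
    "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.0.0.3"}],
    "settings": {"ipConfiguration": {"ipv4Enabled": False, "requireSsl": False,
                                     "privateNetwork": "projects/my-project/global/networks/default"}},
})
# Constructed sample: public IP kept and SSL enforced.
SAMPLE_PUBLIC_SSL = json.dumps({
    "connectionName": "my-project:us-central1:my-instance",
    "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"}],
    "settings": {"ipConfiguration": {"ipv4Enabled": True, "requireSsl": True}},
})


def assess_cloud_run_connectivity(describe_json: str) -> Dict[str, Any]:
    """Report whether the Cloud Run -> Cloud SQL Unix-socket method is usable.

    Per the docs note quoted in the thread, the /cloudsql/<connectionName> socket
    path needs a public (PRIMARY) IP; a private-only instance yields
    'Connection refused' from the application's driver.
    """
    inst = json.loads(describe_json)
    ip_types = {ip.get("type") for ip in inst.get("ipAddresses", [])}
    ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
    has_public = "PRIMARY" in ip_types or bool(ip_cfg.get("ipv4Enabled"))
    has_private = "PRIVATE" in ip_types or bool(ip_cfg.get("privateNetwork"))
    conn_name = inst.get("connectionName", "")
    findings = []
    if not conn_name:
        findings.append("missing connectionName; cannot build the /cloudsql socket path")
    if has_private and not has_public:
        findings.append("private IP only: the Cloud Run Unix-socket method needs a public IP; "
                        "expect ECONNREFUSED until the public IP is re-enabled")
    if has_public and not ip_cfg.get("requireSsl"):
        findings.append("public IP exposed without requireSsl; enforce SSL on the instance")
    return {
        "socket_path": f"/cloudsql/{conn_name}" if conn_name else None,
        "public_ip": has_public,
        "private_ip": has_private,
        "require_ssl": bool(ip_cfg.get("requireSsl")),
        "unix_socket_method_ok": has_public,
        "findings": findings,
    }
```

Run it against the real describe output before removing the public IP; an empty `findings` list with `unix_socket_method_ok` true means the socket path the Cloud Run revision mounts will keep working.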
