
Making GCP Cloud SQL With Private IP Connectivity Equivalent of Cloud SQL Proxy

GCP recommends Cloud SQL Proxy over Private IP connectivity (https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#before_you_begin). If applications don't want to leverage Cloud SQL Proxy but choose Private IP connectivity instead, there are no recommendations, documentation or process to make Private IP connectivity secure or to build the necessary authentication.

What should applications do in addition to Private IP connectivity to make it equivalent to Cloud SQL Proxy?

The solution is not natively supported by Cloud Run. For this, you have to run the Cloud SQL proxy on your own in your container.

I don't know your language, but I performed a test in Go. Here is how to achieve that.

Now you can reach your database through the private IP; you can find this in the official documentation here.

To enforce the Cloud SQL proxy in private mode, I did this:

  • Here is my Dockerfile (standard from the Cloud Run documentation, I just customized the last lines)
# Use the official Golang image to create a build artifact.
# This is based on Debian and sets the GOPATH to /go.
# https://hub.docker.com/_/golang
FROM golang:1.13 as builder

# Create and change to the app directory.
WORKDIR /app

# Retrieve application dependencies using go modules.
# Allows container builds to reuse downloaded dependencies.
COPY go.* ./
RUN go mod download

# Copy local code to the container image.
COPY . ./

# Build the binary.
# -mod=readonly ensures immutable go.mod and go.sum in container builds.
RUN CGO_ENABLED=0 GOOS=linux go build -mod=readonly -v -o server

# Use the official Alpine image for a lean production container.
# https://hub.docker.com/_/alpine
# https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
#FROM google/cloud-sdk
#
FROM alpine:3
RUN apk add --no-cache ca-certificates
RUN wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O /cloud_sql_proxy && chmod +x /cloud_sql_proxy
# Copy the binary to the production image from the builder stage.
COPY --from=builder /app/server /server
COPY --from=builder /app/start.sh /start.sh
#RUN chmod +x /start.sh

# Run the web service on container startup.
CMD ["/start.sh"]
  • As you can see, I download the Cloud SQL proxy binary and I call a start.sh file. Here is its content:
#!/bin/sh

# Start the Cloud SQL proxy in the background, forcing the instance's private IP
# and exposing the instance as the unix socket /cloudsql/socket.
/cloud_sql_proxy -ip_address_types=PRIVATE --dir=/cloudsql -instances=gbl-imt-homerider-basguillaueb:us-central1:vertx=unix:socket &
# Give the proxy time to initialize before the application opens connections.
/bin/sleep 1
# Start the Go web server built in the Dockerfile.
/server

In this file, I start the Cloud SQL proxy in the background, wait 1 second (the Cloud SQL proxy init time) and start my Go /server. I create a unix socket in /cloudsql/socket. Thanks to this, you have exactly the same type of connection as with the Cloud Run embedded Cloud SQL connector.

You can also start the Cloud SQL proxy in TCP mode.

Note: the Cloud SQL proxy documentation on GCP isn't up to date. Prefer --help for more details on the Cloud SQL proxy configuration.
