
How to port forward/proxy Cloud SQL connection to access from the internet?

Is there a way to proxy/port forward GCP Cloud SQL so that we can connect to it via the internet?

I don't want to do an SSH port forward via a Virtual Machine. Instead, I'm looking for a way such that we could connect to CloudSQL from a public IP of either a Virtual Machine or a Kubernetes service.

I don't want to connect directly from the public IP of the CloudSQL instance as it requires us to whitelist the user's IP address. We have also tried the Cloud SQL proxy but faced speed and performance issues.

Hence, now I'm looking for a solution to proxy the CloudSQL connection from a VM or Kubernetes service.

I have tried using Stunnel to proxy the connection as described in this documentation.

output=/tmp/stunnel.log
CAfile=/tmp/mysql-server-ca.pem
client=yes
pid=/var/run/stunnel.pid
verifyChain=yes
sslVersion=TLSv1.2
[mysqls]
accept=0.0.0.0:3307
connect=private-ip:3306

But, I get an error while connecting to the MySQL server: ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104

Edit:

  1. Stunnel runs on a Virtual Machine on Google Cloud
  2. Stunnel connects to CloudSQL via Private IP (Both VM and CloudSQL share the same subnet)
  3. MySQL can be connected from the VM using the private IP

Stunnel Logs:

2022.09.22 10:53:17 LOG5[2]: Service [mysqls] accepted connection from 127.0.0.1:37014
2022.09.22 10:53:17 LOG5[2]: s_connect: connected <mysql-private-ip>:3306
2022.09.22 10:53:17 LOG5[2]: Service [mysqls] connected remote server from 10.128.0.53:53302
2022.09.22 10:53:17 LOG3[2]: SSL_connect: ../ssl/record/ssl3_record.c:331: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022.09.22 10:53:17 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
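
Added example, not part of the original question or of stunnel: a MySQL server sends a plaintext greeting first and negotiates TLS inside its own protocol, so a generic TLS client reading that greeting as a TLS record header fails with `wrong version number`, as in the log above. The function names and sample bytes below are constructed for illustration; the classifier tells a TLS record apart from a MySQL greeting and reports whether the server advertises the in-protocol TLS upgrade.

```python
import struct

TLS_RECORD_TYPES = {20, 21, 22, 23}   # change_cipher_spec, alert, handshake, app data
CLIENT_SSL = 0x0800                   # MySQL capability flag: server supports TLS upgrade

def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a backend sends right after the TCP connect."""
    if len(data) < 5:
        return {"kind": "unknown", "reason": "fewer than 5 bytes"}
    # TLS record header: type (1) | version major, minor (2) | length (2, big-endian)
    rtype, major, minor = data[0], data[1], data[2]
    if rtype in TLS_RECORD_TYPES and major == 3 and minor <= 4:
        return {"kind": "tls", "record_type": rtype}
    # MySQL packet header: payload length (3, little-endian) | sequence id (1)
    seq_id, payload = data[3], data[4:]
    end = payload.find(b"\x00", 1)    # server version string is NUL-terminated
    if seq_id == 0 and payload[:1] == b"\x0a" and end != -1:
        result = {"kind": "mysql-greeting",
                  "server_version": payload[1:end].decode("ascii", "replace"),
                  # what a TLS client sees when it parses these bytes as a record header
                  "as_tls_header": {"type": rtype, "version": (major, minor)}}
        # thread id (4) + auth data part 1 (8) + filler (1) precede the lower capability flags
        caps_at = end + 1 + 13
        if len(payload) >= caps_at + 2:
            caps = struct.unpack_from("<H", payload, caps_at)[0]
            result["offers_in_protocol_tls"] = bool(caps & CLIENT_SSL)
        return result
    return {"kind": "unknown", "reason": "neither a TLS record nor a MySQL greeting"}

def build_sample_greeting(caps: int = 0xF7FF | CLIENT_SSL) -> bytes:
    """Constructed MySQL protocol-10 greeting, truncated after the capability flags."""
    payload = (b"\x0a" + b"8.0.0-example\x00" + struct.pack("<I", 42)
               + b"ABCDEFGH" + b"\x00" + struct.pack("<H", caps))
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

# Constructed first bytes of a TLS 1.2 handshake record, for comparison
SAMPLE_TLS = bytes.fromhex("160303007a0200")

if __name__ == "__main__":
    print(classify_first_bytes(build_sample_greeting()))
    print(classify_first_bytes(SAMPLE_TLS))
```
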

To access Cloud SQL from a Compute Engine VM, try the following: you can use either the Cloud SQL Auth proxy (with public or private IP), or connect directly using a private IP address.

  • From the client machine or Compute Engine VM instance, use What's my IP to see the IP address of the client machine.
  • Copy that IP address. In the Google Cloud console, go to the Cloud SQL Instances page.
  • Go to Cloud SQL Instances
  • To open the Overview page of an instance, click the instance name. Select Connections from the SQL navigation menu.
  • In the Authorized networks section, click Add network and enter the IP address of the machine where the client is installed. Note: The IP address of the instance and the MySQL client IP address you authorize must be the same IP version: either IPv4 or IPv6
  • Click Done. Then click Save at the bottom of the page to save your changes. Connect to your instance, either with SSL or without SSL.

To access a Cloud SQL instance from an application running in Google Kubernetes Engine, you can use either the Cloud SQL Auth proxy (with public or private IP), or connect directly using a private IP address. To connect to Cloud SQL you must have:

  • A GKE cluster, with the kubectl command-line tool installed and configured to communicate with the cluster. For help getting started with GKE, see the Quickstart.
  • Check the document for steps on how to configure without SSL.
  • For Public IP-configured instances, a public-facing IPv4 address may be enabled, allowing users outside the GCP project and VPC network to connect to the instance.

Check the similar example here.
