Connect to Cloud SQL for MySQL from App Engine standard environment

MySQL  |  PostgreSQL  |  SQL Server

Learn how to deploy a sample app onApp Engine standard environmentconnected to a MySQL instance by using the Google Cloud console and a clientapplication.

Assuming that you complete all the steps in a timely manner, the resourcescreated in this quickstart typically cost less than one dollar (USD).

Before you begin

Note:The name you use for your project must be between 4 and 30 characters. When youtype the name, the form suggests a project ID, which you can edit. Theproject ID must be between 6 and 30 characters, with a lowercase letteras the first character. You can use a dash, lowercase letter, or digit for theremaining characters, but the last character cannot be a dash.
  1. Enable the Cloud APIs necessary to run a Cloud SQL sample app on App Engine standard environment.

    Console

    Click the button below to enable the APIs required for this quickstart.

    Enable APIs

    This enables the following APIs:

    • Cloud SQL Admin API
    • Compute Engine API
    • Cloud Build API
    • Cloud Logging API

    gcloud

    Click the following button to open Cloud Shell, which provides command-line access to your Google Cloud resources directly from the browser. Cloud Shell can be used to run thegcloud commands presented throughout this quickstart.

    Open Cloud Shell

    Run the followinggcloud command using Cloud Shell:

    gcloudservicesenablesqladmin.googleapis.comcompute.googleapis.com\cloudbuild.googleapis.comlogging.googleapis.com

    This command enables the following APIs:

    • Cloud SQL Admin API
    • Compute Engine API
    • Cloud Build API
    • Cloud Logging API

Set up Cloud SQL

Create a Cloud SQL instance

Public IP

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. ClickCreate instance.
  3. ClickChoose MySQL.
  4. Make sure thatEnterprise Plus is selected as the Cloud SQL edition for your instance.
  5. In theInstance ID field, enterquickstart-instance.
  6. In thePassword field, enter a password for the root user. Save this password for future use.
  7. In theChoose region and zonal availability section, selectSingle zone.
  8. Click theShow configuration options menu.
  9. Expand theMachine configuration node.
  10. From theMachine shapes region, select the4 vCPU, 32 GB shape.
  11. ClickCreate instance and then wait until the instance initializes and starts.

gcloud

Before running the command as follows, replaceDB_ROOT_PASSWORD with the password of your database user.

Optionally, modify the values for the following parameters:

  • --database-version: The database engine type and version. If left unspecified, the API default is used. See thegcloud database versions documentation to see the current available versions.
  • --cpu: The number of cores desired in the machine.
  • --memory: Whole number value indicating how much memory is desired in the machine. A size unit should be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
  • --region: Regional location of the instance (for example asia-east1, us-east1). If left unspecified, the defaultus-central is used.

Run thegcloud sql instances create command to create a Cloud SQL instance.

gcloudsqlinstancescreatequickstart-instance\--database-version=MYSQL_8_0\--cpu=1\--memory=4GB\--region=us-central1\--root-password=DB_ROOT_PASSWORD

Private IP

Console

Allocate an IP address range and create a private connection to configure private services access for Cloud SQL

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. Select thedefault VPC network.
  3. Select thePrivate service connection tab.
  4. Select theAllocated IP ranges for services tab.
  5. ClickAllocate IP range.
  6. For theName of the allocated range, specifygoogle-managed-services-default.
  7. Select theAutomatic option for IP range and specify the prefix length as16.
  8. ClickAllocate to create the allocated range.
  9. Select thePrivate connections to services tab for thedefault VPC network.
  10. ClickCreate connection to create a private connection between your network and a service producer.
  11. For theAssigned allocation, selectgoogle-managed-services-default.
  12. ClickConnect to create the connection.

Create an instance with private IP address and SSL enabled

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. ClickCreate instance.
  3. ClickChoose MySQL.
  4. Make sure thatEnterprise Plus is selected as the Cloud SQL edition for your instance.
  5. In theInstance ID field, enterquickstart-instance.
  6. In thePassword field, enter a password for the root user. Save this password for future use.
  7. In theChoose region and zonal availability section, selectSingle zone.
  8. Click theShow configuration options menu.
  9. Expand theMachine configuration node.
  10. From theMachine shapes region, select the4 vCPU, 32 GB shape.
  11. Expand theConnections node.
  12. Clear thePublic IP checkbox to create an instance only with a private IP address.
  13. Select thePrivate IP checkbox.
  14. From theNetwork menu, selectdefault.
  15. ClickCreate instance and then wait for the instance to initialize and start.
  16. ClickConnections.
  17. In theSecurity section, selectAllow only SSL connections to enable SSL connections.
  18. In theEnable SSL dialog, clickEnable and restart and then wait for the instance to restart.

gcloud

Allocate an IP address range and create a private connection to configure private services access for Cloud SQL

  1. Run thegcloud compute addresses create command to allocate an IP address range.

    gcloudcomputeaddressescreategoogle-managed-services-default\--global--purpose=VPC_PEERING--prefix-length=16\--description="peering range for Google"--network=default

  2. Run thegcloud services vpc-peerings connect command to create a private connection to the allocated IP address range. Replace YOUR_PROJECT_ID with your project's project ID.

    gcloudservicesvpc-peeringsconnect--service=servicenetworking.googleapis.com\--ranges=google-managed-services-default--network=default\--project=YOUR_PROJECT_ID

Create an instance with private IP address and SSL enabled

  1. Before running the command as follows, replaceDB_ROOT_PASSWORD with the password of your database user.

    2. Optionally, modify the values for the following parameters:

    • --database-version: The database engine type and version. If left unspecified, the API default is used. See thegcloud database versions documentation to see the current available versions.
    • --cpu: The number of cores in the machine.
    • --memory: A whole number value indicating how much memory to include in the machine. A size unit can be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
    • --region: The regional location of the instance (for example asia-east1, us-east1). If left unspecified, the defaultus-central1 is used. See the full list ofregions.

    Run thegcloud sql instances create command to create a Cloud SQL instance with a Private IP address.

    gcloudsqlinstancescreatequickstart-instance\--database-version=MYSQL_8_0\--cpu=1\--memory=4GB\--region=us-central1\--root-password=DB_ROOT_PASSWORD\--no-assign-ip\--network=default

  2. Run thegcloud sql instances patch command to enableonly allow SSL connections for the instance.

    3. gcloudsqlinstancespatchquickstart-instance--require-ssl

Create a database

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. Selectquickstart-instance.
  3. From the SQL navigation menu, selectDatabases.
  4. ClickCreate database.
    1. In theDatabase name field of theCreate a database dialog box, enterquickstart-db. Leave the values for the character set and collation.
    2. ClickCreate.

gcloud

Run thegcloud sql databases create command to create a database.

gcloudsqldatabasescreatequickstart-db--instance=quickstart-instance

Create a user

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. From the SQL navigation menu, selectUsers.
  4. ClickAdd user account.
  5. In theAdd a user account to instanceinstance_name page, add the following information:
    1. In theUser name field, enterquickstart-user.
    2. In thePassword field, specify a password for your database user. Make a note of this password for use in a later step of this quickstart.
  6. ClickAdd.

gcloud

Before running the following command, make the following replacements:

  1. PASSWORD with a password for your database user. Make a note of this for use in a later step of this quickstart.

Run thegcloud sql users create command to create the user.

gcloudsqluserscreatequickstart-user\--instance=quickstart-instance\--password=PASSWORD

User name length limits are the same for Cloud SQL as foron-premises MySQL; 32 characters for MySQL 8.0 and later, 16 characters forearlier versions.

Deploy a sample app to App Engine standard environment

Create the App Engine application

Create the App Engine application in your Google Cloud project. This enables the App Engine service, creates a default App Engine application and creates a App Engine service account that will be used to connect to Cloud SQL.Note: This step only needs to be performed once per Google Cloud project.

Console

  1. In the Google Cloud console, go to theApp Engine page.

    Go to App Engine

  2. Click theCreate application button.
  3. Selectus-central from theSelect a region drop-down menu.
  4. ClickNext.
  5. Click theI'll do this later link once it appears on theGet started page.

gcloud

  1. Run the followinggcloud app create command to create an App Engine application:
    2. gcloudappcreate
  2. When prompted to choose the region where you want your App Engine application located, enter the numeric choice forus-central.

Configure the App Engine service account

Configure the service account used by App Engine so that it has theCloud SQL Client role with permissions to connect to Cloud SQL.

Configure and deploy a Cloud SQL sample app

With a Cloud SQL instance, database, and service account with clientpermissions, you can now configure and deploy a sample application to connectto your Cloud SQL instance.

Public IP

For public IP paths, App Engine standard environment provides encryption and connects using the Cloud SQL Auth Proxy through Unix sockets.

Go

  1. In Cloud Shell Editor, open the sample app's source code.

    Open Cloud Shell Editor
  2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
  3. At the Cloud Shell command prompt, run the following command to activate your project:
    gcloudconfigsetprojectYOUR-PROJECT-ID
    Note: ReplaceYOUR-PROJECT-ID with your project ID.
  4. If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
  5. From the Explorer navigation menu of Cloud Shell Editor, navigate to and open thegolang-samples/cloudsql/mysql/database-sql/cmd/app/app.standard.yaml file.
  6. Replace the placeholders for the environment variables in theapp.standard.yaml file with the following values:
  7. At the Cloud Shell command prompt, in thegolang-samples/cloudsql/mysql/database-sql directory, run the followinggcloud app deploy command to deploy the sample app to App Engine standard environment.
    8. gcloudappdeploycmd/app/app.standard.yaml
  8. If you're prompted to choose the region for creating the app, then enter the numeric choice forus-central.
  9. When prompted withDo you want to continue?, enterY.
  10. When the deploy command completes, run thegcloud app browse command:
    11. gcloudappbrowse
  11. Click the generated link to see the sample app running on App Engine standard environment. This environment is connected to Cloud SQL.

    12. View deployed sample app.

Java

  1. In Cloud Shell Editor, open the sample app's source code.

    Open Cloud Shell Editor

  2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
  3. At the Cloud Shell command prompt, run the following command to activate your project:
    gcloudconfigsetprojectYOUR-PROJECT-ID
    Note: ReplaceYOUR-PROJECT-ID with your project ID.
  4. If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
  5. From the Explorer navigation menu of Cloud Shell Editor, navigate to and open thejava-docs-samples/cloud-sql/mysql/servlet/src/main/webapp/WEB-INF/appengine-web.xml file.
  6. Replace the placeholders for the environment variables in theappengine-web.xml file with the following values:
  7. At the Cloud Shell command prompt, in thejava-docs-samples/cloud-sql/mysql/servlet directory, run the followingApache Mavenmvn clean package command to deploy the sample app to App Engine standard environment.
    8. mvncleanpackageappengine:deploy-DskipTests
  8. If you're prompted to choose the region for creating the app, then enter the numeric choice forus-central.
  9. When prompted withDo you want to continue?, enterY.
  10. When the deploy command completes, run thegcloud app browse command:
    11. gcloudappbrowse
  11. Click the generated link to see the sample app running on App Engine standard environment. This environment is connected to Cloud SQL.

    12. View deployed sample app.

Node.js

  1. In Cloud Shell Editor, open the sample app's source code.

    Open Cloud Shell Editor

  2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
  3. At the Cloud Shell command prompt, run the following command to activate your project:
    gcloudconfigsetprojectYOUR-PROJECT-ID
    Note: ReplaceYOUR-PROJECT-ID with your project ID.
  4. If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
  5. From the Explorer navigation menu of Cloud Shell Editor, navigate to and open thenodejs-docs-samples/cloud-sql/mysql/mysql/app.standard.yaml file.
  6. Replace the placeholders for the environment variables in theapp.standard.yaml file with the following values:
  7. At the Cloud Shell command prompt, in thenodejs-docs-samples/cloud-sql/mysql/mysql directory, run the followinggcloud app deploy command to deploy the sample app to App Engine standard environment.
    8. gcloudappdeployapp.standard.yaml
  8. If you're prompted to choose the region for creating the app, then enter the numeric choice forus-central.
  9. When prompted withDo you want to continue?, enterY.
  10. When the deploy command completes, run thegcloud app browse command:
    11. gcloudappbrowse
  11. Click the generated link to see the sample app running on App Engine standard environment. This environment is connected to Cloud SQL.

    12. View deployed sample app.

Python

  1. In Cloud Shell Editor, open the sample app's source code.
    Open Cloud Shell Editor
  2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
  3. At the Cloud Shell command prompt, run the following command to activate your project:
    gcloudconfigsetprojectYOUR-PROJECT-ID
    Note: ReplaceYOUR-PROJECT-ID with your project ID.
  4. If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
  5. From the Explorer navigation menu of Cloud Shell Editor, navigate to and open thepython-docs-samples/cloud-sql/mysql/sqlalchemy/app.standard.yaml file.
  6. Replace the placeholders for the environment variables in theapp.standard.yaml file with the following values:
  7. At the Cloud Shell command prompt, in thepython-docs-samples/cloud-sql/mysql/sqlalchemy directory, run the followinggcloud app deploy command to deploy the sample app to App Engine standard environment.
    8. gcloudappdeployapp.standard.yaml
  8. If you're prompted to choose the region for creating the app, then enter the numeric choice forus-central.
  9. When prompted withDo you want to continue?, enterY.
  10. When the deploy command completes, run thegcloud app browse command:
    11. gcloudappbrowse
  11. Click the generated link to see the sample app running on App Engine standard environment. This environment is connected to Cloud SQL.

    12. View deployed sample app.

Private IP

For private IP paths, your application connects directly to your instance through Serverless VPC Access. This method uses a TCP socket to connect directly to the Cloud SQL instance without using the Cloud SQL Auth Proxy.

Go

Create and download SSL server and client certificates

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. Click thequickstart-instance to see itsOverview page
  3. Click theConnections tab.
  4. Under theSecurity section, clickCreate client certificate.
  5. In theCreate a client certificate dialog, enterquickstart-key as the name and clickCreate.

  6. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.

    Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

  1. In the Google Cloud console, go to theServerless VPC access -Create connector page.

    Create Serverless VPC connector

  2. Enterquickstart-connector for theName.
  3. Selectdefault from theNetwork drop-down menu
  4. SelectCustom IP range from theSubnet drop-down menu
  5. Enter10.8.0.0 in theIP range input box
  6. ClickCreate to create the connector.

Build a sample app with SSL certificates

  1. In Cloud Shell Editor, open the sample app's source code.

    Open Cloud Shell Editor
  2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
  3. At the Cloud Shell command prompt, run the following command to activate your project:
    gcloudconfigsetprojectYOUR-PROJECT-ID
    Note: ReplaceYOUR-PROJECT-ID with your project ID.
  4. If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
  5. Upload SSL certs files to thecerts folder.
    1. From the Explorer navigation menu of Cloud Shell Editor, navigate to thegolang-samples/cloudsql/mysql/database-sql/certs folder.
    2. Right-click thecerts folder in Cloud Shell Editor and selectUpload Files.
    3. Select following files on your local machine:
      • client-key.pem
      • client-cert.pem
      • server-ca.pem
    4. With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
  6. From the Explorer navigation menu of Cloud Shell Editor, navigate to and open thegolang-samples/cloudsql/mysql/database-sql/cmd/app/app.standard.yaml file.
  7. Copy and paste the following code into the file, replacing the existing file content:
    8. runtime:go116env_variables:DB_USER:quickstart-userDB_PASS:YOUR_DB_PASSWORDDB_NAME:quickstart-dbDB_PORT:3306INSTANCE_HOST:INSTANCE_HOSTDB_ROOT_CERT:certs/server-ca.pemDB_CERT:certs/client-cert.pemDB_KEY:certs/client-key.pemPRIVATE_IP:TRUEvpc_access_connector:name:projects/PROJECT_ID/locations/us-central1/connectors/quickstart-connector
  8. Make the following variable replacements:
  9. At the Cloud Shell command prompt, in thegolang-samples/cloudsql/mysql/database-sql directory, run the followinggcloud app deploy command to deploy the sample app to App Engine standard environment.
    10. gcloudappdeploycmd/app/app.standard.yaml
  10. If you're prompted to choose the region for creating the app, then enter the numeric choice forus-central.
  11. When prompted withDo you want to continue?, enterY.
  12. When the deploy command completes, run thegcloud app browse command:
    13. gcloudappbrowse
  13. Click the generated link to see the sample app running on App Engine standard environment. This environment is connected to Cloud SQL.

    14. View deployed sample app.

Java

Create and download SSL server and client certificates

For Java users, the connector already provides a secure connection so that creating and downloading SSL server and client certificates is unnecessary.

Create a Serverless VPC Connection for connections to the instance via Private IP

  1. In the Google Cloud console, go to theServerless VPC access -Create connector page.

    Create Serverless VPC connector

  2. Enterquickstart-connector for theName.
  3. Selectdefault from theNetwork drop-down menu
  4. SelectCustom IP range from theSubnet drop-down menu
  5. Enter10.8.0.0 in theIP range input box
  6. ClickCreate to create the connector.

Build sample app

  1. In Cloud Shell Editor, open the sample app's source code.
    Open Cloud Shell Editor
  2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
  3. At the Cloud Shell command prompt, run the following command to activate your project:
    gcloudconfigsetprojectYOUR-PROJECT-ID
    Note: ReplaceYOUR-PROJECT-ID with your project ID.
  4. If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
  5. From the Explorer navigation menu of Cloud Shell Editor, navigate to and open thejava-docs-samples/cloud-sql/mysql/servlet/src/main/webapp/WEB-INF/appengine-web.xml file.
  6. Copy and paste the following code into theappengine-web.xml file, replacing the existing file content:
    7. <runtime>java17</runtime><env-variables><env-varname="INSTANCE_CONNECTION_NAME"value="project-name:region-name:instance-name"/><env-varname="DB_PORT"value="3306"/><env-varname="DB_USER"value="quickstart-user"/><env-varname="DB_PASS"value="my-db-password"/><env-varname="DB_NAME"value="quickstart-db"/></env-variables><vpc-access-connector><name>projects/PROJECT_ID/locations/us-central1/connectors/quickstart-connector</name><egress-setting>all-traffic</egress-setting></vpc-access-connector>
  7. Make the following variable replacements:
  8. At the Cloud Shell command prompt, in thejava-docs-samples/cloud-sql/mysql/servlet directory, run the followingApache Mavenmvn clean package command to deploy the sample app to App Engine standard environment.
    9. mvncleanpackageappengine:deploy-DskipTests
  9. If you're prompted to choose the region for creating the app, then enter the numeric choice forus-central.
  10. When prompted withDo you want to continue?, enterY.
  11. When the deploy command completes, run thegcloud app browse command:
    12. gcloudappbrowse
  12. Click the generated link to see the sample app running on App Engine standard environment. This environment is connected to Cloud SQL.

    13. View deployed sample app.

Node.js

Create and download SSL server and client certificates

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. Click thequickstart-instance to see itsOverview page
  3. Click theConnections tab.
  4. Under theSecurity section, clickCreate client certificate.
  5. In theCreate a client certificate dialog, enterquickstart-key as the name and clickCreate.

  6. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.

    Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

  1. In the Google Cloud console, go to theServerless VPC access -Create connector page.

    Create Serverless VPC connector

  2. Enterquickstart-connector for theName.
  3. Selectdefault from theNetwork drop-down menu
  4. SelectCustom IP range from theSubnet drop-down menu
  5. Enter10.8.0.0 in theIP range input box
  6. ClickCreate to create the connector.

Build sample app with SSL certificates

  1. In Cloud Shell Editor, open the sample app's source code.
    Open Cloud Shell Editor
  2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
  3. At the Cloud Shell command prompt, run the following command to activate your project:
    gcloudconfigsetprojectYOUR-PROJECT-ID
    Note: ReplaceYOUR-PROJECT-ID with your project ID.
  4. If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
  5. Upload SSL certs files tocerts folder.
    1. From the Explorer navigation menu of Cloud Shell Editor, navigate to thenodejs-docs-samples/cloud-sql/mysql/mysql/certs folder.
    2. Right-clickcerts folder in Cloud Shell Editor and selectUpload Files
    3. Select following files on your local machine:
      • client-key.pem
      • client-cert.pem
      • server-ca.pem
    4. With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
  6. From the Explorer navigation menu of Cloud Shell Editor, navigate to and open thenodejs-docs-samples/cloud-sql/mysql/mysql/app.standard.yaml file.
  7. Copy and paste the following code into the file, replacing the existing file content:
    8. runtime:nodejs16env_variables:DB_USER:quickstart-userDB_PASS:MY_DB_PASSWORDDB_NAME:quickstart-dbDB_PORT:3306INSTANCE_HOST:INSTANCE_HOSTDB_ROOT_CERT:certs/server-ca.pemDB_CERT:certs/client-cert.pemDB_KEY:certs/client-key.pemPRIVATE_IP:TRUEvpc_access_connector:name:projects/PROJECT_ID/locations/us-central1/connectors/quickstart-connector
  8. Make the following variable replacements:
  9. At the Cloud Shell command prompt, in thenodejs-docs-samples/cloud-sql/mysql/mysql directory, run the followinggcloud app deploy command to deploy the sample app to App Engine standard environment.
    10. gcloudappdeployapp.standard.yaml
  10. If you're prompted to choose the region for creating the app, then enter the numeric choice forus-central.
  11. When prompted withDo you want to continue?, enterY.
  12. When the deploy command completes, run thegcloud app browse command:
    13. gcloudappbrowse
  13. Click the generated link to see the sample app running on App Engine standard environment. This environment is connected to Cloud SQL.

    14. View deployed sample app.

Python

Create and download SSL server and client certificates

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. Click thequickstart-instance to see itsOverview page
  3. Click theConnections tab.
  4. Under theSecurity section, clickCreate client certificate.
  5. In theCreate a client certificate dialog, enterquickstart-key as the name and clickCreate.

  6. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.

    Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

  1. In the Google Cloud console, go to theServerless VPC access -Create connector page.

    Create Serverless VPC connector

  2. Enterquickstart-connector for theName.
  3. Selectdefault from theNetwork drop-down menu
  4. SelectCustom IP range from theSubnet drop-down menu
  5. Enter10.8.0.0 in theIP range input box
  6. ClickCreate to create the connector.

Build sample app with SSL certificates

  1. In Cloud Shell Editor, open the sample app's source code.
    Open Cloud Shell Editor
  2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
  3. At the Cloud Shell command prompt, run the following command to activate your project:
    gcloudconfigsetprojectYOUR-PROJECT-ID
    Note: ReplaceYOUR-PROJECT-ID with your project ID.
  4. If anAuthorize Cloud Shell dialog box appears, then clickAuthorize.
  5. Upload SSL certs files tocerts folder.
    1. From the Explorer navigation menu of Cloud Shell Editor, navigate to thepython-docs-samples/cloud-sql/mysql/sqlalchemy/certs folder.
    2. Right-clickcerts folder in Cloud Shell Editor and selectUpload Files
    3. Select following files on your local machine:
      • client-key.pem
      • client-cert.pem
      • server-ca.pem
    4. With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
  6. From the Explorer navigation menu of Cloud Shell Editor, navigate to and open thepython-docs-samples/cloud-sql/mysql/sqlalchemy/app.standard.yaml file.
  7. Copy and paste the following code into the file, replacing the existing file content:
    8. runtime:python37entrypoint:gunicorn-b:$PORTapp:appenv_variables:DB_USER:quickstart-userDB_PASS:YOUR_DB_PASSWORDDB_NAME:quickstart-dbDB_PORT:3306INSTANCE_HOST:INSTANCE_HOSTDB_ROOT_CERT:certs/server-ca.pemDB_CERT:certs/client-cert.pemDB_KEY:certs/client-key.pemPRIVATE_IP:TRUEvpc_access_connector:name:projects/PROJECT_ID/locations/us-central1/connectors/quickstart-connector
  8. Make the following variable replacements:
  9. At the Cloud Shell command prompt, in thepython-docs-samples/cloud-sql/mysql/sqlalchemy directory, run the followinggcloud app deploy command to deploy the sample app to App Engine standard environment.
    10. gcloudappdeployapp.standard.yaml
  10. If you're prompted to choose the region for creating the app, then enter the numeric choice forus-central.
  11. When prompted withDo you want to continue?, enterY.
  12. When the deploy command completes, run thegcloud app browse command:
    13. gcloudappbrowse
  13. Click the generated link to see the sample app running on App Engine standard environment. This environment is connected to Cloud SQL.

    14. View deployed sample app.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. Select thequickstart-instance instance to open theInstance detailspage.
  3. In the icon bar at the top of the page, clickDelete.
  4. In theDelete instance dialog box, typequickstart-instance, and thenclickDelete to delete the instance.Disabling your app stops it from running instances and serving requests.If your app is processing a request, your app completes the request before beingdisabled.

To disable an App Engine app and retain its data, do thefollowing:

  1. In the Google Cloud console, go to theSettings page:

    Go to Settings

  2. In theApplication settings tab, clickDisable application.

  3. In theApp ID field, enter the ID of the app you want to disable, andthen clickDisable.

Optional cleanup steps

If you're not using theCloud SQL client role that you assigned to theCompute Engine service account, you can remove it.

  1. In the Google Cloud console, go to theIAM page.

    Go to IAM

  2. Click the edit icon (which looks like a pencil) for the IAM account namedCompute Engine default service account.
  3. Delete theCloud SQL client role.
  4. ClickSave.

If you're not using the APIs that were enabled as part of this quickstart, youcan disable them.

  • APIs that were enabled within this quickstart:
    • Compute Engine API
    • Cloud SQL Admin API
    • Cloud Run API
    • Container Registry API
    • Cloud Build API

  1. In the Google Cloud console, go to theAPIs page.

    Go to APIs

  2. Select any API that you would like to disable and then click theDisable API button.

What's next

Based on your needs, you can learn more aboutcreating Cloud SQL instances.

You also can learn about creatingMySQL users anddatabases for your Cloud SQL instance.

For more information about pricing, seeCloud SQL for MySQL pricing.

Learn more about:

  • Configuring your Cloud SQL instance with apublic IP address.
  • Configuring your Cloud SQL instance with aprivate IP address.

Additionally, you can learn about connecting to a Cloud SQL instance fromother Google Cloud applications:

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-14 UTC.