Configure private IP
This page describes how to configure a Cloud SQL instance to use private IP.
For information about how private IP works, as well as environment and management requirements, see Private IP.
Before you begin
API and IAM requirements
- You must enable the Service Networking API for your Google Cloud project.
- To manage a private services access connection, the user must have the following Identity and Access Management (IAM) permissions. Without them, the connection setup fails with insufficient-permissions errors.
compute.networks.list
compute.addresses.create
compute.addresses.list
servicenetworking.services.addPeering
If you are using a Shared VPC network, you also need to add your user to the host project and assign the same permissions to the user on the host project.
If you are using a Shared VPC network, you also need to enable the Service Networking API for the host project.
Private services access
When you create a new Virtual Private Cloud (VPC) network in your project, you need to configure private services access to allocate an IP address range and create a private service connection. This allows resources in the VPC network to connect to Cloud SQL instances. The Google Cloud console provides a wizard to help you set up this configuration.
Assigning different VPC networks to Cloud SQL for PostgreSQL instances with private IP addresses provides better isolation than attaching all of them to the default VPC network.
Configure an instance to use private IP
You can configure a Cloud SQL instance to use private IP when you create the instance, or for an existing instance.
After you configure an instance to use private IP, you cannot disable private IP connectivity for that instance. If you choose to let Cloud SQL allocate your private IP for an instance, the addresses for all instances you later configure in that VPC network are automatically allocated in the same IP address range.
For each project, there's an internal limit for the number of different network-region combinations in which Cloud SQL instances can be set up with Private Services Access. To avoid reaching this limit, we recommend reusing existing available networks.
Configure private IP for a new instance
To configure a Cloud SQL instance to use private IP when creatingan instance:
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- Click Create instance.
- Expand Show configuration options.
- Expand Connections.
- Select Private IP.
  A drop-down list shows the available VPC networks in your project. If your project is the service project of a Shared VPC, then VPC networks from the host project are also shown.
- Select the VPC network you want to use.
- If you see a message indicating that you need to set up a private service connection, do the following:
  - Click Set up connection.
  - In the Allocate an IP range section, select one of the following options:
    - Select one or more existing IP ranges or create a new one from the drop-down. The drop-down includes previously allocated ranges, if there are any, or you can select Allocate a new IP range and enter a new range and name.
    - Use an automatically allocated IP range in your network.
  - Click Continue.
  - Click Create connection.
  - Verify that you see the message: Private service connection for network VPC_NETWORK_NAME has been successfully created.
- Optionally, you can specify an allocated IP range for your instances to use for connections.
  - Expand Show allocated IP range option.
  - Select an IP range from the drop-down menu.
- Optional. If you want to allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over a private IP connection, then select Enable private path.
- Finish configuring your instance.
- Click Create instance.
gcloud
Before you create an instance using a private IP address, ensure that your project is configured for private services access.
Before using any of the request data, make the following replacements:
- INSTANCE_ID: The instance ID
- PROJECT_ID: The project ID
- NETWORK_PROJECT_ID: The project ID of the VPC network
- VPC_NETWORK_NAME: The name of the VPC network
- RANGE_NAME: Optional. If specified, sets a range name for which an IP range is allocated. The range name must comply with RFC-1035 and contain 1-63 characters.
- DATABASE_VERSION: The version of the PostgreSQL database (for example, POSTGRES_14)
- NUMBER_OF_CPU: The number of CPUs
- MEMORY_IN_GB: The amount of memory (in GB)
- REGION_NAME: The region name
Create the instance by using the --network parameter to specify the name of your selected VPC network. To disable public IP, use the --no-assign-ip flag. Also, optionally, use the --enable-google-private-path parameter to allow other Google Cloud services such as BigQuery to access data in Cloud SQL and make queries against this data over a private IP connection. This parameter is valid only if:
- You use the --no-assign-ip parameter.
- You use the --network parameter to specify the name of the VPC network that you want to use to create a private connection.
gcloud beta sql instances create INSTANCE_ID \
--project=PROJECT_ID \
--network=projects/NETWORK_PROJECT_ID/global/networks/VPC_NETWORK_NAME \
--no-assign-ip \
--allocated-ip-range-name=RANGE_NAME \
--enable-google-private-path \
--database-version=DATABASE_VERSION \
--cpu=NUMBER_OF_CPU \
--memory=MEMORY_IN_GB \
--region=REGION_NAME
Terraform
To configure private IP for a new instance, use the following Terraform resources:
google_compute_network
google_compute_global_address
google_service_networking_connection
google_sql_database_instance
# VPC network that the instance will be reachable from over private services access.
resource "google_compute_network" "peering_network" {
  name                    = "private-network"
  auto_create_subnetworks = false
}

# Internal range reserved for the service producer (Cloud SQL) side of the peering.
resource "google_compute_global_address" "private_ip_address" {
  name          = "private-ip-address"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.peering_network.id
}

# Private services access connection; must exist before the instance is created.
resource "google_service_networking_connection" "default" {
  network                 = google_compute_network.peering_network.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
}

# Private-IP-only instance: no public IPv4 address, attached to the peered network.
resource "google_sql_database_instance" "default" {
  name             = "private-ip-sql-instance"
  region           = "us-central1"
  database_version = "POSTGRES_14"
  depends_on       = [google_service_networking_connection.default]

  settings {
    tier = "db-custom-2-7680"
    ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.peering_network.id
    }
  }
}

# Exchange custom routes over the peering so on-premises or other VPC clients can reach the instance.
resource "google_compute_network_peering_routes_config" "peering_routes" {
  peering              = google_service_networking_connection.default.peering
  network              = google_compute_network.peering_network.name
  import_custom_routes = true
  export_custom_routes = true
}

# Uncomment this block after adding a valid DNS suffix
# resource "google_service_networking_peered_dns_domain" "default" {
#   name       = "example-com"
#   network    = google_compute_network.peering_network.id
#   dns_suffix = "example.com."
#   service    = "servicenetworking.googleapis.com"
# }
Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- Launch Cloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module).
- In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension, for example main.tf. In this tutorial, the file is referred to as main.tf.
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
- Copy the sample code into the newly created main.tf.
Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the -upgrade option:
terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering yes at the prompt:
terraform apply
Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Delete the changes
To delete your changes, do the following:
- To disable deletion protection, in your Terraform configuration file set the deletion_protection argument to false.
deletion_protection = false
- Apply the updated Terraform configuration by running the following command and entering yes at the prompt:
terraform apply
- Remove resources previously applied with your Terraform configuration by running the following command and entering yes at the prompt:
terraform destroy
REST v1
Create a new instance with a private IP address:
Before using any of the request data, make the following replacements:
- PROJECT_ID: The project ID
- INSTANCE_ID: The instance ID
- VPC_NETWORK_NAME: Specify the name of the Virtual Private Cloud (VPC) network that you want to use for this instance. Private services access must already be configured for the network.
- RANGE_NAME: Optional. If specified, sets a range name for which an IP range is allocated. The range name must comply with RFC-1035 and contain 1-63 characters.
- AUTHORIZED_NETWORKS: For public IP connections, specify the connections from authorized networks that can connect to your instance.
For the ipv4Enabled parameter, set the value to true if you're using a public IP address for your instance or false if your instance has a private IP address.
If you set the enablePrivatePathForGoogleCloudServices parameter to true, then you allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over a private IP connection. By setting this parameter to false, other Google Cloud services can't access data in Cloud SQL over a private IP connection.
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances
Request JSON body:
{
  "name": "INSTANCE_ID",
  "region": "region",
  "databaseVersion": "database-version",
  "settings": {
    "tier": "machine-type",
    "ipConfiguration": {
      "ipv4Enabled": false,
      "privateNetwork": "projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME",
      "allocatedIpRange": "RANGE_NAME",
      "authorizedNetworks": [AUTHORIZED_NETWORKS],
      "enablePrivatePathForGoogleCloudServices": true
    }
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "CREATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
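The request body above has two constraints that the API only reports after the call: the allocated range name must be RFC 1035 compliant, and enablePrivatePathForGoogleCloudServices is only valid on an instance with ipv4Enabled set to false and a privateNetwork set. The following Python is an added example, not code from this page or from Google's tooling, that assembles the same settings.ipConfiguration structure and rejects those combinations before anything is sent to sqladmin.googleapis.com. The function names build_create_body and valid_range_name and the sample values in the main block are assumptions made for illustration.

```python
"""Preflight for a Cloud SQL private-IP instance create body.

Added example (not from the Cloud SQL documentation): builds the JSON body
for POST /v1/projects/PROJECT_ID/instances as laid out on this page and
checks the constraints the page states before the request is made.
"""
import json
import re

# Google Cloud resource names follow RFC 1035 label rules: 1-63 characters,
# a lowercase letter first, then lowercase letters, digits or hyphens, and
# no trailing hyphen.
RANGE_NAME_RE = re.compile(r"^[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?$")


def valid_range_name(name: str) -> bool:
    """True when `name` is an acceptable allocated IP range name."""
    return RANGE_NAME_RE.fullmatch(name) is not None


def build_create_body(instance_id, region, database_version, tier,
                      network_project_id, vpc_network_name,
                      range_name=None, private_path=False,
                      public_ip=False, authorized_networks=()):
    """Return the dict to POST as the instance create request.

    Raises ValueError for the combinations this page rules out, instead of
    letting the API reject them after the instance name is already reserved.
    """
    if range_name is not None and not valid_range_name(range_name):
        raise ValueError(f"allocated range name {range_name!r} is not RFC 1035 compliant")
    # enablePrivatePathForGoogleCloudServices (--enable-google-private-path)
    # is only valid together with no public IP (--no-assign-ip) and a network.
    if private_path and public_ip:
        raise ValueError("private path requires ipv4Enabled=false (no public IP)")
    ip_config = {
        "ipv4Enabled": public_ip,
        "privateNetwork": f"projects/{network_project_id}/global/networks/{vpc_network_name}",
        "enablePrivatePathForGoogleCloudServices": private_path,
    }
    if range_name is not None:
        ip_config["allocatedIpRange"] = range_name
    if authorized_networks:
        # Needed for public IP clients and for non-RFC 1918 private clients.
        ip_config["authorizedNetworks"] = [{"value": cidr} for cidr in authorized_networks]
    return {
        "name": instance_id,
        "region": region,
        "databaseVersion": database_version,
        "settings": {"tier": tier, "ipConfiguration": ip_config},
    }


if __name__ == "__main__":
    # Sample values constructed for illustration; they are not real resources.
    body = build_create_body("orders-db", "us-central1", "POSTGRES_14", "db-custom-2-7680",
                             "net-host-project", "shared-vpc",
                             range_name="cloudsql-range", private_path=True)
    print(json.dumps(body, indent=2))
```

Write the printed dict to request.json and send it with the curl or PowerShell command shown above; the body is identical in shape to the page's template, with the placeholders filled in.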
REST v1beta4
Create a new instance with a private IP address:
Before using any of the request data, make the following replacements:
- PROJECT_ID: The project ID
- INSTANCE_ID: The instance ID
- VPC_NETWORK_NAME: Specify the name of the Virtual Private Cloud (VPC) network that you want to use for this instance. Private services access must already be configured for the network.
- RANGE_NAME: Optional. If specified, sets a range name for which an IP range is allocated. The range name must comply with RFC-1035 and contain 1-63 characters.
- AUTHORIZED_NETWORKS: For public IP connections, specify the connections from authorized networks that can connect to your instance.
For the ipv4Enabled parameter, set the value to true if you're using a public IP address for your instance or false if your instance has a private IP address.
If you set the enablePrivatePathForGoogleCloudServices parameter to true, then you allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over a private IP connection. By setting this parameter to false, other Google Cloud services can't access data in Cloud SQL over a private IP connection.
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances
Request JSON body:
{
  "name": "INSTANCE_ID",
  "region": "region",
  "databaseVersion": "database-version",
  "settings": {
    "tier": "machine-type",
    "ipConfiguration": {
      "ipv4Enabled": false,
      "privateNetwork": "projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME",
      "allocatedIpRange": "RANGE_NAME",
      "authorizedNetworks": [AUTHORIZED_NETWORKS],
      "enablePrivatePathForGoogleCloudServices": true
    }
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "CREATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
Configure private IP for an existing instance
Configuring an existing Cloud SQL instance to use private IP causes the instance to restart, resulting in downtime.
Note: You can't assign a private IP address for an existing Cloud SQL instance in a Shared VPC network. You also can't assign an allocated range name for an existing instance.
To configure an existing instance to use private IP:
Console
- In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Select Connections from the Cloud SQL navigation menu.
- On the Networking tab, select the Private IP checkbox.
  A drop-down list shows the available networks in your project.
- Select the VPC network you want to use.
- If you see Private service connection required, do the following:
  - Click Set up connection.
  - In the Allocate an IP range section, choose one of the following options:
    - Select one or more existing IP ranges or create a new one from the drop-down. The drop-down includes previously allocated ranges, if there are any, or you can select Allocate a new IP range and enter a new range and name.
    - Use an automatically allocated IP range in your network.
  - Click Continue.
  - Click Create connection.
  - Verify that you see the Private service connection for network VPC_NETWORK_NAME has been successfully created status.
- Optional. If you want to allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over a private IP connection, then select the Enable private path check box.
- Click Save.
gcloud
Ensure your project is configured for private services access.
Update your Cloud SQL instance by using the --network parameter to specify the name of your selected VPC network.
gcloud beta sql instances patch INSTANCE_ID \
--project=PROJECT_ID \
--network=projects/NETWORK_PROJECT_ID/global/networks/VPC_NETWORK_NAME \
--no-assign-ip \
--enable-google-private-path
REST v1
Update an existing instance to use a private IP address:
Before using any of the request data, make the following replacements:
- PROJECT_ID: The project ID
- INSTANCE_ID: The instance ID
- VPC_NETWORK_NAME: Specify the name of the Virtual Private Cloud (VPC) network that you want to use for this instance. Private services access must already be configured for the network.
- RANGE_NAME: Optional. If specified, sets a range name for which an IP range is allocated. The range name must comply with RFC-1035 and contain 1-63 characters.
- AUTHORIZED_NETWORKS: For public IP connections, specify the connections from authorized networks that can connect to your instance.
For the ipv4Enabled parameter, set the value to true if you're using a public IP address for your instance or false if your instance has a private IP address.
If you set the enablePrivatePathForGoogleCloudServices parameter to true, then you allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over a private IP connection. By setting this parameter to false, other Google Cloud services can't access data in Cloud SQL over a private IP connection.
HTTP method and URL:
PATCH https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID
Request JSON body:
{
  "settings": {
    "ipConfiguration": {
      "ipv4Enabled": false,
      "privateNetwork": "projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME",
      "allocatedIpRange": "RANGE_NAME",
      "authorizedNetworks": [AUTHORIZED_NETWORKS],
      "enablePrivatePathForGoogleCloudServices": true
    }
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
REST v1beta4
Update an existing instance to use a private IP address:
Before using any of the request data, make the following replacements:
- PROJECT_ID: The project ID
- INSTANCE_ID: The instance ID
- VPC_NETWORK_NAME: Specify the name of the Virtual Private Cloud (VPC) network that you want to use for this instance. Private services access must already be configured for the network.
- RANGE_NAME: Optional. If specified, sets a range name for which an IP range is allocated. The range name must comply with RFC-1035 and contain 1-63 characters.
- AUTHORIZED_NETWORKS: For public IP connections, specify the connections from authorized networks that can connect to your instance.
For the ipv4Enabled parameter, set the value to true if you're using a public IP address for your instance or false if your instance has a private IP address.
If you set the enablePrivatePathForGoogleCloudServices parameter to true, then you allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over a private IP connection. By setting this parameter to false, other Google Cloud services can't access data in Cloud SQL over a private IP connection.
HTTP method and URL:
PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID
Request JSON body:
{
  "settings": {
    "ipConfiguration": {
      "ipv4Enabled": false,
      "privateNetwork": "projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME",
      "allocatedIpRange": "RANGE_NAME",
      "authorizedNetworks": [AUTHORIZED_NETWORKS],
      "enablePrivatePathForGoogleCloudServices": true
    }
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-21T22:43:37.981Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
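Moving existing instances to private IP is usually done to retire their public listeners, so it helps to be able to check, from the instance resources the Admin API returns, which instances still have a public address, which were never attached to a VPC network, and which carry an authorized network that admits the whole internet. The following Python is an added example, not code from this page or from Google, that performs that check on instance records of the shape returned by instances.list or gcloud sql instances list --format=json; it relies only on the name, ipAddresses[].type and settings.ipConfiguration fields. The three records in SAMPLE_INSTANCES are constructed for illustration, and audit_instance and audit are names chosen here.

```python
"""Find Cloud SQL instances that still expose a public IP after a private-IP rollout.

Added example, not from the Cloud SQL documentation. A PRIMARY entry in
ipAddresses is the public address; PRIVATE is the private services access
address. The instance records below are made up for illustration.
"""
import ipaddress

SAMPLE_INSTANCES = [
    {   # private-only: what this page configures
        "name": "orders-db",
        "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.5"}],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": False,
            "privateNetwork": "projects/net-host/global/networks/shared-vpc",
            "authorizedNetworks": [],
        }},
    },
    {   # dual-homed, and the public listener is open to the whole internet
        "name": "legacy-db",
        "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"},
                        {"type": "PRIVATE", "ipAddress": "10.20.0.9"}],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "privateNetwork": "projects/net-host/global/networks/shared-vpc",
            "authorizedNetworks": [{"name": "anyone", "value": "0.0.0.0/0"}],
        }},
    },
    {   # public-only, never attached to a VPC network
        "name": "reporting-db",
        "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.11"}],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [{"name": "office", "value": "198.51.100.0/24"}],
        }},
    },
]


def audit_instance(inst: dict) -> list:
    """Return the findings for one instance; an empty list means private-only and sane."""
    findings = []
    cfg = inst.get("settings", {}).get("ipConfiguration", {})
    addr_types = {a.get("type") for a in inst.get("ipAddresses", [])}
    # Either signal means the instance still answers on a public address.
    if cfg.get("ipv4Enabled", False) or "PRIMARY" in addr_types:
        findings.append("public IP enabled (ipv4Enabled true or PRIMARY address present)")
    if not cfg.get("privateNetwork"):
        findings.append("no privateNetwork: not reachable over private services access")
    for net in cfg.get("authorizedNetworks", []):
        cidr = ipaddress.ip_network(net["value"], strict=False)
        if cidr.prefixlen == 0:
            findings.append(f"authorized network {net['value']} admits every address")
    return findings


def audit(instances) -> dict:
    """Map instance name to findings, for every instance that has at least one."""
    report = {}
    for inst in instances:
        findings = audit_instance(inst)
        if findings:
            report[inst["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

To run it against a real project, replace SAMPLE_INSTANCES with the parsed JSON output of gcloud sql instances list --format=json --project=PROJECT_ID. Instances that appear in the report are candidates for the patch command shown above, with the restart and downtime noted at the start of this section.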
Connect to an instance using its Private IP
You use private services access to connect to Cloud SQL instances from Compute Engine or Google Kubernetes Engine instances in the same VPC network (defined here as internal sources) or from outside of that network (an external source).
Connect from an internal source
To connect from a source in the same Google Cloud project as your Cloud SQL instance, such as the Cloud SQL Auth Proxy running on a Compute Engine resource, that resource must be in the same VPC network where private services access has been established for the Cloud SQL instance.
To connect from a serverless source, such as App Engine standard environment, Cloud Run, or Cloud Run functions, your application or function connects directly to your instance through Serverless VPC Access without the Cloud SQL Auth Proxy.
Connect from an external source
If an external network (for example, an on-premises network or a VPC network) is connected to the VPC network to which your Cloud SQL instance is connected, then you can use Cloud VPN or Cloud Interconnect to connect to the instance from a client in the external network.
To permit connections from an external network, do the following:
- Ensure your VPC network is connected to the external network using a Cloud VPN tunnel or a VLAN attachment for Dedicated Interconnect or Partner Interconnect.
- Ensure the Border Gateway Protocol (BGP) sessions on the Cloud Routers managing your Cloud VPN tunnels and Cloud Interconnect attachments (VLANs) have received specific prefixes (destinations) from your on-premises network.
Default routes (destination 0.0.0.0/0) cannot be imported into the Cloud SQL VPC network because that network has its own local default route. Local routes for a destination are used even though the Cloud SQL peering is configured to import custom routes from your VPC network.
- Identify the peering connections produced by the private services connection. Depending on the service, the private services connection might create one or more of the following peering connections, but not necessarily all of them:
cloudsql-mysql-googleapis-com
cloudsql-postgres-googleapis-com
servicenetworking-googleapis-com
- Updateall of the peering connections to enableExport custom routes.
- Identify the allocated range used by the private services connection.
- Configure Cloud Router custom advertisement mode for the allocated range on the Cloud Routers managing BGP sessions for your Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).
Note: If you're using a non-RFC 1918 IP address range for your application, then to allow access from this range, configure the authorized network for your instance.
Connect from Cloud Shell
Cloud Shell doesn't support connecting to a Cloud SQLinstance that has only a private IP address.
Connect from non-RFC 1918 IP addresses
RFC 1918 specifies IPaddresses that are assigned to be used internally (that is, within anorganization) and will not route on the Internet. Specifically, these are:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Connections to a Cloud SQL instance using a private IP address are automatically authorized for RFC 1918 address ranges. This way, all private clients can access the database without going through the proxy.
Note: You must configure all the non-RFC 1918 IP address ranges as authorized networks of the Cloud SQL for PostgreSQL instances. Alternatively, you can connect to your instance using the Cloud SQL Auth Proxy client.
To connect from a non-RFC 1918 IP address, you must set per-instance IP authorization to allow traffic from non-RFC 1918 IP address ranges.
For example, use a gcloud command like the following:
gcloud sql instances patch INSTANCE_NAME \
--authorized-networks=192.88.99.0/24,11.0.0.0/24
Cloud SQL doesn't learn non-RFC 1918 subnet routes from your VPC network by default. You need to update the network peering to Cloud SQL to export any non-RFC 1918 routes.
gcloud compute networks peerings update cloudsql-postgres-googleapis-com \
--network=VPC_NETWORK_NAME \
--export-subnet-routes-with-public-ip \
--project=PROJECT_ID
Replace the following:
- cloudsql-postgres-googleapis-com is a Private Service Connection name from your VPC network page. Select your network, then look for the Private Service Connection section.
- VPC_NETWORK_NAME is the name of your VPC network.
- PROJECT_ID is the ID of the project of the VPC network. If you're using Shared VPC, then use the host project ID.
To mitigate IP address exhaustion, you can use privately used public IP addresses.
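Whether a client range needs the two commands above depends on a precise test: the whole range must fall inside one of the three RFC 1918 blocks to be accepted automatically; anything else, including a block that only partly overlaps RFC 1918 space or a privately used public range, must be added as an authorized network and have its subnet routes exported on the peering. The following Python is an added example, not code from this page or from Google, that applies that test to a list of client subnets and renders the page's two gcloud commands for the ranges that need them. The function names is_rfc1918 and plan_authorization and the client subnets in the main block are assumptions made for illustration.

```python
"""Decide which client ranges a private-IP instance accepts without extra configuration.

Added example, not from the Cloud SQL documentation. RFC 1918 sources are
authorized automatically; every other IPv4 source must be an authorized
network and its routes must be exported on the peering.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True only when the whole range lies inside a single RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:          # Cloud SQL private IP is IPv4 only
        return False
    return any(net.subnet_of(block) for block in RFC1918)


def plan_authorization(client_cidrs, instance="INSTANCE_NAME",
                       peering="cloudsql-postgres-googleapis-com",
                       network="VPC_NETWORK_NAME", project="PROJECT_ID") -> dict:
    """Split client ranges by whether they need explicit authorization and
    render this page's gcloud commands for the ones that do."""
    auto, needs_auth = [], []
    for cidr in client_cidrs:
        normalized = str(ipaddress.ip_network(cidr, strict=False))
        (auto if is_rfc1918(cidr) else needs_auth).append(normalized)
    commands = []
    if needs_auth:
        # patch --authorized-networks replaces the existing list, so any
        # entries you want to keep must be included here too.
        commands.append(
            f"gcloud sql instances patch {instance} "
            f"--authorized-networks={','.join(needs_auth)}")
        # Without this the Cloud SQL side never learns the route back to the clients.
        commands.append(
            f"gcloud compute networks peerings update {peering} "
            f"--network={network} --export-subnet-routes-with-public-ip "
            f"--project={project}")
    return {"auto_authorized": auto, "needs_authorization": needs_auth, "commands": commands}


if __name__ == "__main__":
    # Client subnets constructed for illustration; 192.88.99.0/24 and
    # 11.0.0.0/24 are the non-RFC 1918 examples this page uses.
    plan = plan_authorization(["10.1.0.0/16", "192.88.99.0/24", "11.0.0.0/24", "172.16.5.0/24"])
    print("accepted automatically:", plan["auto_authorized"])
    print("need authorization:   ", plan["needs_authorization"])
    for cmd in plan["commands"]:
        print(cmd)
```

Note that 172.32.0.0/16 is not RFC 1918 (the block ends at 172.31.255.255), which is the kind of off-by-one that the subnet_of check catches and a prefix-string comparison would not.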
Connect from privately used public IP addresses
If you want to configure your instance in a privately used public IP address range, then enable export-subnet-routes-with-public-ip on the network peering between your network and the Cloud SQL network.
gcloud compute networks peerings update cloudsql-postgres-googleapis-com \
--network=VPC_NETWORK_NAME \
--export-subnet-routes-with-public-ip \
--project=PROJECT_ID
Replace the following:
- cloudsql-postgres-googleapis-com is a Private Service Connection name from your VPC network page. Select your network, and then look for the Private Service Connection section.
- VPC_NETWORK_NAME is the name of your VPC network.
- PROJECT_ID is the ID of the project of the VPC network. If you're using Shared VPC, then use the host project ID.
Connect to an instance configured with privately used public IP addresses
If your instance is configured in a privately used public IP address range and you want to connect to it, then enable import-subnet-routes-with-public-ip on the network peering between your network and the Cloud SQL network.
gcloud compute networks peerings update cloudsql-postgres-googleapis-com \
--network=VPC_NETWORK_NAME \
--import-subnet-routes-with-public-ip \
--project=PROJECT_ID
Replace the following:
- cloudsql-postgres-googleapis-com is a Private Service Connection name from your VPC network page. Select your network, then look for the Private Service Connection section.
- VPC_NETWORK_NAME is the name of your VPC network.
- PROJECT_ID is the ID of the project of the VPC network. Use the host project ID if you're using Shared VPC.
Connect by using a write endpoint
In addition to a private IP address, you can use a write endpoint in a SQL connection string. A write endpoint is a global domain name service (DNS) name that resolves to the IP address of the current primary instance automatically. By using a write endpoint, you can avoid having to make application connection changes when a region failure occurs.
If a replica failover or switchover occurs, then the write endpoint can help manage private IP addresses of instances. When this happens, use the write endpoint to connect to the instance that acts as the primary instance.
Note: A write endpoint is available only for Cloud SQL Enterprise Plus edition instances that have private IP addresses and associated networks. For more information on creating instances that meet this criteria, see Create instances.
If you use the Cloud SQL Auth Proxy, then you can't replace the IP address with the write endpoint. You must use the IP address to connect to the instance.
How Cloud SQL creates a write endpoint
If you enable the Cloud DNS API for your Google Cloud project, and then you create a primary Cloud SQL Enterprise Plus edition instance, promote the replica for the instance, or upgrade the instance from Cloud SQL Enterprise edition, Cloud SQL generates a write endpoint automatically and assigns it to the instance.
For more information, see View the write endpoint.
Assign a write endpoint to an instance
If you don't enable the Cloud DNS API for your Google Cloud project, and then you create, promote, or upgrade your instance, Cloud SQL doesn't assign the write endpoint to the instance automatically.
To have Cloud SQL generate a write endpoint and assign it to the instance, see Generate the write endpoint.
Troubleshoot
See troubleshooting for known connectivity issues, and also debugging connection issues for help with self-diagnostics.
What's next
- Learn more about private IP.
- Learn more about private services access.
- See how to use VPC Service Controls to add a service perimeter.
- Learn more about configuring private services access.
- Learn more about configuring private services access for Cloud SQL.
- Learn more about Cloud VPN.
- Learn more about VPC networks.
- Learn more about VPC Network Peering.
- Learn more about Shared VPC.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-16 UTC.