Connect to an instance using Private Service Connect

MySQL | PostgreSQL | SQL Server

This page describes how to usePrivate Service Connect to connect to aCloud SQL instance.

You can use Private Service Connect to connect to either a primary Cloud SQL instance or any of itsread replicas from multiple Virtual Private Cloud (VPC) networks that belong to different groups, teams, projects, or organizations.

Note: If a Cloud SQL instance has Private Service Connect enabled, then thepostgres_fdw,dblink,Pl/Proxy, andpglogical PostgreSQL extensions can't be used with the instance. For more information about these extensions, see Configure PostgreSQL extensions.

Before you begin

Support for using Private Service Connect with a Cloud SQL instance is available forgcloud CLI versions 416.0.0 and later.

User roles

The following table provides information about the roles required to use Private Service Connect with a Cloud SQL instance:

Role	Description
`compute.networkAdmin`	Grants full control over the VPC network that initiates a connection to a Cloud SQL instance. You can create and manage IP addresses, firewall rules, service connection policies, andPrivate Service Connect endpoints. If you use Private Service Connect to connect to a Cloud SQL instance from multiple VPC networks, then each network has its own administrator.
`dns.admin`	Grants full control over Cloud DNS resources, includingDNS zones and records.
`cloudsql.admin`	Provides full control of a Cloud SQL instance and controls the instance over its lifecycle.
`cloudsql.instanceUser`	Provides access to the Cloud SQL instance. If you connect through the Cloud SQL Auth Proxy client, then you must have theCloud SQL Client role. If you connect directly, then you don't need anyIdentity and Access Management (IAM) roles and permissions.

Create a Private Service Connect endpoint

Private Service Connect endpoints are internal IP addresses in a consumer VPC network, which clients in that network can access directly. Clients can use these endpoints to connect to Cloud SQL instances.

You can either have Cloud SQL create a Private Service Connect endpointautomatically in your VPC or you can create the endpoint manually.

To have Cloud SQL create the Private Service Connect endpoint automatically, do the following:

Create a service connection policy in your VPC networks. With this policy, you can provision Private Service Connect endpoints automatically.
Create a Cloud SQL instance with Private Service Connect enabled for the instance, and configure the instance to create Private Service Connect endpoints automatically.
Retrieve the endpoint for the instance. This lets you use the endpoint to connect to the instance.

To create the Private Service Connect endpoint manually, do the following:

Create a Cloud SQL instance with Private Service Connect enabled for the instance.
Get the service attachment URI. You use this URI to create the Private Service Connect endpoint.
Reserve an internal IP address for the Private Service Connect endpoint andcreate an endpoint with that address.

Create the endpoint automatically

Preview

This product is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

The next few sections explain how to configure your instance to let Cloud SQL create the Private Service Connect endpoint automatically.

Create a service connection policy

Aservice connection policy lets you authorize a specified service class to create a Private Service Connect endpoint in your consumer VPC network. You can use the service connection policy to let Cloud SQL create Private Service Connect endpoints automatically.

You can create a service connection policy by using the Google Cloud console,gcloud CLI, or the API.

Console

In the Google Cloud console, go to thePrivate Service Connect page.
Go to Private Service Connect
Click theConnection Policies tab.
ClickCreate connection policy.
Enter aName for the connection policy.
Specify the service class by doing the following:
1. ForSource service class, selectGoogle services.
2. From theService class menu, selectgoogle-cloud-sql because Cloud SQL is the managed service for the connection policy.
In theTarget endpoints scope section, select aNetwork andRegion to which this policy applies.
In thePolicy section, select one or more subnets from theSubnetworks menu. The subnets are used to allocate IP addresses forendpoints.
Optional: Specify aConnection limit for the policy. The limitdetermines how many endpoints can be created by using this connectionpolicy. If you don't specify a connection limit, then there's no limit.
ClickCreate policy.

gcloud

To create a service connection policy, use theservice-connection-policies create command.

gcloud network-connectivity service-connection-policies createPOLICY_NAME \    --network=NETWORK \    --project=PROJECT_ID \    --region=REGION \    --service-class=SERVICE_CLASS \    --subnets=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNETS \    --psc-connection-limit=LIMIT \    --description="DESCRIPTION" \    --producer-instance-location=PRODUCER_INSTANCE_LOCATION \    --allowed-google-producers-resource-hierarchy-level=RESOURCE_HIERARCHY_LEVEL

Replace the following:

POLICY_NAME: the name of your service connectionpolicy.
NETWORK: the network to which this policy applies.
PROJECT_ID: the project ID or number of theVPC network's project. For Shared VPC networks,you must deploy service connection policies in the host project because thesepolicies aren't supported in service projects.
REGION: the region to which this policy applies. Thesame policy must exist for every region in which you want to automateservice connectivity.
SERVICE_CLASS: the producer-supplied resourceidentifier of the service class. For Cloud SQL, the service class isgoogle-cloud-sql.
SUBNETS: one or moreregular consumer subnets that are used toallocate IP addresses for Private Service Connect endpoints. TheseIP addresses are allocated automatically and returned to the subnet's poolas managed service instances are created and deleted. Thesubnets must be in the same region as the service connection policy. If multiple connection policiesshare the same region, then you canreuse the same subnetwork in these policies. You can enter multiple subnets in a comma-separatedlist.
LIMIT: the maximum number of endpoints that you can create by using this policy. If you don't specify a limit, then there's no limit.
DESCRIPTION: an optional description of theservice connection policy.
PRODUCER_INSTANCE_LOCATION: use this optional flagto specify whether to authorize a custom hierarchy of the locations for aCloud SQL instance. You can set the value ofPRODUCER_INSTANCE_LOCATION to only one of the following:
- custom-resource-hierarchy-levels: the instance must be located in one of the projects, folders, or organizations that you provide as a value for theallowed-google-producers-resource-hierarchy-level parameter.
- none: the instance is in the same project as the service connection policy.
RESOURCE_HIERARCHY_LEVEL: a list of projects,folders, or organizations where the instance is located. This list is in the form ofprojects/PROJECT_ID,folders/FOLDER_ID, ororganizations/ORGANIZATION_ID.

For example, the following command creates a service connection policyfor the
google-cloud-sql service class that allocates IPaddresses from themanaged-services subnet. A maximum of 10 Private Service Connect endpoints can be created by usingthis policy. The endpoints must be created in projects that are in the sameorganization as the managed service instance. The Cloud SQL instance is located in themyproject project.

gcloud network-connectivity service-connection-policies create cloud-sql-policy \    --network=default \    --project=my-project \    --region=us-central1 \    --service-class=google-cloud-sql \    --subnets=managed-service-subnet \    --psc-connection-limit=10 \    --producer-instance-location=custom-resource-hierarchy-levels \    --allowed-google-producers-resource-hierarchy-level=projects/myproject

REST

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID of your project.
REGION: the region of your service connection policy.
POLICY_NAME: the name of your service connection policy.
DESCRIPTION: an optional description of your service connection policy.
NETWORK: the network of your service connection policy.
LIMIT: the maximum number of endpoints that you can create by using this policy. If you don't specify a limit, then there's no limit.
SUBNETS: one or moreregular consumer subnets that are used to allocate IP addresses for Private Service Connect endpoints. These IP addresses are allocated automatically and returned to the subnet's pool as managed service instances are created and deleted. The subnets must be in the same region as the service connection policy. If multiple connection policies share the same region, then you can reuse the same subnetwork in these policies. You can enter multiple subnets in a comma-separated list.
SERVICE_CLASS: the producer-supplied resource identifier of the service class.

HTTP method and URL:

POST https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/serviceConnectionPolicies?serviceConnectionPolicyId=POLICY_NAME

Request JSON body:

{  "description": "DESCRIPTION",  "network": "projects/PROJECT_ID/global/networks/NETWORK",  "pscConfig": {    "limit": "LIMIT",    "subnetworks": [      "projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET"    ]  },  "serviceClass": "SERVICE_CLASS"}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/serviceConnectionPolicies?serviceConnectionPolicyId=POLICY_NAME"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by running gcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/serviceConnectionPolicies?serviceConnectionPolicyId=POLICY_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "name": "projects/PROJECT_ID/locations/REGION/operations/OPERATION_ID",  "metadata": {    "@type": "type.googleapis.com/google.cloud.networkconnectivity.v1.OperationMetadata",    "createTime": "2023-08-15T16:59:29.236110917Z",    "target": "projects/PROJECT_ID/locations/REGION/serviceConnectionPolicies/POLICY_NAME",    "verb": "create",    "requestedCancellation": false,    "apiVersion": "v1"  },  "done": false}

Create a Cloud SQL instance

You can create an instance with Private Service Connect enabled for the instance and configure the instance to create endpoints automatically by using gcloud CLI or the API.

Note:After you create the instance, a Private Service Connect endpoint is automatically created in the VPC networks that you specify. However, the endpoint might not be created because of reasons such as the specified network doesn't exist, there's no valid service connection policy, or there aren't any available IP addresses. If this occurs, then the endpoint won't be created. Optionally, you can create Private Service Connect endpoints manually.

gcloud

To create an instance with Private Service Connect enabled for the instance, use thegcloud sql instances create command:

gcloudsqlinstancescreateINSTANCE_NAME\--project=PROJECT_ID\--region=REGION_NAME\--enable-private-service-connect\--allowed-psc-projects=ALLOWED_PROJECTS\--availability-type=AVAILABILITY_TYPE\--no-assign-ip\--tier=MACHINE_TYPE\--database-version=DATABASE_VERSION\--psc-auto-connections=network=CONSUMER_NETWORK,project=CONSUMER_PROJECT

Make the following replacements:

INSTANCE_NAME: the name of the instance.
PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance.
REGION_NAME: the region name for the instance.
ALLOWED_PROJECTS: a comma-separated list of allowed project IDs or numbers from where Private Service Connect endpoints can connect to Cloud SQL instances.
If a project isn't contained in this list, then you can't createPrivate Service Connect endpoints in the project to connect to the instance.
AVAILABILITY_TYPE: enables high availability for the instance. For this parameter, specify one of the following values:
- REGIONAL: enables high availability and is recommended for production instances. The instance fails over to another zone within your selected region.
- ZONAL: provides no failover capability. This is the default value.
For more information about setting and removing high availability for instances, seeConfigure an existing instance for high availability andDeactivate high availability for an instance.
MACHINE_TYPE: the machine type for the instance.
DATABASE_VERSION: the database version for the instance (for example,POSTGRES_13).
CONSUMER_NETWORK: the path to the VPC network from where Private Service Connect endpoints need to be created. For example:
projects/my-host-project/global/networks/default.
CONSUMER_PROJECT: the project where the Private Service Connect endpoint is created. If you're using a Shared VPC network, then this can be either the host project or the service project.
Any projects that you specify in the auto-connection parameters are added to your allowed projects automatically. Optionally, for any projects where you want tocreate Private Service Connect endpoints manually, you can add these projects to your list of allowed projects.

REST

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance.
INSTANCE_NAME: the name of the instance.
REGION_NAME: the region name for the instance.
AVAILABILITY_TYPE: enables high availability for the instance. For this parameter, specify one of the following values:
- REGIONAL: enables high availability and is recommended for production instances. The instance fails over to another zone within your selected region.
- ZONAL: provides no failover capability. This is the default value.
For more information about setting and removing high availability for instances, seeConfigure an existing instance for high availability andDeactivate high availability for an instance.
ALLOWED_PROJECTS: a comma-separated list of allowed project IDs or numbers from where Private Service Connect endpoints can connect to Cloud SQL instances.
If a project isn't contained in this list, then you can't createPrivate Service Connect endpoints in the project to connect to the instance.
MACHINE_TYPE: the machine type for the instance.
CONSUMER_NETWORK: the VPC network where you want to allow automatic creation of Private Service Connect endpoints.
PARENT_PROJECT: the project that contains the networkCONSUMER_NETWORK. If you don't specify a different project inCONSUMER_PROJECT, endpoints are automatically created inPARENT_PROJECT
CONSUMER_PROJECT: Optional. Only specify this ifCONSUMER_NETWORK is a Shared VPC network and you want to allow automatic creation of Private Service Connect endpoints in a service project.
Any projects that you specify in the auto-connection parameters are added to your allowed projects automatically. Optionally, for any projects where you want tocreate Private Service Connect endpoints manually, you can add these projects to your list of allowed projects.

HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances

Request JSON body:

{  "name": "INSTANCE_NAME",  "project":PROJECT_ID",  "region": "REGION_NAME",  "databaseVersion": "POSTGRES_13",  "kind": "sql#instance",  "settings": {    "availabilityType": "AVAILABILITY_TYPE",    "ipConfiguration": {      "ipv4Enabled": false,      "pscConfig": {        "allowedConsumerProjects": [          "ALLOWED_PROJECTS"        ],        "pscAutoConnections": [          {            "consumerProject":"CONSUMER_PROJECT",            "consumerNetwork":"projects/PARENT_PROJECT/global/networks/CONSUMER_NETWORK"          }        ],        "pscEnabled": true      }    },    "kind": "sql#settings",    "pricingPlan": "PER_USE",    "replicationType": "SYNCHRONOUS",    "tier": "MACHINE_TYPE"  }}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances"

PowerShell (Windows)

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME",  "status": "RUNNING",  "user": "user@example.com",  "insertTime": "2020-01-16T02:32:12.281Z",  "startTime": "2023-06-14T18:48:35.499Z",  "operationType": "CREATE",  "name": "OPERATION_ID",  "targetId": "INSTANCE_NAME",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Retrieve the endpoint

By retrieving the internal IP address, which is the Private Service Connect endpoint for an instance, you can use this endpoint toconnect to the instance.

gcloud

To view information about an instance, including the IP address that's the Private Service Connect endpoint for the instance, use thegcloud sql instances describe command:

gcloudsqlinstancesdescribeINSTANCE_NAME\--project=PROJECT_ID\--format='json(settings.ipConfiguration.pscConfig.pscAutoConnections)'

Make the following replacements:

INSTANCE_NAME: the name of the Cloud SQL instance. If this instance hasPrivate Service Connect enabled for it, thenPrivate Service Connect endpoints in VPC networks can connect to it.
PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance.

In the response, note the value that appears next to thepscConfig:pscAutoConnections:ipAddress field. This value is the internal IP address that's also the Private Service Connect endpoint for the instance.

REST

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance.
INSTANCE_NAME: the name of the Cloud SQL instance. If this instance hasPrivate Service Connect enabled for it, thenPrivate Service Connect endpoints in VPC networks can connect to it.

HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#instance",  "state": "RUNNABLE",  "databaseVersion": "POSTGRES_13",  "settings": {    "authorizedGaeApplications": [],    "tier": "db-custom-2-7680",    "kind": "sql#settings",    "availabilityType": "REGIONAL",    "pricingPlan": "PER_USE",    "replicationType": "SYNCHRONOUS",    "activationPolicy": "ALWAYS",    "ipConfiguration": {      "authorizedNetworks": [],      "pscConfig": {        "allowedConsumerProjects": [          "ALLOWED_PROJECTS"        ],      "pscAutoConnections": {        consumerNetwork:"projects/PARENT_PROJECT/global/networks/CONSUMER_NETWORK",        consumerNetworkStatus:"CONSUMER_NETWORK_STATUS",        consumerProject:"CONSUMER_PROJECT",ipAddress:"IP_ADDRESS",status:"STATUS"        },        "pscEnabled": true      },      "ipv4Enabled": false    },}

The following fields exist for instances that have Private Service Connect enabled for them:

allowedConsumerProjects: a list of theallowed projects for the instance. You can create Private Service Connect endpoints from any VPC networks in these projects to theservice attachment of the instance.
pscAutoConnections: the allowed VPC network, the status of the service connection policy, and the status of the IP address that's the endpoint for the instance.
pscEnabled: whether an instance has Private Service Connect enabled for it.

To see how to construct theunderlying REST API request for this task, see theinstances:get page.

Create the endpoint manually

The next few sections explain how to create a Private Service Connect endpoint manually.

Create a Cloud SQL instance

You can create an instance with Private Service Connect enabled for the instance by using gcloud CLI, Terraform, or the API.

Note:You can now create an instance that supportsboth private services access and Private Service Connect. By using Private Service Connect, you can connect to either a primary instance or any of its read replicas from multiple VPC networks. For more information, see Configure both private services access and Private Service Connect.

gcloud

To create an instance with Private Service Connect enabled for the instance, use thegcloud sql instances create command:

gcloudsqlinstancescreateINSTANCE_NAME\--project=PROJECT_ID\--region=REGION_NAME\--enable-private-service-connect\--allowed-psc-projects=ALLOWED_PROJECTS\--availability-type=AVAILABILITY_TYPE\--no-assign-ip\--tier=MACHINE_TYPE\--database-version=DATABASE_VERSION

Make the following replacements:

INSTANCE_NAME: the name of the instance.
PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance.
REGION_NAME: the region name for the instance.
ALLOWED_PROJECTS: a comma-separated list of allowed project IDs or numbers from where Private Service Connect endpoints can connect to Cloud SQL instances.
If a project isn't contained in this list, then you can't createPrivate Service Connect endpoints in the project to connect to the instance.
AVAILABILITY_TYPE: enable high availability for the instance. For this parameter, specify one of the following values:
- REGIONAL: enables high availability and is recommended for production instances. The instance fails over to another zone within your selected region.
- ZONAL: provides no failover capability. This is the default value.
For more information about setting and removing high availability for instances, seeConfigure an existing instance for high availability andDeactivate high availability for an instance.
MACHINE_TYPE: the machine type for the instance.
DATABASE_VERSION: the database version for the instance (for example,POSTGRES_13).

Terraform

To create an instance with Private Service Connect enabled for the instance, use thegoogle_sql_database_instanceTerraform resource.

resource "google_sql_database_instance" "default" {  name             = "postgres-instance"  region           = "us-central1"  database_version = "POSTGRES_14"  settings {    tier              = "db-custom-2-7680"    availability_type = "REGIONAL"    backup_configuration {      enabled = true    }    ip_configuration {      psc_config {        psc_enabled               = true        allowed_consumer_projects = []      }      ipv4_enabled = false    }  }}

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

LaunchCloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
```
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
```
Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (alsocalled aroot module).

InCloud Shell, create a directory and a new file within that directory. The filename must have the.tf extension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.
```
mkdirDIRECTORY && cdDIRECTORY && touch main.tf
```
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly createdmain.tf.
Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
Review and modify the sample parameters to apply to your environment.
Save your changes.
Initialize Terraform. You only need to do this once per directory.
```
terraform init
```
Optionally, to use the latest Google provider version, include the-upgrade option:
```
terraform init -upgrade
```

Apply the changes

Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
```
terraform plan
```
Make corrections to the configuration as necessary.
Apply the Terraform configuration by running the following command and enteringyes at the prompt:
```
terraform apply
```
Wait until Terraform displays the "Apply complete!" message.
Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

Note: Terraform samples typically assume that the required APIs are enabled in your Google Cloud project.

REST

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID or project number of the Google Cloud project that contains the instance.
INSTANCE_NAME: the name of the instance.
REGION_NAME: the region name for the instance.
AVAILABILITY_TYPE: enables high availability for the instance. For this parameter, specify one of the following values:
- REGIONAL: enables high availability and is recommended for production instances. The instance fails over to another zone within your selected region.
- ZONAL: provides no failover capability. This is the default value.
For more information about setting and removing high availability for instances, seeConfigure an existing instance for high availability andDeactivate high availability for an instance.
ALLOWED_PROJECTS: a comma-separated list of allowed project IDs or numbers from where Private Service Connect endpoints can connect to Cloud SQL instances.
If a project isn't contained in this list, then you can't createPrivate Service Connect endpoints in the project to connect to the instance.
MACHINE_TYPE: the machine type for the instance.

HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances

Request JSON body:

{  "name": "INSTANCE_NAME",  "project":PROJECT_ID",  "region": "REGION_NAME",  "databaseVersion": "POSTGRES_13",  "kind": "sql#instance",  "settings": {    "availabilityType": "AVAILABILITY_TYPE",    "ipConfiguration": {      "ipv4Enabled": false,      "pscConfig": {        "allowedConsumerProjects": [          "ALLOWED_PROJECTS"        ],        "pscEnabled": true      }    },    "kind": "sql#settings",    "pricingPlan": "PER_USE",    "replicationType": "SYNCHRONOUS",    "tier": "MACHINE_TYPE"  }}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances"

PowerShell (Windows)

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME",  "status": "RUNNING",  "user": "user@example.com",  "insertTime": "2020-01-16T02:32:12.281Z",  "startTime": "2023-06-14T18:48:35.499Z",  "operationType": "CREATE",  "name": "OPERATION_ID",  "targetId": "INSTANCE_NAME",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Get the service attachment

After creating a Cloud SQL instance with Private Service Connect enabled, get the service attachment URI and use it to create the Private Service Connect endpoint.

gcloud

To view summary information about an instance with Private Service Connect enabled, such as thepscServiceAttachmentLink field which displays the URI that points to the service attachment of the instance, use thegcloud sql instances describe command:

gcloudsqlinstancesdescribeINSTANCE_NAME\--project=PROJECT_ID

Note:The service attachment URI is used to create the Private Service Connect endpoint.

Make the following replacements:

INSTANCE_NAME: the name of the Cloud SQL instance to which Private Service Connect endpoints in VPC networks can connect
PROJECT_ID: the ID or project number of the Google Cloud project that contains the instance

The following example shows a sample output for this command:

gcloudsqlinstancesdescribemyinstance\--project=12345...pscServiceAttachmentLink:projects/45678/regions/myregion/serviceAttachments/myserviceattachment

Terraform

To get the service attachment URI, use thegoogle_compute_addressTerraform resource.

resource "google_compute_address" "default" {  name         = "psc-compute-address"  region       = "us-central1"  address_type = "INTERNAL"  subnetwork   = "default"     # Replace value with the name of the subnet here.  address      = "10.128.0.42" # Replace value with the IP address to reserve.}data "google_sql_database_instance" "default" {  name = resource.google_sql_database_instance.default.name}resource "google_compute_forwarding_rule" "default" {  name                    = "psc-forwarding-rule-${google_sql_database_instance.default.name}"  region                  = "us-central1"  network                 = "default"  ip_address              = google_compute_address.default.self_link  load_balancing_scheme   = ""  target                  = data.google_sql_database_instance.default.psc_service_attachment_link  allow_psc_global_access = true}

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

LaunchCloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
```
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
```
Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (alsocalled aroot module).

InCloud Shell, create a directory and a new file within that directory. The filename must have the.tf extension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.
```
mkdirDIRECTORY && cdDIRECTORY && touch main.tf
```
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly createdmain.tf.
Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
Review and modify the sample parameters to apply to your environment.
Save your changes.
Initialize Terraform. You only need to do this once per directory.
```
terraform init
```
Optionally, to use the latest Google provider version, include the-upgrade option:
```
terraform init -upgrade
```

Apply the changes

Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
```
terraform plan
```
Make corrections to the configuration as necessary.
Apply the Terraform configuration by running the following command and enteringyes at the prompt:
```
terraform apply
```
Wait until Terraform displays the "Apply complete!" message.
Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

Note: Terraform samples typically assume that the required APIs are enabled in your Google Cloud project.

REST

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID or project number of the Google Cloud project that contains the instance
INSTANCE_NAME: the name of the instance

HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  ...  pscServiceAttachmentLink: "projects/PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME"}

ThepscServiceAttachmentLink field displays the URI that points to the service attachment of the instance.

Create a Private Service Connect endpoint

You can reserve an internal IP address for the Private Service Connect endpoint andcreate an endpoint with that address. To create the endpoint, you need theservice attachment URI and the projects that are allowed for the instance.

gcloud

To reserve an internal IP address for the Private Service Connect endpoint, use the
gcloud compute addresses create command:
```
gcloudcomputeaddressescreateADDRESS_NAME\--project=PROJECT_ID\--region=REGION_NAME\--subnet=SUBNET_URI\--addresses=INTERNAL_IP_ADDRESS
```
Make the following replacements:
- ADDRESS_NAME: the name of the internal IP address.
- PROJECT_ID: the ID orproject number of the Google Cloud project for the endpoint.
- REGION_NAME: the region name for the endpoint.
- SUBNET_URI: the subnet name for the IP address. The format is:projects/SUBNET_PROJECT_ID/regions/REGION_NAME/subnetworks/SUBNET_NAME. If the subnet is in a Shared VPC network, then we recommend that theSUBNET_PROJECT_ID is the host project.
- INTERNAL_IP_ADDRESS: the IP address to reserve. This IP address must be within the subnet's primary IP range. The IP address can be anRFC 1918 address or a subnet with non-RFC ranges. If you don't want to specify the IP address because you want Google Cloud to reserve an available IP address in the subnet, then omit this flag.
To verify that the IP address is reserved, use thegcloud compute addresses list command:
```
gcloudcomputeaddresseslistADDRESS_NAME\--project=PROJECT_ID
```
In the response, verify that aRESERVED status appears for the IP address.
To create the Private Service Connect endpoint and point it to the Cloud SQL service attachment, use thegcloud compute forwarding-rules create command:
```
gcloudcomputeforwarding-rulescreateENDPOINT_NAME\--address=ADDRESS_NAME\--project=PROJECT_ID\--region=REGION_NAME\--network=NETWORK_URI\--target-service-attachment=SERVICE_ATTACHMENT_URI\--allow-psc-global-access
```
Make the following replacements:
- ENDPOINT_NAME: the name of the endpoint
- NETWORK_URI: the URI of the VPC network for the endpoint. The format is:projects/NETWORK_PROJECT_ID/global/networks/NETWORK_NAME. If you want to use a Shared VPC network, then specify the host project as theNETWORK_PROJECT_ID.
- SERVICE_ATTACHMENT_URI: the URI of the service attachment
By using the optional--allow-psc-global-access parameter, clients from all regions can access this forwarding rule.
To verify that the service attachment accepts the endpoint, use the
gcloud compute forwarding-rules describe command:
```
gcloudcomputeforwarding-rulesdescribeENDPOINT_NAME\--project=PROJECT_ID\--region=REGION_NAME
```
In the response, verify that anACCEPTED status appears for thepscConnectionStatus field. The endpoint can connect to the service attachment.

Terraform

To create a Private Service Connect endpoint, use thegoogle_sql_database_instanceTerraform resource.

resource "google_compute_address" "default" {  name         = "psc-compute-address"  region       = "us-central1"  address_type = "INTERNAL"  subnetwork   = "default"     # Replace value with the name of the subnet here.  address      = "10.128.0.42" # Replace value with the IP address to reserve.}data "google_sql_database_instance" "default" {  name = resource.google_sql_database_instance.default.name}resource "google_compute_forwarding_rule" "default" {  name                    = "psc-forwarding-rule-${google_sql_database_instance.default.name}"  region                  = "us-central1"  network                 = "default"  ip_address              = google_compute_address.default.self_link  load_balancing_scheme   = ""  target                  = data.google_sql_database_instance.default.psc_service_attachment_link  allow_psc_global_access = true}

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

LaunchCloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
```
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
```
Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (alsocalled aroot module).

InCloud Shell, create a directory and a new file within that directory. The filename must have the.tf extension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.
```
mkdirDIRECTORY && cdDIRECTORY && touch main.tf
```
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly createdmain.tf.
Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
Review and modify the sample parameters to apply to your environment.
Save your changes.
Initialize Terraform. You only need to do this once per directory.
```
terraform init
```
Optionally, to use the latest Google provider version, include the-upgrade option:
```
terraform init -upgrade
```

Apply the changes

Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
```
terraform plan
```
Make corrections to the configuration as necessary.
Apply the Terraform configuration by running the following command and enteringyes at the prompt:
```
terraform apply
```
Wait until Terraform displays the "Apply complete!" message.
Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

Note: Terraform samples typically assume that the required APIs are enabled in your Google Cloud project.

REST

Reserve an internal IP address for the Private Service Connect endpoint.
Note:You can't use the API to reserve an internal IP address for the endpoint. To reserve this address, use the gcloud compute addresses create command.
Verify that the IP address is reserved.
Before using any of the request data, make the following replacements:
- PROJECT_ID: the ID orproject number of the Google Cloud project that contains the Private Service Connect endpoint
- REGION_NAME: the name of the region
- ADDRESS_NAME: the name of the IP address
HTTP method and URL:
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/addresses/ADDRESS_NAME
```
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.
Execute the following command:
```
curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/addresses/ADDRESS_NAME"
```
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.
Execute the following command:
```
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/addresses/ADDRESS_NAME" | Select-Object -Expand Content
```
You should receive a JSON response similar to the following:
```
{  "kind": "compute#address",  "id": "ADDRESS_ID",  "creationTimestamp": "2024-05-09T11:20:50.114-07:00",  "name": "ADDRESS_NAME",  "description": "This is the name of the internal IP address.",  "address": "IP_ADDRESS","status": "RESERVED",  "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME",  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/addresses/ADDRESS_NAME",  "networkTier": "PREMIUM",  "labelFingerprint": "LABEL_FINGERPRINT_ID",  "addressType": "EXTERNAL"}
```
In the response, verify that aRESERVED status appears for the IP address.
Create the Private Service Connect endpoint and point it to the Cloud SQL service attachment.
Note:You can't use the API to create the Private Service Connect endpoint. To create this endpoint, use the gcloud compute forwarding-rules create command.

Verify that the service attachment accepts the endpoint.

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID orproject number of the Google Cloud project that contains the Private Service Connect endpoint
REGION_NAME: the name of the region
ENDPOINT_NAME: the name of the endpoint

HTTP method and URL:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules/ENDPOINT_NAME

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules/ENDPOINT_NAME"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules/ENDPOINT_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "compute#forwardingRule",  "id": "ENDPOINT_ID",  "creationTimestamp": "2024-05-09T12:03:21.383-07:00",  "name": "ENDPOINT_NAME",  "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME",  "IPAddress": "IP_ADDRESS",  "target": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME",  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules/ENDPOINT_NAME",  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default",  "serviceDirectoryRegistrations": [    {      "namespace": "goog-psc-default"    }  ],  "networkTier": "PREMIUM",  "labelFingerprint": "LABEL_FINGERPRINT_ID",  "fingerprint": "FINGERPRINT_ID",  "pscConnectionId": "CONNECTION_ID","pscConnectionStatus": "ACCEPTED",  "allowPscGlobalAccess": true}

In the response, verify that anACCEPTED status appears for thepscConnectionStatus field. The endpoint can connect to the service attachment.

Connect to a Cloud SQL instance

You can connect to a Cloud SQL instance with Private Service Connect enabled by using an internal IP address, a DNS record, the Cloud SQL Auth Proxy, the Cloud SQL Language Connectors, or other Google Cloud applications.

Configure a DNS managed zone and a DNS record

Cloud SQL doesn't create DNS records automatically. Instead, the instance lookup API response provides a suggested DNS name. We recommend that you create the DNS record in aprivate DNS zone in the corresponding VPC network. This provides a consistent way of using the Cloud SQL Auth Proxy to connect from different networks.

Important:If you're using the Cloud SQL Auth Proxy or theCloud SQL Language Connectors, then set up aDNS record which matches the recommended DNS name provided for the instance. For more information, seeConnect using the Cloud SQL Auth Proxy.

For more information about best practices for private DNS zones, including how to allow on-premises hosts to query DNS records that are hosted in these zones, seeBest practices for Cloud DNS private zones.

gcloud

To view summary information about a Cloud SQL instance, including the DNS name of the instance, use thegcloud sql instances describe command:
```
gcloudsqlinstancesdescribeINSTANCE_NAME\--project=PROJECT_ID
```
Make the following replacements:
- INSTANCE_NAME: the name of the Cloud SQL instance
- PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance
In the response, verify that the DNS name appears. This name has the following pattern:INSTANCE_UID.PROJECT_DNS_LABEL.REGION_NAME.sql.goog.. For example:1a23b4cd5e67.1a2b345c6d27.us-central1.sql.goog..
Note: DNS names always end with a period (.).
If you want to use a custom DNS name to connect to a Cloud SQL instance instead of using the predefined DNS name in this section, then configure the custom subject alternative name (SAN) setting while creating the instance. The custom DNS name that you insert into the custom SAN setting is added to the SAN field of the server certificate of the instance. This lets you use the custom DNS name with hostname validation securely.
For more information about configuring the custom SAN setting, see Create instances.
To create a private DNS zone, use thegcloud dns managed-zones create command. This zone is associated with the VPC network that's used to connect to the Cloud SQL instance through the Private Service Connect endpoint.
Note: For each VPC network, create a DNS zone.
```
gclouddnsmanaged-zonescreateZONE_NAME\--project=PROJECT_ID\--description="DESCRIPTION"\--dns-name=DNS_NAME\--networks=NETWORK_NAME\--visibility=private
```
Make the following replacements:
- PROJECT_ID: the ID or project number of the Google Cloud project that contains the zone
- DESCRIPTION: a description of the zone (for example, a DNS zone for the Cloud SQL instance)
- DNS_NAME: the name of the DNS suffix for the zone, such asREGION_NAME.sql.goog. (whereREGION_NAME is the region name for the zone)
- NETWORK_NAME: the name of the VPC network
After youcreate the Private Service Connect endpoint, to create a DNS record in the zone, use thegcloud dns record-sets create command:
```
gclouddnsrecord-setscreateDNS_RECORD\--project=PROJECT_ID\--type=RRSET_TYPE\--rrdatas=RR_DATA\--zone=ZONE_NAME
```
Make the following replacements:
- DNS_RECORD: the name of the DNS record. This record is set to the DNS name that you retrieved from the Cloud SQL instance earlier in this procedure (for example,1a23b4cd5e67.1a2b345c6d27.us-central1.sql.goog.).
- RRSET_TYPE: the resource record type of the DNS record set (for example,A).
- RR_DATA: the IP address allocated for the Private Service Connect endpoint (for example,198.51.100.5). You can also enter multiple values such asrrdata1 rrdata2 rrdata3 (for example,10.1.2.3 10.2.3.4 10.3.4.5).

REST

Get the DNS name of a Cloud SQL instance.

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance
INSTANCE_NAME: the name of the instance

HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  ...  "dnsName": "INSTANCE_ID.PROJECT_DNS_LABEL.REGION_NAME.sql.goog."}

ThednsName field displays the DNS name of the Cloud SQL instance. DNS names always end with a period (.).

Create a private DNS zone. This zone is associated with the VPC network that's used to connect to the Cloud SQL instance through the Private Service Connect endpoint.

Note: For each VPC network, create a DNS zone.

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID or project number of the Google Cloud project that contains the DNS zone
ZONE_NAME: the name of the zone
DESCRIPTION: a description of the zone (for example, a DNS zone for the Cloud SQL instance)
DNS_NAME: the name of the DNS suffix for the zone, such asREGION_NAME.sql.goog. (whereREGION_NAME is the region name for the zone)
NETWORK_NAME: the name of the VPC network

HTTP method and URL:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones

Request JSON body:

{  "name": "ZONE_NAME",  "description": "DESCRIPTION",  "dnsName": "DNS_NAME",  "visibility": "private",  "privateVisibilityConfig": {    "kind": "dns#managedZonePrivateVisibilityConfig",    "networks": [      {        "kind": "dns#managedZonePrivateVisibilityConfigNetwork",        "networkUrl": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME"      }    ]  }}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones"

PowerShell (Windows)

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "name": "ZONE_NAME",  "dnsName": "DNS_NAME",  "description": "DESCRIPTION",  "id": "ID",  "nameServers": [    "ns-gcp-private.googledomains.com."  ],  "creationTime": "2024-05-10T17:05:34.607Z",  "visibility": "private",  "privateVisibilityConfig": {    "networks": [      {        "networkUrl": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME",        "kind": "dns#managedZonePrivateVisibilityConfigNetwork"      }    ],    "gkeClusters": [],    "kind": "dns#managedZonePrivateVisibilityConfig"  },  "cloudLoggingConfig": {    "kind": "dns#managedZoneCloudLoggingConfig"  },  "kind": "dns#managedZone"}

After youcreate the Private Service Connect endpoint, create a DNS record in the zone.

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID orproject number of the Google Cloud project that contains the DNS zone.
ZONE_NAME: the name of the zone.
DNS_RECORD: the name of the DNS record. This record is set to the DNS name that you retrieved from the Cloud SQL instance earlier in this procedure (for example,1a23b4cd5e67.1a2b345c6d27.us-central1.sql.goog.).
RRSET_TYPE: the type of the record set (for example,A).
TTL: the time to live (TTL) for the record set in the number of seconds (for example,300).
RR_DATA: the IP address allocated for the Private Service Connect endpoint (for example,198.51.100.5). You can also enter multiple values such asrrdata1 rrdata2 rrdata3 (for example,10.1.2.3 10.2.3.4 10.3.4.5).

HTTP method and URL:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/ZONE_NAME

Request JSON body:

{  "deletions": []  "additions": [    {      "name": "DNS_RECORD",      "type": "RRSET_TYPE",      "ttl":TTL,      "rrdatas": [        "RR_DATA"      ]    }  ]}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/ZONE_NAME"

PowerShell (Windows)

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/ZONE_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "additions": [    {      "name": "DNS_RECORD",      "type": "RRSET_TYPE",      "ttl":TTL,      "rrdatas": [        "RR_DATA"      ],      "signatureRrdatas": [],      "kind": "dns#resourceRecordSet"    }  ],  "deletions": [],  "startTime": "2024-05-10T17:29:44.375Z",  "id": "CHANGE_ID",  "status": "pending",  "kind": "dns#change"}

Note:If you're using this DNS record to

connect to the Cloud SQL instance

CHANGE_ID

Connect directly using a DNS record

Before connecting to a Cloud SQL instance using a DNS record, do the following:

Create a Private Service Connect endpoint.
Confirm that the service attachment of the instance accepts the endpoint. To verify that the status of the endpoint isACCEPTED,check the status.
Configure a DNS managed zone and a DNS record.

After you meet these conditions, use the DNS record to connect to the instance from any VPC network where you created the endpoint.

psql"sslmode=disable dbname=DATABASE_NAME user=USERNAME host=DNS_RECORD"

Make the following replacements:

DATABASE_NAME: the name of the Cloud SQL for PostgreSQL database that's contained within the instance
USERNAME: the name of the user that's connecting to the instance
DNS_RECORD: the endpoint's DNS record

Connect directly through an internal IP address

Before connecting to a Cloud SQL instance with Private Service Connect enabled, do the following:

Create a Private Service Connect endpoint.
Confirm that the service attachment of the instance accepts the endpoint. To verify that the status of the endpoint isACCEPTED,check the status.

After you meet these conditions, use the endpoint's IP address to access the instance from any VPC network where you created the endpoint.

Retrieve the internal IP address of the Private Service Connectendpoint using the name of the endpoint's IP address.
Note:You can use the commands in this section toretrieve the internal IP addresses of all endpoints that are created bothmanaully and automatically. To retrieve the internal IP addresses ofendpoints that are created automatically, seeRetrieve the endpoint.
gcloud
To retrieve the IP address, use thegcloud compute addresses describe command:
```
gcloudcomputeaddressesdescribeADDRESS_NAME\--project=PROJECT_ID\--region=REGION_NAME
```
Make the following replacements:
- ADDRESS_NAME: the name of the endpoint's IP address
- PROJECT_ID: the ID orproject number of the Google Cloud project that contains the endpoint
- REGION_NAME: the region name for the endpoint
In the response, verify that an IP address appears for theaddress field. This is the internal IP address.
REST
Before using any of the request data, make the following replacements:
- PROJECT_ID: the ID orproject number of the Google Cloud project that contains the endpoint
- REGION_NAME: the region name for the endpoint
- ADDRESS_NAME: the name of the endpoint's IP address
HTTP method and URL:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/addresses/ADDRESS_NAME
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/addresses/ADDRESS_NAME"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/addresses/ADDRESS_NAME" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "kind": "compute#address", "id": "ADDRESS_ID", "creationTimestamp": "2024-05-09T11:20:50.114-07:00", "name": "ADDRESS_NAME", "description": "This is the name of the internal IP address.","address": "IP_ADDRESS", "status": "RESERVED", "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME", "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/addresses/ADDRESS_NAME", "networkTier": "PREMIUM", "labelFingerprint": "LABEL_FINGERPRINT_ID", "addressType": "EXTERNAL"}
The internal IP address is the value that's associated with theaddress field.

Alternatively, retrieve the internal IP address of the Private Service Connectendpoint using the service attachment of the Cloud SQL instance.

gcloud

To retrieve the IP address, use thegcloud compute forwarding-rules list command:

gcloudcomputeforwarding-ruleslist\--filter="TARGET:REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME"\--project=PROJECT_ID

Make the following replacements:

REGION_NAME: the region name for the endpoint
PROJECT_ID: the ID orproject number of the Google Cloud project that contains the endpoint
SERVICE_ATTACHMENT_NAME: the name of the service attachment for the Cloud SQL instance

In the response, verify that an IP address appears. This is the internal IP address.

The following is a sample response:

`NAME`	`REGION`	`IP_ADDRESS`	`TARGET`
`myInstance`	`us-central1`	`10.10.10.10`	`us-central1/serviceAttachments/a-123456789e0a-psc-service-attachment-abc123d4e5f67gh8`

REST

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID orproject number of the Google Cloud project that contains the endpoint
REGION_NAME: the region name for the endpoint
SERVICE_ATTACHMENT_PROJECT_ID: the ID or project number of the Google Cloud project that contains the service attachment
SERVICE_ATTACHMENT_NAME: the name of the service attachment for the Cloud SQL instance

HTTP method and URL:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules?target="https://www.googleapis.com/compute/v1/projects/SERVICE_ATTACHMENT_PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME"

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules?target="https://www.googleapis.com/compute/v1/projects/SERVICE_ATTACHMENT_PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME""

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules?target="https://www.googleapis.com/compute/v1/projects/SERVICE_ATTACHMENT_PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME"" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "compute#forwardingRuleList",  "id": "projects/PROJECT_ID/regions/REGION_NAME/forwardingRules",  "items": [    {      "kind": "compute#forwardingRule",      "id": "FORWARDING_RULE_ID",      "creationTimestamp": "2023-10-31T13:04:37.168-07:00",      "name": "FORWARDING_RULE_NAME",      "region": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME","IPAddress": "IP_ADDRESS",      "target": "https://www.googleapis.com/compute/v1/projects/SERVICE_ATTACHMENT_PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME",      "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules/FORWARDING_RULE_NAME",      "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME",      "serviceDirectoryRegistrations": [        {          "namespace": "goog-psc-default"        }      ],      "networkTier": "PREMIUM",      "labelFingerprint": "LABEL_FINGERPRINT_ID",      "fingerprint": "FINGERPRINT_ID",      "pscConnectionId": "PSC_CONNECTION_ID",      "pscConnectionStatus": "CLOSED",      "allowPscGlobalAccess": true    }  ],  "selfLink": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/forwardingRules"}

The internal IP address is the value that's associated with theIPAddress field.

To connect to the Cloud SQL instance, use the internal IP address.
```
psql"sslmode=disable dbname=DATABASE_NAME user=USERNAME hostaddr=IP_ADDRESS"
```
Make the following replacements:
- DATABASE_NAME: the name of the Cloud SQL for PostgreSQL database that's contained within the instance
- USERNAME: the name of the user that's connecting to the instance
- IP_ADDRESS: the endpoint's IP address

Connect using the Cloud SQL Auth Proxy

TheCloud SQL Auth Proxy is a connector that provides secure access to an instance with Private Service Connect enabled without a need for authorized networks or for configuring SSL.

To allow Cloud SQL Auth Proxy client connections, set up aDNS record which matches the recommendedDNS name that's provided for the instance. The DNS record is a mapping between a DNS resource and a domain name.

If you're connecting through Private Service Connect, then Cloud SQL Auth Proxyversionv2.5.0or later is required.

Download and install the Cloud SQL Auth Proxy

To connect to instances with Private Service Connect enabled, you mustdownload and install the binary for the Cloud SQL Auth Proxy. The binary that you download depends on the operating system, and whether it uses a 32-bit or 64-bit kernel. Most newer hardware uses a 64-bit kernel.

If you're unsure whether your machine is running a 32-bit or 64-bit kernel, then use theuname -a command for Linux or macOS. For Windows, see theWindows documentation.

Start the Cloud SQL Auth Proxy

The Cloud SQL Auth Proxy supports connections to instances with Private Service Connect enabled. For more information, seeStart the Cloud SQL Auth Proxy.

View summary information about a Cloud SQL instance, including the connection name of the instance.
gcloud
To view summary information about a Cloud SQL instance, use the
gcloud sql instances describe command.
```
gcloudsqlinstancesdescribeINSTANCE_NAME\--project=PROJECT_ID\--format='value(connectionName)'
```
Make the following replacements:
- INSTANCE_NAME: the name of the Cloud SQL instance
- PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance
The connection name is in the format ofPROJECT_ID:REGION_NAME:INSTANCE_NAME.
REST
Before using any of the request data, make the following replacements:
- PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance
- INSTANCE_NAME: the name of the instance
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ ... "connectionName": "PROJECT_ID:REGION_NAME:INSTANCE_NAME"}
The connection name is in the format ofPROJECT_ID:REGION_NAME:INSTANCE_NAME.
Copy the instance connection name.
Launch the Cloud SQL Auth Proxy:
```
./cloud-sql-proxyINSTANCE_CONNECTION_NAME--psc
```
ReplaceINSTANCE_CONNECTION_NAME with the instance connection name that you copied in the previous step.
Note: Use thepsc flag to start the Cloud SQL Auth Proxy to connect to instances with Private Service Connect enabled.

Connect using the Cloud SQL Language Connectors

The Cloud SQL Language Connectors arelibraries that provide secure access to a Cloud SQL instance withPrivate Service Connect enabled without a need for authorized networksor for configuring SSL.

To allow connections with Cloud SQL Language Connectors, set up aDNS recordwhich matches the recommendedDNS name that's provided for theinstance. The DNS record is a mapping between a DNS resource and a domain name.

The Cloud SQL Language Connectors support Private Service Connect connectionsthrough thePSC IP type within their respective libraries.

Connect from App Engine Standard, Cloud Run, or Cloud Run functions

To connect to Cloud SQL instances with Private Service Connect enabled, you can useApp Engine Standard orCloud Run.

In these supported serverless environments, both theCloud SQL Language Connectors and direct TCP connections by using an IP address and port number are supported. For direct TCP connections, this is the IP address that you reserve when youcreate the Private Service Connect endpoint. You can specify the IP address as the address for the database host.

If youcreate a DNS record for the endpoint, then you can specify this record for the host.

Connect from BigQuery

To access data in Cloud SQL and make queries against thisdata over an internal IP connection, use the
--enable-google-private-path parameter . This parameter is valid only if:

You use the--no-assign-ip parameter.
You use the--network parameter to specify the name of theVPC network that you want to use to create an internal connection.

Test connectivity

To test inbound connectivity to a Cloud SQL instance with Private Service Connect enabled, set the IP address of the Private Service Connect endpoint to be the destination IP address.

gcloud

To create a connectivity test for a Cloud SQL instance with Private Service Connect enabled, use thegcloud network-management connectivity-tests create command:

gcloudnetwork-managementconnectivity-testscreateCONNECTIVITY_TEST_NAME\--source-instance=SOURCE_INSTANCE\--destination-cloud-sql-instance=DESTINATION_CLOUD_SQL_INSTANCE\--destination-network=DESTINATION_NETWORK\--destination-port=DESTINATION_PORT\--protocol=tcp

Make the following replacements:

CONNECTIVITY_TEST_NAME: the name of the connectivity test.
SOURCE_INSTANCE: the URI for the Compute Engine instance where the source IP address is located (for example,projects/myproject/zones/myzone/instances/myinstance).
DESTINATION_CLOUD_SQL_INSTANCE: the URL for the Cloud SQL instance (for example,projects/myproject/instances/myinstance).
DESTINATION_NETWORK: the URI for the VPC network where the destination IP address is located (for example,projects/myproject/global/networks/mynetwork).
DESTINATION_PORT: the port number reserved for the instance. For Cloud SQL for PostgreSQL instances, the port number is5432.

REST

Before using any of the request data, make the following replacements:

PROJECT_ID: the ID orproject number of the Google Cloud project that contains the instance.
CONNECTIVITY_TEST_NAME: the name of the connectivity test.
SOURCE_IP_ADDRESS: the IP address of the source Compute Engine instance.
SOURCE_INSTANCE: the URI for the Compute Engine instance where the source IP address is located (for example,projects/myproject/zones/myzone/instances/myinstance).
SOURCE_NETWORK: the URI for the VPC network where the source IP address is located (for example,projects/myproject/global/networks/mynetwork).
DESTINATION_IP_ADDRESS: the IP address of the destination Cloud SQL instance.
DESTINATION_PORT: the port number reserved for the instance. For Cloud SQL for PostgreSQL instances, the port number is5432.
DESTINATION_NETWORK: the URI for the VPC network where the destination IP address is located (for example,projects/myproject/global/networks/mynetwork).

HTTP method and URL:

POST https://networkmanagement.googleapis.com/v1beta/projects/PROJECT_ID/locations/global/connectivityTests?testId=CONNECTIVITY_TEST_NAME

Request JSON body:

{  "source": {    "ipAddress": "SOURCE_IP_ADDRESS",    "instance": "SOURCE_INSTANCE",    "network": "SOURCE_NETWORK"  },  "destination": {    "ipAddress": "DESTINATION_IP_ADDRESS",    "port":DESTINATION_PORT,    "network": "DESTINATION_NETWORK",    "projectId": "PROJECT_ID"  },  "protocol": "TCP"}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://networkmanagement.googleapis.com/v1beta/projects/PROJECT_ID/locations/global/connectivityTests?testId=CONNECTIVITY_TEST_NAME"

PowerShell (Windows)

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://networkmanagement.googleapis.com/v1beta/projects/PROJECT_ID/locations/global/connectivityTests?testId=CONNECTIVITY_TEST_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "name": "projects/PROJECT_ID/locations/global/operations/operation-OPERATION_ID",  "metadata": {    "@type": "type.googleapis.com/google.cloud.networkmanagement.v1.OperationMetadata",    "createTime": "2024-05-23T16:43:49.313981473Z",    "target": "projects/PROJECT_ID/locations/global/connectivityTests/CONNECTIVITY_TEST_NAME",    "verb": "create",    "cancelRequested": false,    "apiVersion": "v1"  },  "done": false}

Note:In addition to testing connectivity, you can restrict connectivity to Private Service Connect endpoints from service consumers in a VPC network. To do this, use the gcloud compute firewall-rules create command to create a network egress firewall rule. This rule applies to the IP address of an endpoint. For the rule, define the source to be all VMs in the VPC network and specify a tag or service account.

Limitations

You can set up to 20 Private Service Connect endpoints that connect to the service attachment of a Cloud SQL instance with Private Service Connect enabled.
You can have up to64,512 concurrent connections with Private Service Connect to a Cloud SQL instance.
The followingflags are invalidated or impacted:
- --no-assign-ip: use this flag because instances with Private Service Connect enabled aren't supported to use other connectivity types such as external IP connections
- --authorized-networks: you can't use this flag to addauthorized networks
- --network: you can't use this flag because it's associated withprivate services access
- --allocated-ip-range-name: you can't use this flag because allowed IP range names aren't supported
You can't create anexternal replica of an instance with Private Service Connect enabled.
You can't configure an instance that has Private Service Connect enabled to use private services access or external IP connections.
- You can't enable external IP connections on an instance with Private Service Connect enabled.
- You can't enable private services access or add authorized networks to the instance.
- You can't change theconnectivity type of the instance.
You can't use thegcloud sql connect command, Cloud Shell, Cloud Build, or Datastream to connect to Cloud SQL instances with Private Service Connect enabled.
If you performhomogeneous migrations to Cloud SQL, then you can't use Database Migration Service to connect to Cloud SQL instances with Private Service Connect enabled.
Whentesting connectivity to a Cloud SQL instance with Private Service Connect enabled, you can't set the following items:
- The instance's internal IP address or DNS name as the destination directly
- The instance as the source
- The IP address of the Private Service Connect endpoint as the source
IP-based allowlisting by using authorized networks isn't supported.
Thepglogical,pl/proxy,dblink, andpostgres_fdwextensions aren't supported.
Client IP-based control, logging, and metrics aren't supported for Query and System insights. However, VPN and Interconnect are supported.
If your network project contains instances that use the oldCloud SQL network architecture, then you can't create aPrivate Service Connect instance. Cloud SQL provides toolsto help you upgrade your instances from the old network architecture to thenew network architecture. For more information or to check the networkarchitecture of the Cloud SQL instances in your project and performany necessary upgrades, seeUpgrade an instance to the new network architecture.

Troubleshoot

This section contains information about issues associated with Cloud SQL instances with Private Service Connect enabled along with steps for troubleshooting the issues.

Issue	Troubleshooting
The service attachment of the instance doesn't accept the Private Service Connect endpoint.	Check the endpoint's status. gcloud To check the status, use the `gcloud compute forwarding-rules describe` command. gcloudcomputeforwarding-rulesdescribe`ENDPOINT_NAME`\--project=`PROJECT_ID`\--region=`REGION_NAME`\\|greppscConnectionStatus Make the following replacements: `ENDPOINT_NAME`: the name of the endpoint `PROJECT_ID`: the ID orproject number of the Google Cloud project that contains the endpoint `REGION_NAME`: the region name for the endpoint REST Before using any of the request data, make the following replacements: `PROJECT_ID`: the ID orproject number of the Google Cloud project that contains the Private Service Connect endpoint `REGION_NAME`: the name of the region `ENDPOINT_NAME`: the name of the endpoint HTTP method and URL: GET https://compute.googleapis.com/compute/v1/projects/`PROJECT_ID`/regions/`REGION_NAME`/forwardingRules/`ENDPOINT_NAME` To send your request, expand one of these options: curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to the`gcloud` CLI with your user account by running `gcloud init` or`gcloud auth login` , or by usingCloud Shell, which automatically logs you into the`gcloud` CLI . You can check the currently active account by running`gcloud auth list`. Execute the following command: curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://compute.googleapis.com/compute/v1/projects/`PROJECT_ID`/regions/`REGION_NAME`/forwardingRules/`ENDPOINT_NAME`" PowerShell (Windows) Note: The following command assumes that you have logged in to the`gcloud` CLI with your user account by running `gcloud init` or`gcloud auth login` . You can check the currently active account by running`gcloud auth list`. Execute the following command: $cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://compute.googleapis.com/compute/v1/projects/`PROJECT_ID`/regions/`REGION_NAME`/forwardingRules/`ENDPOINT_NAME`" \| Select-Object -Expand Content You should receive a JSON response similar to the following: { "kind": "compute#forwardingRule", "id": "`ENDPOINT_ID`", "creationTimestamp": "2024-05-09T12:03:21.383-07:00", "name": "`ENDPOINT_NAME`", "region": "https://www.googleapis.com/compute/v1/projects/`PROJECT_ID`/regions/`REGION_NAME`", "IPAddress": "`IP_ADDRESS`", "target": "https://www.googleapis.com/compute/v1/projects/`PROJECT_ID`/regions/`REGION_NAME`/serviceAttachments/`SERVICE_ATTACHMENT_NAME`", "selfLink": "https://www.googleapis.com/compute/v1/projects/`PROJECT_ID`/regions/`REGION_NAME`/forwardingRules/`ENDPOINT_NAME`", "network": "https://www.googleapis.com/compute/v1/projects/`PROJECT_ID`/global/networks/default", "serviceDirectoryRegistrations": [ { "namespace": "goog-psc-default" } ], "networkTier": "PREMIUM", "labelFingerprint": "`LABEL_FINGERPRINT_ID`", "fingerprint": "`FINGERPRINT_ID`", "pscConnectionId": "`CONNECTION_ID`","pscConnectionStatus": "ACCEPTED", "allowPscGlobalAccess": true} Verify that the status of the endpoint is`ACCEPTED`. If the status is`PENDING`, then the instance isn't allowing the Google Cloud project that contains the endpoint. Make sure that the network project in which the endpoint is created is allowed. For more information, seeEdit an instance with Private Service Connect enabled.
`ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch resource: The resource 'projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME' was not found`	This error message can occur when reserving a static internal IP address for the Private Service Connect endpoint. Make sure the subnet specified exists in the project specified by the URI. If you want to create an endpoint in a service project but use a subnet from a Shared VPC network, you need to specify the subnet by its URI and use the host project's project ID in the URI. For more information, seeCreate the endpoint manually.
`ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch resource: - The resource 'projects/PROJECT_ID/global/networks/NETWORK_NAME' was not found`	This error message can occur when you create a Private Service Connect endpoint manually. Make sure the network specified exists in the project specified by the URI. If you want to create an endpoint in a service project but use a Shared VPC network, you need to specify the network by its URI and use the host project's project ID in the URI. For more information, seeCreate the endpoint manually.

What's next

Learn more aboutprivate IP.
Learn more aboutPrivate Service Connect.
Learn more aboutcreating a read replica of an instance with Private Service Connect enabled.
Learn more aboutcloning an instance with Private Service Connect enabled.
Learn more aboutviewing summary information about instances with Private Service Connect enabled.
Learn more aboutsetting andremoving high availability for an instance with Private Service Connect enabled.
Learn more aboutediting anddeleting an instance with Private Service Connect enabled.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-16 UTC.

Movatterモバイル変換

Connect to an instance using Private Service Connect Stay organized with collections Save and categorize content based on your preferences.

Before you begin

User roles

Create a Private Service Connect endpoint

Create the endpoint automatically

Create a service connection policy

Console

gcloud

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Create a Cloud SQL instance

gcloud

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Retrieve the endpoint

gcloud

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Create the endpoint manually

Create a Cloud SQL instance

gcloud

Terraform

Prepare Cloud Shell

Prepare the directory

Apply the changes

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Get the service attachment

gcloud

Terraform

Prepare Cloud Shell

Prepare the directory

Apply the changes

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Create a Private Service Connect endpoint

gcloud

Terraform

Prepare Cloud Shell

Prepare the directory

Apply the changes

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Connect to a Cloud SQL instance

Configure a DNS managed zone and a DNS record

gcloud

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Connect directly using a DNS record

Connect directly through an internal IP address

gcloud

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

gcloud

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Connect using the Cloud SQL Auth Proxy

Download and install the Cloud SQL Auth Proxy

Start the Cloud SQL Auth Proxy

gcloud

REST

curl (Linux, macOS, or Cloud Shell)

PowerShell (Windows)

Connect using the Cloud SQL Language Connectors

Connect to an instance using Private Service Connect