Console

1. In the Google Cloud console, go to theCloud SQL Instances page.

   Go to Cloud SQL Instances

2. ClickCreate instance.
3. ClickChoose PostgreSQL.
4. Make sure thatEnterprise Plus is selected as the Cloud SQL edition for your instance.
5. In theInstance ID field, enterquickstart-instance.
6. In thePassword field, enter a password for the postgres user. Save this password for future use.
7. In theChoose region and zonal availability section, selectSingle zone.
8. Click theShow configuration options menu.
9. Expand theMachine configuration node.
10. From theMachine shapes region, select the4 vCPU, 32 GB shape.
11. ClickCreate instance and then wait until the instance initializes and starts.

gcloud

Before running the command as follows, replaceDB_ROOT_PASSWORD with the password of your database user.

Optionally, modify the values for the following parameters:

• --database-version: The database engine type and version. If left unspecified, the API default is used. See thegcloud database versions documentation to see the current available versions.
• --cpu: The number of cores desired in the machine.
• --memory: Whole number value indicating how much memory is desired in the machine. A size unit should be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
• --region: Regional location of the instance (for example asia-east1, us-east1). If left unspecified, the defaultus-central is used.

Run thegcloud sql instances create command to create a Cloud SQL instance.

gcloudsqlinstancescreatequickstart-instance\--database-version=POSTGRES_14\--cpu=1\--memory=4GB\--region=us-central\--root-password=DB_ROOT_PASSWORD

Console

Allocate an IP address range and create a private connection to configure private services access for Cloud SQL

1. In the Google Cloud console, go to theVPC networks page.

   Go to VPC networks

2. Select thedefault VPC network.
3. Select thePrivate service connection tab.
4. Select theAllocated IP ranges for services tab.
5. ClickAllocate IP range.
6. For theName of the allocated range, specifygoogle-managed-services-default.
7. Select theAutomatic option for IP range and specify the prefix length as16.
8. ClickAllocate to create the allocated range.
9. Select thePrivate connections to services tab for thedefault VPC network.
10. ClickCreate connection to create a private connection between your network and a service producer.
11. For theAssigned allocation, selectgoogle-managed-services-default.
12. ClickConnect to create the connection.

Create an instance with private IP address and SSL enabled

1. In the Google Cloud console, go to theCloud SQL Instances page.

   Go to Cloud SQL Instances

2. ClickCreate instance.
3. ClickChoose PostgreSQL.
4. Make sure thatEnterprise Plus is selected as the Cloud SQL edition for your instance.
5. In theInstance ID field, enterquickstart-instance.
6. In thePassword field, enter a password for the postgres user. Save this password for future use.
7. In theChoose region and zonal availability section, selectSingle zone.
8. Click theShow configuration options menu.
9. Expand theMachine configuration node.
10. From theMachine shapes region, select the4 vCPU, 32 GB shape.
11. Expand theConnections node.
12. Clear thePublic IP checkbox to create an instance only with a private IP address.
13. Select thePrivate IP checkbox.
14. From theNetwork menu, selectdefault.
15. ClickCreate instance and then wait for the instance to initialize and start.
16. ClickConnections.
17. In theSecurity section, selectAllow only SSL connections to enable SSL connections.
18. In theAllow only SSL connections dialog, clickSave and then wait for the instance to restart.

gcloud

Allocate an IP address range and create a private connection to configure private services access for Cloud SQL

1. Run thegcloud compute addresses create command to allocate an IP address range.

   gcloudcomputeaddressescreategoogle-managed-services-default\--global--purpose=VPC_PEERING--prefix-length=16\--description="peering range for Google"--network=default

2. Run thegcloud services vpc-peerings connect command to create a private connection to the allocated IP address range. Replace YOUR_PROJECT_ID with your project's project ID.

   gcloudservicesvpc-peeringsconnect--service=servicenetworking.googleapis.com\--ranges=google-managed-services-default--network=default\--project=YOUR_PROJECT_ID

Create an instance with private IP address and SSL enabled

1. Before running the command as follows, replaceDB_ROOT_PASSWORD with the password of your database user.

Optionally, modify the values for the following parameters:

• --database-version: The database engine type and version. If left unspecified, the API default is used. See thegcloud database versions documentation to see the current available versions.
• --cpu: The number of cores in the machine.
• --memory: A whole number value indicating how much memory to include in the machine. A size unit can be provided (for example, 3072MB or 9GB). If no units are specified, GB is assumed.
• --region: The regional location of the instance (for example asia-east1, us-east1). If left unspecified, the defaultus-central1 is used. See the full list ofregions.

Run thegcloud sql instances create command to create a Cloud SQL instance with a Private IP address.

gcloudsqlinstancescreatequickstart-instance\--database-version=POSTGRES_14\--cpu=1\--memory=4GB\--region=us-central\--root-password=DB_ROOT_PASSWORD\--no-assign-ip\--network=default

2. Run thegcloud sql instances patch command to enableonly allow SSL connections for the instance.

gcloudsqlinstancespatchquickstart-instance--require-ssl

Go

1. In Cloud Shell Editor, open the sample app's source code.

   Open Cloud Shell Editor

2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
3. Run the following command in Cloud Shell to build a Docker container and publish it to Container Registry. ReplaceYOUR_PROJECT_ID with your project's project id.

   gcloudbuildssubmit--taggcr.io/YOUR_PROJECT_ID/run-sql

Java

1. In Cloud Shell Editor, open the sample app's source code.

   Open Cloud Shell Editor

2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
3. Run the following command in Cloud Shell to build a Docker container and publish it to Container Registry. ReplaceYOUR_PROJECT_ID with your project's project id.

   mvncleanpackagecom.google.cloud.tools:jib-maven-plugin:2.8.0:build\-Dimage=gcr.io/YOUR_PROJECT_ID/run-sql-DskipTests

Node.js

1. In Cloud Shell Editor, open the sample app's source code.

   Open Cloud Shell Editor

2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
3. Run the following command in Cloud Shell to build a Docker container and publish it to Container Registry. ReplaceYOUR_PROJECT_ID with your project's project id.

   gcloudbuildssubmit--taggcr.io/YOUR_PROJECT_ID/run-sql

Python

1. In Cloud Shell Editor, open the sample app's source code.

   Open Cloud Shell Editor

2. In theOpen in Cloud Shell dialog box, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
3. Run the following command in Cloud Shell to build a Docker container and publish it to Container Registry. ReplaceYOUR_PROJECT_ID with your project's project id.

   gcloudbuildssubmit--taggcr.io/YOUR_PROJECT_ID/run-sql

Go

Create and download SSL server and client certificates

1. In the Google Cloud console, go to theCloud SQL Instances page.

   Go to Cloud SQL Instances

2. Click thequickstart-instance to see itsOverview page
3. Click theConnections tab.
4. Under theSecurity section, clickCreate client certificate.
5. In theCreate a client certificate dialog, enterquickstart-key as the name and clickCreate.

6. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.

   Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

1. In the Google Cloud console, go to theServerless VPC access -Create connector page.

   Create Serverless VPC connector

2. Enterquickstart-connector for theName.
3. Selectdefault from theNetwork drop-down menu
4. SelectCustom IP range from theSubnet drop-down menu
5. Enter10.8.0.0 in theIP range input box
6. ClickCreate to create the connector.

Build sample app with SSL certificates

1. In Cloud Shell Editor, open the sample app's source code.
   Open Cloud Shell Editor
2. In theOpen in Cloud Shell dialog, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
3. Upload SSL certs files tocerts folder.
   1. Right-clickcerts folder in Cloud Shell Editor and selectUpload Files
   2. Select following files on your local machine:
   • client-key.pem
   • client-cert.pem
   • server-ca.pem
   3. With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
4. Run the following command in Cloud Shell to build a Docker container and publish it to Container Registry. ReplaceYOUR_PROJECT_ID with your project's project id.

   gcloudbuildssubmit--taggcr.io/YOUR_PROJECT_ID/run-sql

Java

Create and download SSL server and client certificates

For Java users, the connector already provides a secure connection so that creating and downloading SSL server and client certificates is unnecessary.

Create a Serverless VPC Connection for connections to the instance via Private IP

1. In the Google Cloud console, go to theServerless VPC access -Create connector page.

   Create Serverless VPC connector

2. Enterquickstart-connector for theName.
3. Selectdefault from theNetwork drop-down menu
4. SelectCustom IP range from theSubnet drop-down menu
5. Enter10.8.0.0 in theIP range input box
6. ClickCreate to create the connector.

Build Sample App

1. In Cloud Shell Editor, open the sample app's source code.
   Open Cloud Shell Editor
2. In theOpen in Cloud Shell dialog, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
3. Run the following command in Cloud Shell to build a Docker container and publish it to Container Registry. ReplaceYOUR_PROJECT_ID with your project's project id.

   mvncleanpackagecom.google.cloud.tools:jib-maven-plugin:2.8.0:build\-Dimage=gcr.io/YOUR_PROJECT_ID/run-sql-DskipTests

Node.js

Create and download SSL server and client certificates

1. In the Google Cloud console, go to theCloud SQL Instances page.

   Go to Cloud SQL Instances

2. Click thequickstart-instance to see itsOverview page
3. Click theConnections tab.
4. Under theSecurity section, clickCreate client certificate.
5. In theCreate a client certificate dialog, enterquickstart-key as the name and clickCreate.

6. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.

   Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

1. In the Google Cloud console, go to theServerless VPC access -Create connector page.

   Create Serverless VPC connector

2. Enterquickstart-connector for theName.
3. Selectdefault from theNetwork drop-down menu
4. SelectCustom IP range from theSubnet drop-down menu
5. Enter10.8.0.0 in theIP range input box
6. ClickCreate to create the connector.

Build sample app with SSL certificates

1. In Cloud Shell Editor, open the sample app's source code.
   Open Cloud Shell Editor
2. In theOpen in Cloud Shell dialog, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
3. Upload SSL certs files tocerts folder.
   1. Right-clickcerts folder in Cloud Shell Editor and selectUpload Files
   2. Select following files on your local machine:
   • client-key.pem
   • client-cert.pem
   • server-ca.pem
   3. With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
4. Run the following command in Cloud Shell to build a Docker container and publish it to Container Registry. ReplaceYOUR_PROJECT_ID with your project's project id.

   gcloudbuildssubmit--taggcr.io/YOUR_PROJECT_ID/run-sql

Python

Create and download SSL server and client certificates

1. In the Google Cloud console, go to theCloud SQL Instances page.

   Go to Cloud SQL Instances

2. Click thequickstart-instance to see itsOverview page
3. Click theConnections tab.
4. Under theSecurity section, clickCreate client certificate.
5. In theCreate a client certificate dialog, enterquickstart-key as the name and clickCreate.

6. In theNew SSL certificate created dialog, click each download link to download the certificates. Then, clickClose.

   Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

Create a Serverless VPC Connection for connections to the instance via Private IP

1. In the Google Cloud console, go to theServerless VPC access -Create connector page.

   Create Serverless VPC connector

2. Enterquickstart-connector for theName.
3. Selectdefault from theNetwork drop-down menu
4. SelectCustom IP range from theSubnet drop-down menu
5. Enter10.8.0.0 in theIP range input box
6. ClickCreate to create the connector.

Build sample app with SSL certificates

1. In Cloud Shell Editor, open the sample app's source code.
   Open Cloud Shell Editor
2. In theOpen in Cloud Shell dialog, clickConfirm to download the sample app code and open the sample app directory in Cloud Shell Editor.
3. Upload SSL certs files tocerts folder.
   1. Right-clickcerts folder in Cloud Shell Editor and selectUpload Files
   2. Select following files on your local machine:
   • client-key.pem
   • client-cert.pem
   • server-ca.pem
   3. With the three SSL certificate files selected, clickOpen to complete the process of uploading the files to Cloud Shell Editor.
4. Run the following command in Cloud Shell to build a Docker container and publish it to Container Registry. ReplaceYOUR_PROJECT_ID with your project's project id.

   gcloudbuildssubmit--taggcr.io/YOUR_PROJECT_ID/run-sql

Console

1. In the Google Cloud console, go to theCloud Run page.

   Go to Cloud Run

2. ClickCreate container and selectService to display theCreate service form.

3. Click theSelect button in theContainer image URL input field.
1. Select thegcr.io/YOUR_PROJECT_ID/run-sql container image you created in the previous step.
4. In theService name field, enterquickstart-service.
5. In theAuthentication section, select theAllow unauthenticated invocations option. If you don't have permissions (Cloud Run Admin role) to select this, the service will deploy and require authentication.
6. Expand theContainer, Variables & Secrets, Connections, Security section.
7. Create the followingEnvironment variables by clickingAdd Variable underEnvironment variables. Set the values for the environment variables, as follows:
• INSTANCE_UNIX_SOCKET: Set to/cloudsql/YOUR_PROJECT_ID:us-central1:quickstart-instance.
• INSTANCE_CONNECTION_NAME: Set to your instance'sConnection name that appears on theCloud SQL instances page in the Google Cloud console.
• DB_NAME: Set toquickstart-db
• DB_USER: Set toquickstart-user
• DB_PASS: Set to the password of thequickstart-user that you created in the previousCreate a user quickstart step.

8. Enable connecting to Cloud SQL:

   • Click theConnections tab.
   • Click theAdd Connection button under theCloud SQL connections section.
   • Select thequickstart-instance you previously created from the drop-down menu.

   

9. ClickCreate to create the Cloud Run service.

10. After the Cloud Run service is deployed, theService details page displays the URL of the running service at the top of the page. Click theURL link to see the deployed sample app on Cloud Run connected to Cloud SQL.

    

gcloud

1. Before running the following command, make the following replacements:

• YOUR_PROJECT_ID with your project ID.

• INSTANCE_CONNECTION_NAME with your instance'sConnection name that appears on theCloud SQL instances page in the Google Cloud console.

• DB_PASS with the password of thequickstart-user that you created in the previousCreate a user quickstart step.

Run thegcloud run deploy command as follows to create the Cloud Run service. Environment variables vary depending on theconnection method you want to use:

gcloudrundeployrun-sql--imagegcr.io/YOUR_PROJECT_ID/run-sql\--add-cloudsql-instancesINSTANCE_CONNECTION_NAME\--set-env-varsINSTANCE_CONNECTION_NAME="INSTANCE_CONNECTION_NAME"\--set-env-varsDB_NAME="quickstart-db"\--set-env-varsDB_USER="quickstart-user"\--set-env-varsDB_PASS="DB_PASS"

Enter the numeric choice provided forus-central1 when prompted to specify a region.

2. When you see a confirmation message that the Cloud Run service has been deployed, click theService URL link in the message to see the sample app on Cloud Run that is connected to Cloud SQL.

   

Console

1. In the Google Cloud console, go to theCloud Run page.

   Go to Cloud Run

2. ClickCreate container and selectService to display theCreate service form.

3. Retain the option to deploy from an existing container image and clickSelect to specify thegcr.io/YOUR_PROJECT_ID/run-sql container image you created in the previous step.
4. Enterquickstart-service for theService name.
5. In theAuthentication section, select theAllow unauthenticated invocations option. If you don't have permissions (Cloud Run Admin role) to select this, the service will deploy and require authentication.
6. Expand theContainer, Variables & Secrets, Connections, Security section.
7. Create the following environment variables by clickingAdd variable underEnvironment variables. Set the values for the environment variables, as follows:
• DB_NAME: Set toquickstart-db.
• DB_USER: Set toquickstart-user.
• DB_PASS: Set to the password of thequickstart-user that you specified in the previousCreate a user quickstart step.
• INSTANCE_CONNECTION_NAME: Set to your instance'sConnection name that appears on theCloud SQL instances page in the Google Cloud console.
• DB_PORT: Set to5432.
• DB_ROOT_CERT: Set tocerts/server-ca.pem.
• DB_CERT: Set tocerts/client-cert.pem.
• DB_KEY: Set tocerts/client-key.pem.
• PRIVATE_IP: Set toTRUE.

8. Enable connecting to Cloud SQL:

   1. ClickConnections.
   2. ClickAdd Connection in theCloud SQL connections section.
   3. Select thequickstart-instance Cloud SQL instance that you previously created.
   4. Selectdefault: Serverless VPC Access Connector "quickstart-connector" from theVPC Network drop-down menu.
   5. Select the optionRoute all traffic through the VPC connector.

9. ClickCreate to create the Cloud Run service.

10. After the Cloud Run service is deployed, theService details page displays the URL of the running service at the top of the page. Click theURL link to see the deployed sample app on Cloud Run connected to Cloud SQL.

    

gcloud

1. Before running the following command, make the following replacements:

• YOUR_PROJECT_ID with your project ID.
• INSTANCE_CONNECTION_NAME with your instance'sConnection name that appears on theCloud SQL instances page in the Google Cloud console.
• DB_PASS with the password of thequickstart-user that you created in the previousCreate a user quickstart step.

Run thegcloud run deploy command as follows to create the Cloud Run service. Environment variables vary depending on theconnection method you want to use:

gcloudrundeployrun-sql--imagegcr.io/YOUR_PROJECT_ID/run-sql\--add-cloudsql-instancesINSTANCE_CONNECTION_NAME\--vpc-connector="quickstart-connector"--vpc-egress=all-traffic\--set-env-varsDB_NAME="quickstart-db"\--set-env-varsDB_USER="quickstart-user"\--set-env-varsDB_PASS="DB_PASS"\--set-env-varsINSTANCE_CONNECTION_NAME="INSTANCE_CONNECTION_NAME"

gcloudrundeployrun-sql--imagegcr.io/YOUR_PROJECT_ID/run-sql\--add-cloudsql-instancesINSTANCE_CONNECTION_NAME\--vpc-connector="quickstart-connector"--vpc-egress=all-traffic\--set-env-varsDB_NAME="quickstart-db"\--set-env-varsDB_USER="quickstart-user"\--set-env-varsDB_PASS="DB_PASS"\--set-env-varsINSTANCE_CONNECTION_NAME="INSTANCE_CONNECTION_NAME"

Enter the numeric choice provided forus-central1 when prompted to specify a region.

2. When you see a confirmation message that the Cloud Run service has been deployed, click theService URL link in the message to see the sample app on Cloud Run that is connected to Cloud SQL.