Connect to a Cloud SQL for PostgreSQL instance with private IP

MySQL  |  PostgreSQL  |  SQL Server

This page shows you how to create and connect to a PostgreSQLinstance using a private IP. The resources created in this quickstarttypically cost less than a dollar, assuming you complete the steps, includingthe clean up, in a timely manner.

To follow step-by-step guidance for this task directly in the Google Cloud console, clickGuide me:

Guide me

Before you begin

Note:The name you use for your project must be between 4 and 30 characters. When youtype the name, the form suggests a project ID, which you can edit. Theproject ID must be between 6 and 30 characters, with a lowercase letteras the first character. You can use a dash, lowercase letter, or digit for theremaining characters, but the last character cannot be a dash.
  1. Enable the necessary Google Cloud APIs.

    Console

    In the Google Cloud console, go to theAPIs page.

    Go to APIs

    Enable the Cloud SQL Admin API. By enabling this API, you can run the Cloud SQL Auth Proxy.

    gcloud

    Click the following button to open Cloud Shell, which provides command-line access to your Google Cloud resources directly from the browser. Cloud Shell can be used to run thegcloud commands presented throughout this quickstart.

    Open Cloud Shell

    Run thegcloud services enable command as follows using Cloud Shell to enable the APIs required for this quickstart.:

    gcloudservicesenablesqladmin.googleapis.com

    This command enables the following APIs:

    • Cloud SQL Admin API. By enabling this API, you can run the Cloud SQL Auth Proxy.

Overview

There are many ways to connect to a Cloud SQL instance with a private IPaddress, depending on where the source is located. The key factor is that thesource machine must be in the same VPC network as theCloud SQL instance. If the source is not in Google Cloud or not inthe same Google Cloud project, then you have toconfigure connectivity differentlythan we show here.

In this quickstart, we configure connectivity through the most direct path. Thesource and target are in the same Google Cloud project and in the sameVPC network. We create a Cloud SQL instance with a privateIP address (the target) and a Compute Engine VM (the source). We use theVM to install and use the tools required to connect from the VM to theCloud SQL instance.

Perform the following actions:

  1. Create a Cloud SQL instance with a privateIP address.

    Find and save the instance'sconnection name for later use.

  2. Create a Compute Engine VM.
  3. Open two SSH connections to the Compute Engine VM.

    You'll use the first window to install the psql and install andstart the Cloud SQL Auth Proxy. Then you'll use the second window to connect to theCloud SQL instance by connecting to the Cloud SQL Auth Proxy.

  4. In SSH window #1, do the following:
    1. Install the psql client.
    2. Install the Cloud SQL Auth Proxy.

      The Cloud SQL Auth Proxy acts as a connector between the psql client andthe Cloud SQL instance.

    3. Start the Cloud SQL Auth Proxy.

      On success, the Cloud SQL Auth Proxy listens for connection requests.

  5. In SSH window #2,connect to the Cloud SQLinstance by having the psql client connect tothe Cloud SQL Auth Proxy.

    On success, you see your psql prompt in this window, and asuccessful connection message in SSH window #1, where the Cloud SQL Auth Proxy isrunning.

  6. Clean up.

Create a Cloud SQL instance with a private IP address

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. ClickCreate Instance.
  3. ClickChoose PostgreSQL.
  4. If you're prompted to enable theCompute API, click theEnable API button.
  5. In theInstance info section, enter a name for theInstance ID.
  6. Enter a password for the postgres user. Take note of the password you create, because you need it later.
  7. In theChoose region and zonal availability section, select theSingle zone option.
  8. ExpandShow configuration options.
  9. ExpandConnections.
  10. ClearPublic IP.
  11. SelectPrivate IP.
  12. From theNetwork dropdown, selectdefault.
  13. If you're using a new project, you're prompted by the message:Private service connection required. Then follow these steps:
    1. ClickSet up connection.
    2. ClickEnable service networking API.
    3. In theAllocate an IP range section, selectUse an automatically allocated IP range.
    4. ClickContinue.
    5. ClickCreate connection and wait for connection creation to complete.

  14. ClickCreate instance.

You're taken to the instance Overview page. Click into the new instanceview the details including its private IP address.

In theConnect to this instance section, copy and save the instance'sConnection name. Theconnection name is in the formatprojectID:region:instanceID.

You'll use thisconnection name later when starting the Cloud SQL Auth Proxy.

Create a database

Return to the instance Overview page and select theDatabases menu item.

  • SelectCreate database.
  • Enter aDB_NAME in theDatabase name field.
  • ClickCreate.

You'll use thisdb_name later when connecting using the Cloud SQL Auth Proxy.

Create a Compute Engine VM

  1. In the Google Cloud console, go to theVM instances page.

    Go to VM instances

  2. ClickCreate instance.
  3. Enter aName for the instance.
  4. InAccess scopes, selectAllow full access to all Cloud APIs.
  5. ClickCreate and wait for the VM to finish being created.

Open two SSH connections to the Compute Engine VM

We use two windows in the VM. The first window is used to install thepsql client and the Cloud SQL Auth Proxy, get the instance connection name, anduse this name to start the proxy. The second window is used to connect to theCloud SQL instance through the proxy.

  1. Expand theSSH menu in theConnect column for your Compute Engine VM instance.
  2. SelectOpen in browser window to open SSH window #1.

    It might take a few seconds for the prompt in the window to become available for you.

  3. When the prompt appears, enterpwd to verify that you're in the/home/$USER directory.

    You'll install the psql client and the Cloud SQL Auth Proxy, and also start the Cloud SQL Auth Proxy, in this window.

  4. SelectOpen in browser window again to open SSH window #2.

    You'll use this window to connect to your Cloud SQL instance.

Install the psql client

Use SSH window #1 for this step.

Install the psql client from the package manager:

sudoapt-getupdatesudoapt-getinstallpostgresql-client

Install the Cloud SQL Auth Proxy

Use SSH window #1 for this step.

  1. Installwget:
    sudoapt-getinstallwget
  2. Download the Cloud SQL Auth Proxy:
    wgethttps://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.8.2/cloud-sql-proxy.linux.amd64\-Ocloud-sql-proxy
  3. Make the Cloud SQL Auth Proxy executable:
    chmod+xcloud-sql-proxy

Start the Cloud SQL Auth Proxy

Use SSH window #1 for this step.

Start the Cloud SQL Auth Proxy so you can monitor its output. ReplaceINSTANCE_CONNECTION_NAME with theconnection name you copiedwhen you created the Cloud SQL instance.

./cloud-sql-proxy--private-ipINSTANCE_CONNECTION_NAME

Note: By default, the Cloud SQL Auth Proxy attempts to connectto your Cloud SQL instance using a public IPv4 address. If the instance has only private IP or the instance has both public and private IP configured, and you want the Cloud SQL Auth Proxy to use the private IP address, you must provide the--private-ip option when you start the Cloud SQL Auth Proxy.

If you see an error that the address isalready in use, it means that a local instance of the database is running, andyou need to stop it. Find theSERVICE_NAME by running the commandps -ef | grep psql and then run the command:

sudoserviceSERVICE_NAMEstop

When the Cloud SQL Auth Proxy starts successfully, a message similar to the followingappears in the SSH window:

Listening on 127.0.0.1:5432 formyInstanceReady for new connections

Connect to your Cloud SQL instance

Use SSH window #2 for this step.

Run the following command after replacingDB_NAME with thename of the Cloud SQL database:

psql"host=127.0.0.1 port=5432 sslmode=disable dbname=DB_NAME user=postgres"

At the Enter password: prompt, enter the password of your PostgreSQL account.

Verify that the PostgreSQL prompt appears. You have connected to your databaseusing the psql client.

Return to the terminal window where you started the Cloud SQL Auth Proxy. Youshould see a message similar to the following:

New connection formyInstance

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. Select themyinstance instance to open theInstance details page.
  3. In the icon bar at the top of the page, clickDelete.
  4. In theDelete instance window, type your instance's name and then clickDelete.

Optional cleanup steps

If you're not using the APIs that were enabled as part of this quickstart, youcan disable them.

  • APIs that were enabled within this quickstart:
    • Cloud SQL Admin API

  1. In the Google Cloud console, go to theAPIs page.

    Go to APIs

  2. Select the Cloud SQL Admin API and then click theDisable API button.

  3. In the Google Cloud console, go to theVM instances page.

    Go to VM instances

  4. Select your instance's name.

  5. SelectDelete from theMore actions menu.

What's next

Based on your needs, you can learn more aboutcreating Cloud SQL instances.

You also can learn about creatingPostgreSQL users anddatabases for your Cloud SQL instance.

Additionally, you can learn about connecting to a Cloud SQL instance fromother Google Cloud applications:

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-14 UTC.