Connect your instance to multiple VPCs


This page describes how to connect to your Cloud SQL instance across transitively peered VPCs.

Cloud SQL offers the following ways to connect your Cloud SQL instance to multiple VPCs using private IP:

Connect using custom advertised routes

You can use Cloud Router to configure custom advertised routes between two networks that go through an intermediate VPC to connect multiple VPCs to your Cloud SQL instance. The two VPCs must be connected using a virtual private network (VPN), Cloud Interconnect, or any other Cloud Router supported network.

Custom route advertisements.

With custom advertised routes, your Cloud SQL VPC, VPC C, is connected to your main VPC, VPC A, using an intermediate VPC, VPC B. You can configure shared routes between these networks in the following ways:

  • You can use Cloud Router to manually advertise routes between two networks that go through an intermediate VPC. For more information on how to configure Cloud Router to manually advertise routes, see Transit network.

  • You can create two HA VPN gateways that connect to each other to bridge the two different VPCs and configure Cloud Router to share routes between them. For more information on how to set up HA VPN gateways, see Create HA VPN gateways to connect VPC networks.

We recommend using custom advertised routes to connect multiple VPCs to your Cloud SQL instance using Cloud Router.

Connect using an intermediate proxy (SOCKS5)

You can set up an intermediate proxy, such as a SOCKS5 proxy, on an intermediate VPC along with the Cloud SQL Auth Proxy in your main VPC between the client and your Cloud SQL instance. This enables the intermediate node to forward encrypted traffic from the Cloud SQL Auth Proxy to the Cloud SQL instance.

Connecting using an intermediate proxy.

To use an intermediary proxy to connect to your Cloud SQL instance from multiple VPCs, follow these steps:

  1. On your external client, install gcloud CLI.

  2. On the intermediary VM, install, configure, and run a SOCKS server. One example of this server is Dante, a popular open source solution.

  3. Configure the server to bind to the VM's ens4 network interface for both external and internal connections. For internal connections, specify any port.

  4. Configure your VPC's firewall to allow TCP traffic from the appropriate IP address or range to the SOCKS server's configured port.

  5. On your external client, download and install the Cloud SQL Auth Proxy.

  6. On your external client, start the Cloud SQL Auth Proxy.

    Because you configured your instance to use an internal IP address, when you start the Cloud SQL Auth Proxy, you must provide the --private-ip option.

    Also, set the ALL_PROXY environment variable to the intermediary VM's IP address and specify the port that the SOCKS server uses. For example, ALL_PROXY=socks5://VM_IP_ADDRESS:SOCKS_SERVER_PORT.

    Note: The default port for the SOCKS server is 1080.

    If you're connecting from a peered VPC, then use the intermediary VM's internal IP address; otherwise, use its external IP address.

  7. On your external client, test your connection using psql.
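The following script is an added example, not part of the original page or Google's own code. It covers step 6: it validates VM_IP_ADDRESS and SOCKS_SERVER_PORT before building the ALL_PROXY value, reports whether the address is internal or external, and starts the Cloud SQL Auth Proxy with --private-ip. The function names are hypothetical, and the script assumes the proxy binary is on PATH as cloud-sql-proxy.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Succeeds if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds if $1 is in an RFC 1918 range (the usual case for a VM's internal IP).
is_internal_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Prints the ALL_PROXY value for VM_IP ($1) and SOCKS port ($2); fails on bad input.
socks_url() {
    valid_ipv4 "$1" || { echo "bad VM IP address: $1" >&2; return 1; }
    case "$2" in
        ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;;
    esac
    [ "${#2}" -le 5 ] && [ "$2" -ge 1 ] && [ "$2" -le 65535 ] ||
        { echo "bad port: $2" >&2; return 1; }
    echo "socks5://$1:$2"
}

# start_auth_proxy INSTANCE_CONNECTION_NAME VM_IP SOCKS_SERVER_PORT
start_auth_proxy() {
    url=$(socks_url "$2" "$3") || return 1
    if is_internal_ipv4 "$2"; then
        echo "SOCKS server reached on its internal address (peered VPC)" >&2
    else
        echo "SOCKS server reached on its external address" >&2
    fi
    # Assumes the v2 binary is on PATH under the name cloud-sql-proxy.
    ALL_PROXY=$url cloud-sql-proxy --private-ip "$1"
}

if [ "$#" -eq 3 ]; then start_auth_proxy "$@"; fi
```

Invoke the script with three arguments: the instance connection name, VM_IP_ADDRESS, and SOCKS_SERVER_PORT. With no arguments it only defines the functions.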

Connect using the Cloud SQL Auth Proxy as a service

You can install and run the Cloud SQL Auth Proxy on your intermediate VPC instead of your external client and enable secure connections by pairing it with a protocol-aware proxy, also known as a connection pooler. Examples of connection poolers include PgBouncer or Pgpool-II (PostgreSQL only).

This connection method allows your applications to securely connect directly to the pooler using a configured SSL connection. The pooler passes database queries to your Cloud SQL instance using the Cloud SQL Auth Proxy.

Note: You'll need to set up your own secure connection. These connections aren't secured by Cloud SQL.

Connect using Private Service Connect

Private Service Connect allows you to connect to multiple VPC networks across different projects or organizations. You can use Private Service Connect to connect to either a primary instance or any of its read replicas. For more information about Private Service Connect, see Private Service Connect overview.

To connect across multiple VPCs using Private Service Connect, see Connect to an instance using Private Service Connect.


Last updated 2025-07-14 UTC.