Choose how to connect to Cloud SQL

MySQL  |  PostgreSQL  |  SQL Server

This page provides an overview of the ways in which you can connect to your Cloud SQL instance.

Before you can connect to a Cloud SQL instance, you need to decide how to deploy and configure your Cloud SQL instance and supporting networking resources. If your Cloud SQL instance is already configured and deployed, then this page can help you understand the different ways that you can connect your clients to the existing instance.

IP address type: private or public

When you first create your Cloud SQL instance, you can choose whether to configure the instance with a public IP address, a private IP address, or a combination of both.

You choose the IP address configuration of your instance based on your application requirements. Then after you configure your instance, you specify either a public IP address, a private IP address, or in some cases a DNS name in your client connection string.

Private IP address | Public IP address
Description | Internal, Virtual Private Cloud (VPC) network-only (private) IP address | An external, internet-accessible (public) IP address
Decision points

Do you need to connect from clients hosted on VPC networks inside Google Cloud or from clients that have access to those VPC networks?

If yes, then choose a private IP address for the instance.

Do you need to connect from clients outside the Google Cloud VPC network over the public internet?

If yes, then choose a public IP address for the instance.

Configuration options

The following types of private networking configurations are supported:

When you connect directly to an instance using a public IP address, you must configure authorized networks.

A more secure alternative for connecting to a Cloud SQL instance that uses a public IP address is to use a Cloud SQL connector (such as the Cloud SQL Auth Proxy or one of the Cloud SQL Language Connectors).

For instructions about adding a public IP to your instance, see Configure public IP.

To connect to a Cloud SQL instance using a public IP address, you can use the psql client or another available client.

Summary

Recommendation: For improved security, we recommend that you configure your instance with a private IP address type unless you have specific requirements for an internet-accessible Cloud SQL instance or you're connecting from a client that doesn't meet the requirements for a VPC.

Connection type: Cloud SQL connector or direct

When you make the connection to a Cloud SQL instance, you can use a Cloud SQL connector, or you can make a direct connection.

A Cloud SQL connector is either the Cloud SQL Auth Proxy or one of the Cloud SQL Language Connectors.

Cloud SQL connector | Direct connection
Description | Cloud SQL Auth Proxy, a client-side proxy, and Cloud SQL Language Connectors, client-side libraries, provide simplified and secure access to your Cloud SQL instances, especially when you connect to an instance using a public IP address. | A direct connection from a client to a Cloud SQL instance provides a lower latency connection. A direct connection can be made from either a public or a private IP address.
Decision points

Cloud SQL connectors are beneficial in the following scenarios:

  • When you want to connect to a Cloud SQL instance using a public IP address without having to configure authorized networks.
  • When you want to encrypt traffic to and from the database automatically with server and client identity verification without having to manage SSL certificates.
  • When you're using IAM database authentication and want to refresh your OAuth 2.0 access tokens automatically.
  • When you're connecting from a client or application that uses a dynamically assigned or ephemeral IP address. Dynamic IP configuration can be common for Platform as a Service (PaaS) applications.

Using a direct connection provides the following benefits:

  • Lower latency compared to connections using Cloud SQL connectors.
  • No additional package or library dependency unlike Cloud SQL connectors.

When you use a direct connection, you're responsible for configuring the SSL/TLS settings.

Configuration options

To configure SSL/TLS certificates on the Cloud SQL instance and for your client, do the following:

  1. Choose a server CA mode for your instance.
  2. Configure your instance to enforce SSL/TLS encryption for connections on the instance.
  3. Create client certificates.
  4. Download your server and client certificates.

Summary

When you connect to a Cloud SQL instance, you can use either a Cloud SQL connector, or connect directly from clients.

General recommendation: If you're connecting to an instance by a private IP address, use a direct connection. We also recommend that you enforce SSL and configure SSL/TLS certificates for your connection.

If you're connecting to an instance by a public IP address, use a Cloud SQL connector (either the Cloud SQL Auth Proxy or one of the Cloud SQL Language Connectors).
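
The checks that a direct connection leaves to the client, as an added example (not code from the Cloud SQL documentation): a Python audit of a PostgreSQL connection URI against the recommendations above. The function name, sample URIs and certificate file names are constructed, and only RFC 1918 addresses are treated as private.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Assumption: only RFC 1918 ranges count as "private" for this check.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# libpq sslmode values that verify the server certificate, not just encrypt.
VERIFYING_MODES = {"verify-ca", "verify-full"}


def audit_direct_uri(uri: str) -> list[str]:
    """Return findings for a direct (no connector) PostgreSQL connection URI."""
    parts = urlsplit(uri)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    findings = []

    try:
        ip = ipaddress.ip_address(parts.hostname or "")
        if not any(ip in net for net in RFC1918):
            findings.append("public IP: use a Cloud SQL connector instead")
    except ValueError:
        pass  # DNS name: address type cannot be decided offline

    mode = params.get("sslmode", "prefer")  # "prefer" is the libpq default
    if mode not in VERIFYING_MODES:
        findings.append(
            f"sslmode={mode}: does not require server certificate verification")
    elif "sslrootcert" not in params:
        findings.append("sslrootcert not set: server CA file is implicit")
    if not {"sslcert", "sslkey"} <= params.keys():
        findings.append("no client certificate (sslcert/sslkey)")
    return findings


# Constructed sample URIs (203.0.113.0/24 is a documentation range).
WEAK = "postgresql://app@203.0.113.10:5432/orders?sslmode=require"
STRICT = ("postgresql://app@10.20.0.5:5432/orders?sslmode=verify-ca"
          "&sslrootcert=server-ca.pem&sslcert=client-cert.pem"
          "&sslkey=client-key.pem")

if __name__ == "__main__":
    for uri in (WEAK, STRICT):
        print(uri, "->", audit_direct_uri(uri) or "ok")
```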

Database authentication type: IAM or built-in

When you connect to an instance, you must authenticate as a database user. You can choose between built-in authentication or IAM database authentication.

IAM database authentication | Built-in authentication
Description | IAM database authentication lets you authenticate to databases with Google Cloud IAM user and service accounts by using short-lived access tokens instead of passwords. You can manage database privileges by using IAM principals such as users, service accounts, and groups. | Built-in authentication uses database local usernames and passwords to authenticate database users.
Decision points | Do you prefer to centralize user management across Google Cloud services using IAM in Google Cloud? If yes, then use IAM database authentication. | Do you have applications or workflows that depend on built-in database authentication? If yes, then use built-in authentication.
Configuration options

You can use IAM database authentication for individual IAM users, individual service accounts, and groups. For more information, see Manage users with IAM database authentication.

If you use a Cloud SQL connector, then the connector handles the automatic refresh of the IAM access tokens. For more information, see automatic IAM database authentication.

You can use built-in database authentication and configure password policies at the instance and user levels. For more information, see Built-in authentication.

Summary

Recommendation: Unless you have applications or workflows that depend on built-in database authentication, use IAM database authentication whenever possible.
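
The recommendations from the three sections above, applied to an instance's configuration, as an added example (not code from the Cloud SQL documentation). It assumes the input has the shape printed by `gcloud sql instances describe --format=json` for a PostgreSQL instance; the function name and both sample instances are constructed.

```python
import ipaddress

# sslMode values that reject unencrypted connections.
ENFORCING = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def audit_instance(inst: dict) -> list[str]:
    """Compare instance settings with the page's recommendations."""
    settings = inst.get("settings", {})
    ipc = settings.get("ipConfiguration", {})
    findings = []

    if ipc.get("ipv4Enabled"):
        findings.append("public IP enabled: prefer private IP unless required")
        for net in ipc.get("authorizedNetworks", []):
            cidr = ipaddress.ip_network(net["value"], strict=False)
            if cidr.prefixlen == 0:
                findings.append(f"authorized network {cidr} allows any address")
    if ipc.get("sslMode") not in ENFORCING:
        findings.append("SSL/TLS is not enforced for connections")

    # PostgreSQL flag name; a missing flag is treated as "off".
    flags = {f["name"]: f["value"] for f in settings.get("databaseFlags", [])}
    if flags.get("cloudsql.iam_authentication") != "on":
        findings.append("IAM database authentication is not enabled")
    return findings


# Constructed samples; project and network names are placeholders.
PUBLIC_OPEN = {"settings": {"ipConfiguration": {
    "ipv4Enabled": True,
    "authorizedNetworks": [{"value": "0.0.0.0/0"}],
    "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}}}
PRIVATE_STRICT = {"settings": {
    "ipConfiguration": {
        "ipv4Enabled": False,
        "privateNetwork": "projects/example-project/global/networks/example-vpc",
        "sslMode": "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"},
    "databaseFlags": [{"name": "cloudsql.iam_authentication", "value": "on"}]}}

if __name__ == "__main__":
    for name, inst in (("public", PUBLIC_OPEN), ("private", PRIVATE_STRICT)):
        print(name, audit_instance(inst) or "ok")
```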

Private networking options when using a private IP address

When you configure your instance to use a private IP address, you can choose the following private networking options: private services access, Private Service Connect, or both.

Supported features

The following table lists the features that Cloud SQL supports when you connect to an instance that's configured with one or both of the private networking options.

Feature | Instance with private services access only | Instance with Private Service Connect only | Instance with both private services access and Private Service Connect
Connect from multiple VPCs | Not supported. | Supported. | Supported by using the Private Service Connect endpoint.
pglogical, PL/Proxy, dblink, and postgres_fdw extensions | Supported. | Not supported. | Supported by using outbound connectivity for private services access.
External replicas | Supported. | Not supported. | Supported by using outbound connectivity for private services access.
Write endpoint | Supported. | Not supported. | Supported for private services access.
Change the associated VPC network for private services access | Supported. | Not applicable. | Not supported for private services access because the instance has Private Service Connect enabled for it. Not applicable for Private Service Connect.
Visibility of the client IP address to Cloud SQL | Supported. | Not supported. | Supported by using the private services access IP address. Not supported by using the Private Service Connect endpoint.

Remove networking options from an instance

Cloud SQL supports the removal of the following networking options from an instance:

  • Public IP from an instance with both private services access and public IP
  • Public IP from an instance with public IP, private services access, and Private Service Connect
  • Private Service Connect from an instance with both Private Service Connect and private services access
  • Private Service Connect from an instance with Private Service Connect, private services access, and public IP

Enable networking options for an instance

Cloud SQL supports enabling the following connection options for instances:

  • Private services access on an instance with public IP only
  • Private Service Connect on an instance with private services access only
  • Private Service Connect on an instance with both private services access and public IP
  • Public IP on an instance with private services access only

Limitations

  • You can't create an instance with both a public IP address and Private Service Connect.
  • You can't remove private services access from an instance with private services access and Private Service Connect.
  • You can't remove private services access from an instance with private services access and public IP.
  • If you have an instance that uses only public IP, then you can't enable both private services access and Private Service Connect at the same time. First, enable private services access, and then enable Private Service Connect.
  • You can't use authorized networks to do IP address-based allowlisting for Private Service Connect instances.

Tools for connecting to Cloud SQL

The following table contains some options for connecting to Cloud SQL:

Connection option | More information
Cloud SQL Auth Proxy
gcloud CLI
Cloud SQL language connectors
Cloud Shell
Cloud Code
Connect using third-party database administration tools
pgAdmin
Toad Edge
Blendo

Troubleshoot

If you're having problems connecting, then check the following pages for help debugging or finding solutions to known issues:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-18 UTC.