Connect to a Cloud SQL instance from outside its VPC

MySQL  |  PostgreSQL  |  SQL Server

This page describes how to connect to a Cloud SQL instance from outside its configured Virtual Private Cloud (VPC).

Before you begin

Before you begin, make sure that you complete the following actions:

  1. Create a Cloud SQL instance.
  2. Configure the instance to use an internal (private) IP address instead of an external IP address.

About external connections

Your Cloud SQL instance consists of a number of nodes within a Google-managed VPC. When you create an instance, you also configure private services access or Private Service Connect between one of your VPCs and the Google-managed VPC containing your new instance. This private connection lets you use internal IP addresses to access resources on the instance's VPC as if they're part of your own VPC.

In the following situations, you connect to your instance from outside a connected VPC:

  • Your application runs outside of the VPC that you used to connect to your instance through private services access or Private Service Connect.

  • Your application runs on a VPC that exists outside of Google's network.

  • Your application runs on a machine that's located somewhere else on the public internet.

In all of these cases, you must configure an additional service to enable this kind of external connection to your Cloud SQL instance.

We recommend the following solutions for making external connections, depending upon your needs:

  • Connect through an intermediary VM that runs the Cloud SQL Auth Proxy, reached through IAP, a SOCKS proxy, or a pooler. This is the lower-cost, faster-to-set-up option, but its availability, security, and throughput depend on a VM that you maintain.

  • Connect through Cloud VPN or Cloud Interconnect, with routes advertised by Cloud Router. This is the recommended option for production workloads that require high availability.

The following sections describe these solutions.

Connect through an intermediary VM

To establish a connection to a Cloud SQL instance from outside its VPC using open source tools and a minimum of additional resources, run a proxy service on an intermediary VM that's configured within that VPC. You can configure a new VM or use a VM already running within your Cloud SQL instance's VPC.

As a self-managed solution, using an intermediary VM generally costs less and has a faster set-up time than using a Network Connectivity product. It also has downsides: the connection's availability, security, and data throughput all depend on the intermediary VM, which you must patch and maintain as part of your project.

Connect through IAP

Using Identity-Aware Proxy (IAP), you can connect to your Cloud SQL instance securely without giving the intermediary VM an external IP address. You use a combination of firewall rules and Identity and Access Management (IAM) to limit who can tunnel through this route. This makes IAP a good solution for non-production uses like development and prototyping.

Identity-Aware Proxy architecture

In this diagram, IAP serves as the gateway between the external client that's outside the VPC and the intermediary VM that's in the VPC. The client creates an SSH tunnel through IAP to the VM, and the client's database traffic is carried inside that tunnel. The Cloud SQL Auth Proxy encrypts the traffic between the VM and the Cloud SQL instance. Through these two proxies, communication is established between the client and the instance.

To configure IAP access to your instance, follow these steps:

  1. On your external client, install the gcloud CLI.

  2. On the intermediary VM, download and install the Cloud SQL Auth Proxy.

  3. On the intermediary VM, start the Cloud SQL Auth Proxy.

    Because your Cloud SQL instance is configured with an internal IP address, when you start the Cloud SQL Auth Proxy you must provide the --private-ip option. By default the proxy listens on 127.0.0.1, so it is reachable only from processes on the VM itself, such as the remote end of the SSH tunnel you create in step 5.

  4. In your Google Cloud project, enable IAP TCP forwarding.

    When defining the new firewall rule, allow ingress TCP traffic to port 22 (SSH) from IAP's TCP forwarding source range, 35.235.240.0/20. If you are using your project's default network with its pre-populated default-allow-ssh rule enabled, then you don't need to define an additional rule. Note, however, that default-allow-ssh admits SSH from any source (0.0.0.0/0); for anything beyond prototyping, replace it with a rule whose source range is limited to the IAP range.

  5. Configure port forwarding between your external client and the intermediary VM using SSH through IAP:

    gcloud compute ssh VM_NAME \
        --tunnel-through-iap \
        --zone=ZONE_NAME \
        --ssh-flag="-L 5432:localhost:5432"

    Make the following replacements:

    • VM_NAME: the name of the VM
    • ZONE_NAME: the name of the zone that's associated with the VM
  6. On your external client, test your connection using psql, pointing it at the local end of the tunnel (host localhost, port 5432).
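
The following script, added here as a worked example and not part of the Cloud SQL documentation, strings steps 3 to 5 together from the client side and adds the checks a practitioner would want before trusting the route: it refuses to proceed if the SSH firewall rule admits any source other than IAP's TCP forwarding range (35.235.240.0/20), starts the Cloud SQL Auth Proxy on the VM with --private-ip, and opens the tunnel with the local end bound to 127.0.0.1, no remote shell (-N), and strict host-key checking. VM_NAME, ZONE, RULE_NAME, INSTANCE_CONNECTION_NAME and the ports are placeholders; the assumption that gcloud's value() output format joins list items with semicolons is marked in the code.

```shell
#!/bin/sh
# Added example, not from the Cloud SQL documentation: client-side wrapper for
# the IAP procedure above. Placeholders (override via the environment):
set -eu
: "${VM_NAME:=sql-bastion}"               # intermediary VM (hypothetical name)
: "${ZONE:=us-central1-a}"                # its zone
: "${RULE_NAME:=allow-ssh-from-iap}"      # firewall rule admitting SSH to the VM (hypothetical name)
: "${INSTANCE_CONNECTION_NAME:=my-project:us-central1:my-instance}"  # PROJECT:REGION:INSTANCE
: "${LOCAL_PORT:=5432}"                   # port psql connects to on the client
: "${REMOTE_PORT:=5432}"                  # port the Cloud SQL Auth Proxy listens on, on the VM

# Google's documented source range for IAP TCP forwarding.
IAP_RANGE="35.235.240.0/20"

# run CMD...: execute CMD, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iap_only_sources RANGES
# RANGES is a firewall rule's sourceRanges list as printed by
#   gcloud compute firewall-rules describe RULE --format='value(sourceRanges)'
# (assumption: gcloud joins list items with ';'). Returns 0 only if every
# range is the IAP range, so a rule open to 0.0.0.0/0, such as the default
# network's default-allow-ssh, is rejected.
iap_only_sources() {
  set -- $(printf '%s' "${1:-}" | tr ';,' '  ')
  [ $# -gt 0 ] || return 1
  for r in "$@"; do
    [ "$r" = "$IAP_RANGE" ] || return 1
  done
}

# check_ssh_rule RULE_NAME: step 4, verified rather than assumed.
check_ssh_rule() {
  iap_only_sources "$(gcloud compute firewall-rules describe "$1" --format='value(sourceRanges)')"
}

# start_proxy_on_vm: step 3, run over an IAP-tunnelled SSH session. The proxy
# binds 127.0.0.1 by default, so only the tunnel's remote end can reach it.
start_proxy_on_vm() {
  run gcloud compute ssh "$VM_NAME" --tunnel-through-iap --zone="$ZONE" \
    --command="nohup ./cloud-sql-proxy --private-ip --port $REMOTE_PORT $INSTANCE_CONNECTION_NAME >proxy.log 2>&1 &"
}

# open_tunnel VM ZONE LOCAL_PORT REMOTE_PORT: step 5, with the local end bound
# to loopback so other hosts cannot use the forwarded port, -N so no remote
# shell is opened, and host-key checking enforced.
open_tunnel() {
  run gcloud compute ssh "$1" --tunnel-through-iap --zone="$2" \
    --strict-host-key-checking=yes \
    --ssh-flag=-N --ssh-flag="-L 127.0.0.1:$3:localhost:$4"
}

main() {
  if ! check_ssh_rule "$RULE_NAME"; then
    echo "firewall rule $RULE_NAME admits SSH from outside $IAP_RANGE; tighten it before continuing" >&2
    exit 1
  fi
  start_proxy_on_vm
  # Step 6, from another shell while the tunnel is up:
  #   psql "host=127.0.0.1 port=$LOCAL_PORT dbname=DBNAME user=DBUSER"
  open_tunnel "$VM_NAME" "$ZONE" "$LOCAL_PORT" "$REMOTE_PORT"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh iap_tunnel.sh run` after exporting the placeholders; with DRY_RUN=1 set, the gcloud commands are printed instead of executed, which is also how the functions can be exercised without a project. The tunnel stays in the foreground; psql runs from a second shell.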

Connect through a SOCKS proxy

Running a SOCKS service on the intermediary VM provides a flexible andscalable connection to your Cloud SQL instance, with end-to-end encryption provided by the Cloud SQL Auth Proxy.

For more information on using a SOCKS proxy to connect to your Cloud SQL instance, see Connect using an intermediate proxy (SOCKS5).

Connect through a pooler

If you need to install and run the Cloud SQL Auth Proxy on the intermediary VM instead of on an external client, then you can enable secure connections to it by pairing it with a protocol-aware proxy, also known as a pooler. Popular open source poolers for PostgreSQL include Pgpool-II and PgBouncer.

In this solution, you run both the Cloud SQL Auth Proxy and the pooler on the intermediary VM. Your client or application can then securely connect directly to the pooler over SSL/TLS, without the need to run any additional services. The pooler takes care of passing PostgreSQL queries along to your Cloud SQL instance through the Cloud SQL Auth Proxy. Because the pooler is the hop that crosses the network, it must require TLS and a real authentication method from its clients; the proxy covers only the hop from the VM to the instance.

Because every Cloud SQL instance has a separate internal IP address, each proxy service can communicate with only one specific instance: either the primary instance, the standby, or a read pool. Therefore, for every instance, you must run a separate pooler service with an appropriately configured SSL certificate.
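
The following script, added here as a worked example and not part of the Cloud SQL documentation or of PgBouncer, renders a PgBouncer configuration for the intermediary VM in which the pooler fronts a Cloud SQL Auth Proxy listening on loopback, and includes a check that rejects configurations where the client-facing hop is left in plaintext or open to unauthenticated clients. The certificate and key paths, DBNAME, LISTEN_ADDR and the instance connection name are placeholders.

```shell
#!/bin/sh
# Added example, not from the Cloud SQL documentation: renders a PgBouncer
# configuration for the intermediary VM, where the pooler fronts a Cloud SQL
# Auth Proxy listening on loopback, and checks that the client-facing hop
# cannot be downgraded. Paths, DBNAME, LISTEN_ADDR and the instance connection
# name are placeholders.
set -eu
: "${DBNAME:=appdb}"
: "${LISTEN_ADDR:=10.128.0.5}"          # the VM's internal IP; never 0.0.0.0 on a VM that also has a public address
: "${INSTANCE_CONNECTION_NAME:=my-project:us-central1:my-instance}"

# ini_value FILE KEY: print KEY's value, dropping ; comments and surrounding spaces.
ini_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" \
    | tail -n 1 | sed 's/[[:space:]]*$//'
}

# render_pgbouncer_ini DBNAME LISTEN_ADDR LISTEN_PORT PROXY_PORT
# Clients cross the network to reach the pooler, so TLS is required from them
# and passwords are verified with SCRAM. The hop from the pooler to the proxy
# stays on 127.0.0.1, and the proxy carries its own TLS to the instance, so
# server_tls is disabled for that loopback hop only.
render_pgbouncer_ini() {
  cat <<EOF
[databases]
$1 = host=127.0.0.1 port=$4 dbname=$1

[pgbouncer]
listen_addr = $2
listen_port = $3
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
pool_mode = transaction
max_client_conn = 200
default_pool_size = 20

; client-facing hop: must be encrypted
client_tls_sslmode = require
client_tls_key_file = /etc/pgbouncer/server.key
client_tls_cert_file = /etc/pgbouncer/server.crt

; loopback hop to the Cloud SQL Auth Proxy, which encrypts traffic to the instance
server_tls_sslmode = disable
EOF
}

# check_pooler_config FILE
# Returns 0 only if clients are forced onto TLS and a real auth method is set;
# otherwise explains the problem on stderr and returns 1.
check_pooler_config() {
  sslmode=$(ini_value "$1" client_tls_sslmode)
  auth=$(ini_value "$1" auth_type)
  case "$sslmode" in
    require|verify-ca|verify-full) ;;
    *) echo "client_tls_sslmode is '${sslmode:-unset}': clients may connect in plaintext" >&2; return 1 ;;
  esac
  case "$auth" in
    trust|any|"") echo "auth_type is '${auth:-unset}': anyone who reaches the pooler gets in" >&2; return 1 ;;
  esac
  return 0
}

main() {
  render_pgbouncer_ini "$DBNAME" "$LISTEN_ADDR" 6432 5432 > /etc/pgbouncer/pgbouncer.ini
  check_pooler_config /etc/pgbouncer/pgbouncer.ini
  # Proxy first (private IP of the instance, loopback listener), then the pooler.
  ./cloud-sql-proxy --private-ip --port 5432 "$INSTANCE_CONNECTION_NAME" &
  exec pgbouncer /etc/pgbouncer/pgbouncer.ini
}

case "${1:-}" in run) main ;; esac
```

Run it on the VM as `sh pooler.sh run`. Clients then connect to LISTEN_ADDR:6432 with sslmode=require (or verify-full against the certificate you installed); the userlist.txt entries must hold SCRAM verifiers for the database users, since auth_type is scram-sha-256.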

Connect through Cloud VPN or Cloud Interconnect

For production work requiring high availability (HA), we recommend the use of a Google Cloud Network Connectivity product, such as Cloud VPN or Cloud Interconnect, depending upon your external service's needs and network topology. You then configure Cloud Router to advertise the appropriate routes.

To learn more about Network Connectivity solutions, see Choosing a Network Connectivity product.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-14 UTC.