Edit instances

This page describes how to edit an existing Cloud SQL instance.

After you create an instance, you can edit it while it's running to change its settings. For information about instance settings and how changing settings can impact an instance, see Instance Settings.

Note: This procedure restarts the instance. See How long are instances shut down during restart?

Edit an instance

Most edits can be applied to an instance only when it's running.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

  2. To open the Overview page of an instance, click the instance name.
  3. Click Edit.
  4. In the Customize your instance section, if the Show configuration options menu appears, then click it.
  5. Update any editable settings for your instance.

    Learn more about instance settings.

  6. Click Save.

gcloud

This command modifies the backup start time.

gcloud sql instances patch INSTANCE_NAME \
--backup-start-time 16:00

This command allows other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over an internal connection.

gcloud sql instances patch INSTANCE_NAME \
--enable-google-private-path

This command lets you update a Cloud SQL instance so that it can integrate with Vertex AI. By using this integration, you can apply large language models (LLMs), which are hosted in Vertex AI, to a Cloud SQL for PostgreSQL database.

gcloud sql instances patch INSTANCE_NAME \
--enable-google-ml-integration \
--database-flags cloudsql.enable_google_ml_integration=on

If a patch modifies a value that requires a restart, then you see a prompt to proceed with the change or cancel.

To learn more about instance configuration flags, see gcloud sql instances patch.

REST v1

By using this command, you can complete the following actions:

  • Modify the instance so that it can integrate with Vertex AI. This integration lets you apply large language models (LLMs), which are hosted in Vertex AI, to a Cloud SQL for PostgreSQL database.
  • Modify the backup start time.
  • Allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over an internal connection.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the project ID
  • INSTANCE_ID: the instance ID
  • PRIVATE_NETWORK: the network that you're adding or selecting to create a private connection

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID

Request JSON body:

{
  "settings": {
    "enableGoogleMlIntegration": true,
    "databaseFlags": [
      {
        "name": "cloudsql.enable_google_ml_integration",
        "value": "on"
      }
    ],
    "backupConfiguration": {
      "startTime": "16:00",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "ipConfiguration": {
      "privateNetwork": "PRIVATE_NETWORK",
      "authorizedNetworks": [],
      "ipv4Enabled": false,
      "enablePrivatePathForGoogleCloudServices": true
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-16T02:32:12.281Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

If a patch modifies a value that requires a restart, you will see a prompt to proceed with the change or cancel.

To see how the underlying REST API request is constructed for this task, see the APIs Explorer on the instances:patch page.

REST v1beta4

By using this command, you can complete the following actions:

  • Modify the instance so that it can integrate with Vertex AI. This integration lets you apply large language models (LLMs), which are hosted in Vertex AI, to a Cloud SQL for PostgreSQL database.
  • Modify the backup start time.
  • Allow other Google Cloud services, such as BigQuery, to access data in Cloud SQL and make queries against this data over an internal connection.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the project ID
  • INSTANCE_ID: the instance ID
  • PRIVATE_NETWORK: the network that you're adding or selecting to create a private connection

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID

Request JSON body:

{
  "settings": {
    "enableGoogleMlIntegration": true,
    "databaseFlags": [
      {
        "name": "cloudsql.enable_google_ml_integration",
        "value": "on"
      }
    ],
    "backupConfiguration": {
      "startTime": "16:00",
      "enabled": true,
      "binaryLogEnabled": true
    },
    "ipConfiguration": {
      "privateNetwork": "PRIVATE_NETWORK",
      "authorizedNetworks": [],
      "ipv4Enabled": false,
      "enablePrivatePathForGoogleCloudServices": true
    }
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-16T02:32:12.281Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

If the patch modifies a value that requires a restart, you will see a prompt to proceed with the change or cancel.

To see how the underlying REST API request is constructed for this task, see the APIs Explorer on the instances:patch page.

Edit an instance with Private Service Connect enabled

You can update an instance with Private Service Connect enabled by using gcloud CLI or the API. For example, you can update projects associated with instances for the following purposes:

  • To allow connections from Private Service Connect endpoints to the Cloud SQL instances.
  • To remove projects from the list of allowed projects. For any project that's removed, connections to any existing Private Service Connect endpoints continue to work, but new endpoints aren't accepted.

Note: There are some limitations to modifying instances with Private Service Connect enabled. For more information, see Limitations.

gcloud

To update projects that can use Private Service Connect, use the gcloud sql instances patch command:

gcloud sql instances patch INSTANCE_NAME \
--project=PROJECT_ID \
--allowed-psc-projects=ALLOWED_PROJECTS

Make the following replacements:

  • INSTANCE_NAME: the name of the Cloud SQL instance to which Private Service Connect endpoints in VPC networks can connect.
  • PROJECT_ID: the ID or project number of the Google Cloud project that contains the instance to which Private Service Connect endpoints in VPC networks can connect.
  • ALLOWED_PROJECTS: a list of allowed project IDs or numbers, separated by commas. These projects override projects that are already configured to use Private Service Connect. If a project isn't contained in this list, then you can't use it to create an instance and enable Private Service Connect for it.

The following example lets two projects (98765 and 87654) make connections from Private Service Connect endpoints to the myinstance Cloud SQL instance that's contained in the 12345 project:

gcloud sql instances patch myinstance \
--project=12345 \
--allowed-psc-projects='98765','87654'

To remove all allowed projects, use the gcloud sql instances patch command and the --clear-allowed-psc-projects flag:

gcloud sql instances patch INSTANCE_NAME \
--project=PROJECT_ID \
--clear-allowed-psc-projects

This flag ensures that no projects are allowed inadvertently.

REST v1

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID or project number of the Google Cloud project that contains the instance to which Private Service Connect endpoints in VPC networks can connect.
  • INSTANCE_NAME: the name of the Cloud SQL instance to which Private Service Connect endpoints in VPC networks can connect.
  • ALLOWED_PROJECTS: a list of allowed project IDs or numbers, separated by commas. These projects override projects that are already configured to use Private Service Connect. If a project isn't contained in this list, then you can't use it to create an instance and enable Private Service Connect for it.

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME

Request JSON body:

{
  "kind": "sql#instance",
  "name": "INSTANCE_NAME",
  "project": "PROJECT_ID",
  "settings": {
    "ipConfiguration": {
      "pscConfig": {
        "allowedConsumerProjects": [ALLOWED_PROJECTS]
      }
    },
    "kind": "sql#settings"
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-16T02:32:12.281Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_NAME",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

To remove all allowed projects, use the clear-allowed-psc-projects flag. This flag ensures that no projects are allowed inadvertently.

To see how the underlying REST API request is constructed for this task, see the APIs Explorer on the instances:patch page.

REST v1beta4

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID or project number of the Google Cloud project that contains the instance to which Private Service Connect endpoints in VPC networks can connect.
  • INSTANCE_NAME: the name of the Cloud SQL instance to which Private Service Connect endpoints in VPC networks can connect.
  • ALLOWED_PROJECTS: a list of allowed project IDs or numbers, separated by commas. These projects override projects that are already configured to use Private Service Connect. If a project isn't contained in this list, then you can't use it to create an instance and enable Private Service Connect for it.

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME

Request JSON body:

{
  "kind": "sql#instance",
  "name": "INSTANCE_NAME",
  "project": "PROJECT_ID",
  "settings": {
    "ipConfiguration": {
      "pscConfig": {
        "allowedConsumerProjects": [ALLOWED_PROJECTS]
      }
    },
    "kind": "sql#settings"
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-16T02:32:12.281Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_NAME",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

To remove all allowed projects, use the clear-allowed-psc-projects flag. This flag ensures that no projects are allowed inadvertently.

To see how the underlying REST API request is constructed for this task, see the APIs Explorer on the instances:patch page.
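
Because the allowed-projects value overrides whatever is already configured, a change is safer when it is computed from the current list rather than typed from memory. The following added example (not part of the original documentation) builds the Private Service Connect request body from a current list plus additions and removals and reports which projects would be dropped; the function name plan_psc_patch, the sample project analytics-prod-01 and the project-ID syntax check are assumptions of this example.

```python
import json
import re

# Assumed identifier syntax: a project ID (6-30 chars, lowercase letter
# first, no trailing hyphen) or an all-digit project number.
_PROJECT_ID = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
_PROJECT_NUMBER = re.compile(r"^[0-9]+$")


def _check(project):
    if not (_PROJECT_ID.match(project) or _PROJECT_NUMBER.match(project)):
        raise ValueError(f"not a project ID or number: {project!r}")
    return project


def plan_psc_patch(instance, project, current, add=(), remove=()):
    """Return (request_body, dropped) for an allowed-projects update.

    `current` is the list already configured on the instance, read back
    before patching. Because the patch overrides that list, the new value
    is current + add - remove, and `dropped` names every project whose
    new endpoints would no longer be accepted.
    """
    remove = {_check(p) for p in remove}
    merged = []
    for p in list(current) + list(add):
        _check(p)
        if p not in remove and p not in merged:
            merged.append(p)  # keep order, drop duplicates
    dropped = [p for p in current if p not in merged]
    body = {
        "kind": "sql#instance",
        "name": instance,
        "project": project,
        "settings": {
            "ipConfiguration": {
                "pscConfig": {"allowedConsumerProjects": merged}
            },
            "kind": "sql#settings",
        },
    }
    return body, dropped


if __name__ == "__main__":
    # Constructed sample: myinstance in project 12345 currently allows
    # 98765 and 87654; add one project and retire another.
    body, dropped = plan_psc_patch(
        "myinstance", "12345",
        current=["98765", "87654"],
        add=["analytics-prod-01"],
        remove=["87654"],
    )
    print(json.dumps(body, indent=2))  # save as request.json
    print("projects dropped from the allowed list:", dropped)
```

Review the dropped list before sending the request: an empty merged list is a different operation, handled by the clear-allowed-psc-projects flag.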

Edit a custom SAN for an instance

Preview

This product is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products are available "as is" and might have limited support. For more information, see the launch stage descriptions.

If you want to use a custom DNS name to connect to a Cloud SQL instance instead of using an IP address, then configure the custom subject alternative name (SAN) setting while creating the instance. The custom DNS name that you insert into the custom SAN setting is added to the SAN field of the server certificate of the instance. This lets you use the custom DNS name with hostname validation securely.

You can perform the following operations with a custom SAN for a server certificate of an instance:

  • Add DNS names to the instance: add a comma-separated list of up to three custom DNS names to the custom SAN setting. Cloud SQL adds these names to the SAN field of the server certificate. You can secure multiple DNS names with a single certificate.
  • Modify DNS names for the instance: change the custom DNS names that you want to add to the SAN field of the server certificate of the instance.
  • Remove DNS names from the instance: remove all custom DNS names from the SAN field of the server certificate of the instance.

You can edit a custom SAN for an instance by using gcloud CLI or the API.

Note: This feature is available for CUSTOMER_MANAGED_CAS_CA instances only.

gcloud

To edit a custom SAN for an instance, use the gcloud beta sql instances patch command:

gcloud beta sql instances patch INSTANCE_NAME \
--project=PROJECT_ID \
--custom-subject-alternative-names=DNS_NAMES

Make the following replacements:

To remove all DNS names from the server certificate of a Cloud SQL instance, use the gcloud beta sql instances patch command and the --clear-custom-subject-alternative-names flag:

gcloud beta sql instances patch INSTANCE_NAME \
--project=PROJECT_ID \
--clear-custom-subject-alternative-names

This flag ensures that no DNS names are added to the certificate inadvertently.

REST

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID or project number of your Google Cloud project. This project contains a Cloud SQL instance that has a server certificate to which you're adding, modifying, or removing DNS names.
  • INSTANCE_NAME: the name of the instance.
  • DNS_NAMES: a comma-separated list of up to three DNS names that you're adding to the server certificate of your instance.

    If you already have DNS names that you added to the certificate, and you use this parameter to specify different DNS names, then Cloud SQL removes the original DNS names from the certificate.

    If you don't specify any DNS names for the customSubjectAlternativeNames parameter, but provide the null [] value instead, then Cloud SQL removes all DNS names from the server certificate of the instance. This ensures that no DNS names are added to the certificate inadvertently.

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME

Request JSON body:

{
  "kind": "sql#instance",
  "name": "INSTANCE_NAME",
  "project": "PROJECT_ID",
  "settings": {
    "ipConfiguration": {
      "customSubjectAlternativeNames": "DNS_NAMES"
    },
    "kind": "sql#settings"
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-16T02:32:12.281Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_NAME",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}

To see how the underlying REST API request is constructed for this task, see the APIs Explorer on the instances:patch page.
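
A custom SAN edit replaces the names already on the server certificate, so clients that validate a hostname dropped by the edit stop connecting. The following added example (not part of the original documentation) validates a requested name list against the three-name limit, picks between the two gcloud flags shown above, and returns the names that would leave the certificate; plan_san_patch, normalize_dns_name, the example.com names and the rejection of wildcard and single-label names are assumptions of this example.

```python
import re
import shlex

MAX_CUSTOM_SANS = 3  # limit stated on this page
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
# Wildcards are rejected here as this example's own policy.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_dns_name(name):
    """Lower-case a DNS name and reject anything that is not a plain FQDN."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        raise ValueError(f"not a fully qualified DNS name: {name!r}")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"invalid label {label!r} in {name!r}")
    return name


def plan_san_patch(instance, project, current, desired):
    """Return (argv, removed) for a custom SAN edit.

    `current` holds the names on the certificate today, `desired` the
    complete list wanted afterwards. `removed` lists names that clients
    can no longer validate once the patch is applied.
    """
    names = []
    for raw in desired:
        name = normalize_dns_name(raw)
        if name not in names:  # de-duplicate case-insensitively
            names.append(name)
    if len(names) > MAX_CUSTOM_SANS:
        raise ValueError(f"at most {MAX_CUSTOM_SANS} custom DNS names allowed")

    argv = ["gcloud", "beta", "sql", "instances", "patch", instance,
            f"--project={project}"]
    if names:
        argv.append("--custom-subject-alternative-names=" + ",".join(names))
    else:
        # An empty list is an explicit removal, not an omitted flag.
        argv.append("--clear-custom-subject-alternative-names")

    removed = [n for n in map(normalize_dns_name, current) if n not in names]
    return argv, removed


if __name__ == "__main__":
    # Constructed sample names; replace with the instance's real values.
    argv, removed = plan_san_patch(
        "myinstance", "12345",
        current=["db.example.com", "old.example.com"],
        desired=["DB.example.com", "db-ro.example.com"],
    )
    print(shlex.join(argv))
    print("names leaving the certificate:", removed)
```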

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-14 UTC.