This page describes how to upgrade your Cloud SQL instances from the oldnetwork architecture to the new network architecture.

This Cloud SQL network architecture upgrade page applies only to someCloud SQL instances.If your Cloud SQL instances use a Virtual Private Cloud (VPC)network project that was created before August 2021, then you need to upgradethe Cloud SQL network architecture for your instances.

Overview

The following table shows the benefits of new network architecture compared tothe old network architecture:

Plan your upgrade

Before you upgrade the network architecture of your Cloud SQLinstances, plan the upgrade according to the following upgrade constraints:

• If you upgrade your network architecture, then you can expect downtime onyour instance of up to 4 minutes on average.

• If there's an ongoing data migration, then you can't upgrade the sourceinstance to the new architecture during the data migration.

• If youconnect to an instance from an external source,then verify that all peering connections are updated to enable the export of custom routes.

• If you're usingservice perimeters,then verify thatShared VPC host project is included.If this project isn't included, then the migration fails.

• You can't upgrade the network architecture of instances on a network withmore than 300 Cloud SQL instances.

• If your network includes two or more instances that use private IP addressesin the same region, then Cloud SQL must use an additional /24 range (or ranges)from your allocated private services access IP address rangeto host the instances in the new network architecture.This additional consumption is temporary,and is removed during a subsequent Cloud SQL maintenance event.

Plan to upgrade all Cloud SQL instances in a network project

Your Cloud SQL instances can reside either in the same project as theVPC network or in a separate project. The project hosting theVPC network is thenetwork project.

A network project can operate indual stack mode, meaning that it can hostCloud SQL instances simultaneously, using both the old and new network architectures. This occurs when at least one instance within the project usesthe old architecture. As a result, Cloud SQL can't upgrade the projectto the new architecture.

To query the network architecture for all instances within a project,you can usegcloud CLI or the API.

Considerations for dual stack projects

When using dual stack projects, keep in mind the following considerations:

• Upgrade an instance implicitly: When you modify an instance's privatenetwork or enable the private IP address within a dual stack project, Cloud SQLmight upgrade the instance to the new network architecture implicitly.
• No architecture downgrades: Network changes never downgrade an instance'snetwork architecture.
• Reject requests: If a network change needs a downgrade to complete, thenCloud SQL rejects the request.
• New instances can't use IP ranges from the old network architecture: Whena project is in dual stack mode, you can't create instances that use IP rangesthat are associated with service connections from the old network architecture.

To avoid potential conflicts and to ensure a smooth network upgrade, we recommend thatyou plan to upgrade all instances in the project to the new architecture.

Upgrade your Cloud SQL network architecture

To upgrade the network architecture of yourCloud SQL instance, do the following:

1. Check the network architecture of eithera single Cloud SQL instance ormultiple Cloud SQL instances.
2. Upgrade the network architecture of a Cloud SQL instance.

Check the network architecture of a single Cloud SQL instance

To check the current network architecture of a single instance,use thegcloud sql instances describe command or theinstances.get method.

   gcloud sql instances describeINSTANCE_NAME

name:INSTANCE_NAMEproject:PROJECT_ID...sqlNetworkArchitecture:OLD_NETWORK_ARCHITECTURE

name:INSTANCE_NAMEproject:PROJECT_ID...sqlNetworkArchitecture:NEW_NETWORK_ARCHITECTURE

GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME

{  "sqlNetworkArchitecture": "NETWORK_ARCHITECTURE_TYPE"}

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

{  "kind": sql#instance  "name":INSTANCE_NAME  "project":PROJECT_ID  "sqlNetworkArchitecture": enum (SqlNetworkArchitecture)  ...}

GET https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME

{  "sqlNetworkArchitecture": "NETWORK_ARCHITECTURE_TYPE"}

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

{  "kind": sql#instance  "name":INSTANCE_NAME  "project":PROJECT_ID  "sqlNetworkArchitecture": enum (SqlNetworkArchitecture)  ...}

Check the network architecture of multiple Cloud SQL instances

To check the network architecture of multiple instances in a project,use thegcloud sql instances list command or theinstance.list method.

gcloud sql instances list --show-sql-network-architecture

NAMEDATABASE_VERSIONLOCATION...SQL_NETWORK_ARCHITECTUREinstance_1POSTGRES_13asia-northeast1-bOLD_NETWORK_ARCHITECTUREinstance_2MYSQL_5_7europe-west1-dNEW_NETWORK_ARCHITECTURE...

LIST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances

{  "sqlNetworkArchitecture": "NETWORK_ARCHITECTURE_TYPE"}

curl -X LIST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method LIST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances" | Select-Object -Expand Content

{  "kind": sql#instance  "name":INSTANCE_NAME  "project":PROJECT_ID  "sqlNetworkArchitecture": enum (SqlNetworkArchitecture)  ...}

LIST https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances

{  "sqlNetworkArchitecture": "NETWORK_ARCHITECTURE_TYPE"}

curl -X LIST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method LIST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1beta4/projects/PROJECT_ID/instances" | Select-Object -Expand Content

{  "kind": sql#instance  "name":INSTANCE_NAME  "project":PROJECT_ID  "sqlNetworkArchitecture": enum (SqlNetworkArchitecture)  ...}

Upgrade the network architecture of a single Cloud SQL instance

To upgrade the network architecture for a single instance, use thegcloud sql instances patch command, theinstance.update method, or theinstance.patchmethod.

gcloud sql instances patchINSTANCE_NAME --upgrade-sql-network-architecture

operation_id

operation_id

PATCH https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME

{  "sqlNetworkArchitecture": "NETWORK_ARCHITECTURE_TYPE"}

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

{  "kind": sql#instance,  "targetLink": string,  "status": enum (SqlOperationStatus),  "name": string,  "insertTime": string,  "startTime": string,  "endTime": string  ...}

operation_id

PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME

{  "sqlNetworkArchitecture": "NETWORK_ARCHITECTURE_TYPE"}

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_NAME" | Select-Object -Expand Content

{  "kind": sql#instance,  "targetLink": string,  "status": enum (SqlOperationStatus),  "name": string,  "insertTime": string,  "startTime": string,  "endTime": string  ...}

Frequently asked questions

This section provides answers to frequently asked questions aboutupgrading your Cloud SQL network architecture.

• What's the impact of the upgrade on my Cloud SQL instance?
• Do all features work the same after the upgrade?
• Which instances use the old network architecture?
• Are all new Cloud SQL instances created on the new network architecture?
• Is it possible to update all instances in a project with a single command?
• Does the replica automatically get upgraded if I upgrade the primary?
• I received a notification that the network architecture of my Cloud SQL instances will be upgraded. What do I need to do?
• When I attempt to upgrade my instance, I receive the error "outside the reserved IP address range". What do I need to do?

What's the impact of the upgrade on my Cloud SQL instance?

When upgrading your network architecture, the Cloud SQL instance has aMAINTENANCE state. In this state, the instance experiences up to four minutesof downtime, on average. Any additional changes to the instance aren't alloweduntil the upgrade is complete. Other instances in your project or network aren'taffected by the upgrade.

Do all features work the same after the upgrade?

All features of your Cloud SQL instance work the same on the newarchitecture as they did on the old architecture. After you upgrade an instanceto use the new network architecture, if you want to switch the network of thatinstance, then make sure that all instances in the destination network are alsoupgraded to the new network architecture.

Which instances use the old network architecture?

Any new projects that were created after August, 2021 automatically usethe new network architecture. Existing projects can contain Cloud SQLinstances that are created before August 2021 and still use the old networkarchitecture. Therefore, all instances within an existing project must beupgraded before any new instances in that project can start using the newnetwork architecture.

Are all new Cloud SQL instances created on the new network architecture?

By default, new Cloud SQL instances created in projects created afterAugust 2021 use the new network architecture.

If you want to create an instancein a project created before August 2021 and use the new network architecture,then you must update all of your existing instances in that project to thenew network architecture. If you're usingShared VPC,then you must update all instances in the projects that are participating in theShared VPC.

After you've updated all the existing instances in your project, waitseveral hours before you create any instances in the project.New instances that you create in the project use the new network architecture.

If there are recently deleted instances with the old network architecture, youneed to wait four days before creating a new instance with the new networkarchitecture. This delay accommodates the process torestorea deleted instance.

Is it possible to update all instances in a project with a single command?

No, the upgrade to the new network architecture is based on each instance.

Does the replica automatically get upgraded if I upgrade the primary?

No, the upgrade to the new network architecture is based on each individualinstance. Each replica is treated as a separate instance and must be upgradedseparately. This means that if the primary is upgraded and the replica isusing the old network architecture, the replica isn't affected.The opposite is also true. If you upgrade a replica, the primary won't beaffected.

I received a notification that the network architecture of my Cloud SQL instances will be upgraded. What do I need to do?

No action is required by you.

For some instances, when the automatic upgrade occurs on a private network, therequest is temporarily rejected. As a workaround, you can upgrade the networkarchitecture of your instance yourself by following the procedure inUpgrade the network architecture of a single Cloud SQL instance.

When I attempt to upgrade my instance, I receive the error "outside the reserved IP address range". What do I need to do?

To use Cloud SQL instances in a VPC network withprivate IP, allocate IP address ranges when you set upprivate services access for the VPC network.

For example, if an IP allocated address range is changed or deleted,then you might encounter an error similar to the following:

Network architecture upgrade not allowed for private-ip instancePROJECT_ID:INSTANCE_NAMEwhose IP address range10.0.0.0/24 is outside the reserved IP address range forprivate services access. Re-allocate the IP address range for private services access and retry.

In this example, the original allocated IP address range has thenamegoogle-managed-services-VPC_NETWORK_NAME, and the originalallocated IP address range is10.0.0.0/16.Then you create an instance with a private IP address of10.0.0.1.If the IP address range ofgoogle-managed-services-VPC_NETWORK_NAME is deleted,or is updated to refer to a range of10.1.0.0/16this range doesn't cover the instance's private IP address10.0.0.1.Afterwards, when you try to upgrade the network architecture of your instance,you encounter theoutside the reserved IP address range error.

To resolve this issue, follow the procedure inConfigure private services access for Cloud SQL.Re-allocate an IP address range that includes the IP address ofyour instance into the ranges allocated for private services access.At the least, you can allocate the IP address range reported in yourerror message (in the previous example,10.0.0.0/24.)

Then retry the network architecture upgrade.

What's next

• Read more aboutPrivate Service Connect
• Read more aboutAssured Workloads
• Read more aboutConfigure private service access for Cloud SQL
• Read more aboutDatabase migration service to AlloyDB for PostgreSQL