Configure Cloud SQL instance access

This document provides detailed steps for setting up Virtual Private Cloud peering, installing a Cloud SQL proxy, and connecting to an internal Cloud SQL IP address across different Google Cloud projects. This setup ensures security-enhanced and efficient communication between your Cloud SQL instance and the following connectors:

This document also covers the creation of a network attachment in the BigQuery Data Transfer Service connector project.

Before you begin

Ensure you have the following:

  • Access to a Google Cloud project with the BigQuery Data Transfer Service connector and another Google Cloud project with the Cloud SQL instance.
  • An existing MySQL or PostgreSQL database in a Google Cloud project.
  • The appropriate permissions to create a VPC, create firewall rules, and install software.
  • A virtual machine (VM) instance.

Set up VPC peering

To set up VPC peering, you must create VPC peering from the BigQuery Data Transfer Service connector project, create VPC peering in the Cloud SQL database project to the BigQuery Data Transfer Service project, and configure the routes and firewall rules.

Create VPC peering from the BigQuery Data Transfer Service connector project

  1. In the Google Cloud console, go to the VPC network peering page for your BigQuery Data Transfer Service connector project.

    Go to VPC Network Peering

  2. Click Create peering connection.

  3. In the Name field, enter a name for your peering configuration.

  4. For Your VPC network, select the VPC network that you want to peer in the BigQuery Data Transfer Service connector project.

  5. For Peered VPC network, select the In another project option.

  6. For Project ID, enter the project ID of the Cloud SQL project.

  7. For VPC network name, enter the name of the VPC network in the Cloud SQL project.

  8. Click Create.

Create VPC peering in the Cloud SQL database project

To create VPC peering in the Cloud SQL database project to the BigQuery Data Transfer Service project, do the following:

  1. In the Google Cloud console, go to the VPC Network Peering page for your BigQuery Data Transfer Service connector project.

    Go to VPC Network Peering

  2. Click Create peering connection.

  3. In the Name field, enter a name for your peering configuration.

  4. Select the VPC network that you want to peer in the Cloud SQL database project.

  5. For Peer project ID, enter the project ID of the BigQuery Data Transfer Service project.

  6. For Peered VPC network, enter the name of the VPC network in the BigQuery Data Transfer Service connector project.

  7. Click Create.

Configure routes and firewall rules

If you didn't select import-export routes while configuring the peering connections earlier, follow these steps to do so now:

  1. Go to the Routes page for your BigQuery Data Transfer Service connector project.

    Go to Routes

  2. Ensure the routes exist to allow traffic between the peered VPC environments.

  3. Go to the Firewall policies page.

    Go to Firewall policies

  4. Create firewall rules to allow for traffic on the necessary ports (for example, port 3306 for MySQL and port 5432 for PostgreSQL) between the peered networks.

  5. Add the custom firewall rules that are required from the BigQuery Data Transfer Service connector project to the Cloud SQL database-hosted project.

  6. Configure routes and firewall rules for your project with the Cloud SQL instance as you did in the previous steps.
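
A check to run once the rules from step 4 exist, added here as an example and not part of the original documentation: it reads firewall rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` and reports enabled ingress rules that expose port 3306 or 5432 to sources outside the peered range. The sample rules, their names, and the CIDR used for the peered range are constructed.

```python
import ipaddress
import json

DB_PORTS = {3306, 5432}  # MySQL and PostgreSQL ports named in step 4

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-mysql-from-peer", "direction": "INGRESS", "sourceRanges": ["10.20.0.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]},
 {"name": "allow-range-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["5000-6000"]}]},
 {"name": "allow-all-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
  "allowed": [{"IPProtocol": "all"}]},
 {"name": "allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")


def covers_db_port(allowed):
    """True if one `allowed` entry admits TCP 3306 or 5432."""
    if allowed.get("IPProtocol") not in ("tcp", "6", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:  # no port list: every port of the protocol is open
        return True
    for spec in ports:  # each spec is "N" or "LOW-HIGH"
        low, _, high = spec.partition("-")
        if any(int(low) <= p <= int(high or low) for p in DB_PORTS):
            return True
    return False


def audit(rules, peer_cidr):
    """Names of enabled ingress rules that open a database port to any
    source outside peer_cidr (the peered subnet, an assumed input)."""
    peer = ipaddress.ip_network(peer_cidr)
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(covers_db_port(a) for a in rule.get("allowed", [])):
            continue
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src)
            if net.version != peer.version or not net.subnet_of(peer):
                findings.append(rule["name"])
                break
    return findings
```

Calling `audit(SAMPLE_RULES, "10.20.0.0/24")` flags the port-range rule and the all-protocols rule, the two that reach a database port from beyond the peered subnet. Rules that select sources by tag or service account carry no `sourceRanges` and are not evaluated by this check.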

Set up the Cloud SQL proxy

  1. Use SSH to connect to a virtual machine (VM) instance in the BigQuery Data Transfer Service connector project.

  2. In the terminal, download the Cloud SQL proxy:

    wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy

  3. Update the permissions for the downloaded file:

    chmod +x cloud_sql_proxy

  4. Run the Cloud SQL proxy:

    ./cloud_sql_proxy -instances=NAME=tcp:PORT &

    Replace the following:

    • NAME: the name of your Cloud SQL instance connection
    • PORT: 3306 for MySQL or 5432 for PostgreSQL

Connect to the internal Cloud SQL IP address

  1. Use the internal IP address of the Cloud SQL instance for connections.
  2. Configure your application or tool to connect to the internal IP address, specifying the appropriate credentials and database details.

When connecting from a different Google Cloud project, use the internal IP address of the proxy VM that you deployed earlier. This solution resolves transitive peering issues.

Create the network attachment

To create the network attachment in the BigQuery Data Transfer Service connector project, follow these steps:

  1. In the Google Cloud console, go to the Network attachments page.

    Go to Network attachments

  2. Click Create network attachment.

  3. Provide a name for the network attachment.

  4. Select the appropriate VPC network.

  5. For Region, specify the region where your BigQuery Data Transfer Service connector is located.

  6. For Subnetwork, select the appropriate option that matches your setup.

  7. Click Create network attachment.

Test the connection

  1. Verify that the VM with the Cloud SQL proxy can connect to the Cloud SQL instance:

    mysql -u USERNAME -p -h IP_ADDRESS

    Replace the following:

    • USERNAME: the username of the database user
    • IP_ADDRESS: the IP address of the Cloud SQL instance
  2. Ensure that applications in the BigQuery Data Transfer Service connector project can connect to the Cloud SQL instance using the internal IP.

Troubleshoot

If you are having issues setting up your network configuration, do the following:

  • Ensure that VPC peering is established and that routes are correctly configured.
  • Verify that the firewall rules allow for traffic on the required ports.
  • Check the Cloud SQL proxy logs for errors and ensure it is running correctly.
  • Ensure that the network attachment is correctly configured and connected.

Last updated 2025-12-15 UTC.