How to port forward/proxy Cloud SQL connection to access from the internet? - mysql

Is there a way to proxy/ port forward GCP Cloud SQL so that we can connect to it via the internet?
I don't want to do an SSH port forward via a Virtual Machine. Instead, I'm looking for a way such that we could connect to CloudSQL from a public IP of either a Virtual Machine or a Kubernetes service.
I don't want to connect directly from the public IP of the CloudSQL instance as it requires us to whitelist the user's IP address. We have also tried the Cloud SQL proxy but faced speed and performance issues.
Hence, now I'm looking for a solution to proxy the CloudSQL connection from a VM or Kubernetes service.
I have tried using Stunnel to proxy the connection as described in this documentation.
output=/tmp/stunnel.log
CAfile=/tmp/mysql-server-ca.pem
client=yes
pid=/var/run/stunnel.pid
verifyChain=yes
sslVersion=TLSv1.2
[mysqls]
accept=0.0.0.0:3307
connect=private-ip:3306
But, I get an error while connecting to the MySQL server:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104
Edit:
Stunnel runs on a Virtual Machine on Google Cloud
Stunnel connects to CloudSQL via Private IP (Both VM and CloudSQL share the same subnet)
MySQL can be connected from the VM using the private IP
Stunnel Logs:
2022.09.22 10:53:17 LOG5[2]: Service [mysqls] accepted connection from 127.0.0.1:37014
2022.09.22 10:53:17 LOG5[2]: s_connect: connected <mysql-private-ip>:3306
2022.09.22 10:53:17 LOG5[2]: Service [mysqls] connected remote server from 10.128.0.53:53302
2022.09.22 10:53:17 LOG3[2]: SSL_connect: ../ssl/record/ssl3_record.c:331: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022.09.22 10:53:17 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
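The log line "ssl3_get_record:wrong version number" is what a TLS client reports when the bytes it receives are not a TLS record. MySQL on port 3306 does not speak TLS from the first byte: the server sends a plaintext handshake greeting first, and TLS is only negotiated afterwards if the CLIENT_SSL capability bit is set. A wrapper that expects a TLS server on that port (stunnel with client=yes) sends a ClientHello and then tries to read the greeting as a TLS record. The parser below is an added example for this thread, not code from the original post, stunnel or MySQL; the greeting bytes are constructed by hand, and the field layout follows the MySQL v10 handshake packet.

```python
"""Decode a MySQL v10 server greeting and show how a TLS record layer
would (mis)read the same bytes.

Added example; the sample greeting is constructed, not captured.
"""
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000
DEFAULT_CAPS = CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH


def build_sample_greeting(server_version=b"8.0.26-google", capabilities=DEFAULT_CAPS):
    """Construct a plausible handshake packet (sample data for this example)."""
    p = bytearray()
    p += b"\x0a"                                   # protocol version 10
    p += server_version + b"\x00"                  # NUL-terminated server version
    p += struct.pack("<I", 42)                     # connection id
    p += b"ABCDEFGH"                               # auth-plugin-data part 1 (8 bytes)
    p += b"\x00"                                   # filler
    p += struct.pack("<H", capabilities & 0xFFFF)  # lower 16 capability bits
    p += b"\x21"                                   # character set
    p += struct.pack("<H", 0x0002)                 # status flags (autocommit)
    p += struct.pack("<H", capabilities >> 16)     # upper 16 capability bits
    p += b"\x15"                                   # auth-plugin-data length (21)
    p += b"\x00" * 10                              # reserved
    p += b"IJKLMNOPQRST\x00"                       # auth-plugin-data part 2 (13 bytes)
    p += b"mysql_native_password\x00"              # auth plugin name
    header = struct.pack("<I", len(p))[:3] + b"\x00"  # 3-byte LE length + sequence id
    return bytes(header + p)


def parse_greeting(data):
    """Parse the server greeting and report whether TLS can be negotiated."""
    length = int.from_bytes(data[0:3], "little")
    seq = data[3]
    p = data[4:4 + length]
    if len(p) != length:
        raise ValueError("truncated packet")
    if p[0] != 10:
        raise ValueError(f"unexpected protocol version {p[0]}")
    end = p.index(b"\x00", 1)
    server_version = p[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", p, pos)[0]
    pos += 4 + 8 + 1                               # connection id, auth data part 1, filler
    cap_lo = struct.unpack_from("<H", p, pos)[0]
    pos += 2 + 1 + 2                               # lower caps, charset, status flags
    cap_hi = struct.unpack_from("<H", p, pos)[0]
    caps = cap_lo | (cap_hi << 16)
    return {
        "sequence_id": seq,
        "server_version": server_version,
        "connection_id": conn_id,
        "capabilities": caps,
        # TLS is offered by a flag, not by speaking TLS from the first byte.
        "supports_tls": bool(caps & CLIENT_SSL),
    }


def tls_record_view(data):
    """Interpret the first bytes the way a TLS record layer would."""
    content_type = data[0]                         # MySQL: low byte of packet length
    version = int.from_bytes(data[1:3], "big")     # MySQL: remaining length bytes
    return {
        "content_type": content_type,
        "version_hex": f"0x{version:04x}",
        "looks_like_tls": content_type in (0x14, 0x15, 0x16, 0x17) and (version >> 8) == 0x03,
    }


if __name__ == "__main__":
    greeting = build_sample_greeting()
    print(parse_greeting(greeting))
    print(tls_record_view(greeting))               # version 0x0000: "wrong version number"
```

The takeaway for the setup in the question: a generic TLS forwarder cannot sit in front of port 3306, because the first bytes on the wire are a plaintext MySQL packet, not a TLS record. The Cloud SQL Auth proxy talks to a separate endpoint on port 3307 that does accept TLS directly, which is why it works where stunnel does not.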

To access Cloud SQL from a Compute Engine VM, try the following. You can use either the Cloud SQL Auth proxy (with public or private IP) or connect directly using a private IP address:
1. From the client machine or Compute Engine VM instance, use What's my IP to see the IP address of the client machine.
2. Copy that IP address. In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
3. To open the Overview page of an instance, click the instance name.
4. Select Connections from the SQL navigation menu.
5. In the Authorized networks section, click Add network and enter the IP address of the machine where the client is installed. Note: The IP address of the instance and the MySQL client IP address you authorize must be the same IP version: either IPv4 or IPv6.
6. Click Done. Then click Save at the bottom of the page to save your changes.
7. Connect to your instance, either with SSL or without SSL.
To access a Cloud SQL instance from an application running in Google Kubernetes Engine, you can use either the Cloud SQL Auth proxy (with public or private IP), or connect directly using a private IP address. To connect to Cloud SQL you must have:
A GKE cluster, with the kubectl command-line tool installed and configured to communicate with the cluster. For help getting started with GKE, see the Quickstart.
Check the document for steps on how to configure without SSL.
For Public IP-configured instances, a public-facing IPv4 address may be enabled, allowing users outside the GCP project and VPC network to connect to the instance.
Check the similar example here.

Related

Connecting to Google Cloud MySql DB with a changing IP address

I connect to a Google Cloud MySQL DB from my laptop, however my IP address not only changes at home, but also when I travel. I have to specify the allowed public ip address in Google Cloud, but every time I reconnect I have to log in & update google cloud with my new IP address.
What is the best solution to not have to do that?
To solve this issue you should use Cloud SQL Auth proxy:
The Cloud SQL Auth proxy provides secure access to your instances without the need for Authorized networks or for configuring SSL.
You can find more details on how it works in the documentation:
The Cloud SQL Auth proxy works by having a local client running in the local environment. Your application communicates with the Cloud SQL Auth proxy with the standard database protocol used by your database. The Cloud SQL Auth proxy uses a secure tunnel to communicate with its companion process running on the server.
While the Cloud SQL Auth proxy can listen on any port, it only creates outgoing connections to your Cloud SQL instance on port 3307. If your client machine has an outbound firewall policy, make sure it allows outgoing connections to port 3307 on your Cloud SQL instance's IP.

How to connect SSMS from my local Windows machine to Google Cloud SQL Proxy which is running in GCP VM Instance?

I configured a Cloud SQL instance with a private IP, and the VM with service account credentials configured.
I could successfully connect to SQL Server from the VM instance to the SQL instance (private IP) using the Cloud SQL proxy as follows,
./cloud_sql_proxy -instances=proj:us-central1:test-sql=tcp:5353 -credential_file=service.json
and from the VM,
sqlcmd -S tcp:127.0.0.1,5353 -U sqlserver
All of these work from the VM and inside Google Cloud.
How do I achieve the same connectivity from local SSMS? I have tried downloading cloud-sql-proxy for Windows and calling it with the same arguments,
cloud_sql_proxy.exe -instances=proj:us-central1:test-sql=tcp:5353 -credential_file=service.json
using credential file for authentication; email=test#proj.iam.gserviceaccount.com
Listening on 127.0.0.1:5353 for proj:us-central1:test-sql
Ready for new connections
And I try to connect from SSMS using the connection params below,
Error from cloud_sql_proxy CMD:
couldn't connect to "proj:us-central1:test-sql": dial tcp <PRIVATE_IP>:3307: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Any idea what the problem is and why I am not able to connect from the local machine with a proper credentials file using SSMS? Or am I missing any configuration?
As this documentation says, "When you configure a Cloud SQL instance to use private IP, you use private services access. Private services access is implemented as a VPC peering connection between your VPC network and the underlying Google services VPC network where your Cloud SQL instance resides". That means that only the Google network can access the private IP. However, you can use private services access to connect to Cloud SQL resources from external sources over a VPN tunnel or Cloud Interconnect to your VPC network. The topology should be like this:
ON-PREMISE ----- VPN ----- Your GCP Project
So, have you checked if your VPN tunnel or your Cloud interconnect settings are right?
I would recommend you take a look here and make sure you have followed this:
1.- Ensure your VPC network is connected to the external network using a Cloud VPN tunnel or a VLAN attachment for Dedicated Interconnect or Partner Interconnect.
2.- Identify the peering connections produced by the private services connection:
* cloudsql-mysql-googleapis-com
* cloudsql-postgres-googleapis-com
* servicenetworking-googleapis-com
3.- Update all of the peering connections to enable Export custom routes.
4.- Identify the allocated range used by the private services connection.
5.- Create a Cloud Router custom route advertisement for the allocated range on the Cloud Routers managing BGP sessions for your Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).

Connect to new Google Cloud SQL (MySQL) 2nd Generation via VPN

The new Google Cloud SQL Engine creates its own VM instance to run a MySQL database, with an exposed public IP address. I was hoping that it would be possible to VPN into the Google Compute Cloud, then connect to the MySQL VM instance internally. Is this possible? The computer I am trying to connect from is a physical machine located outside of the cloud.
If it's not possible, what if I connect via VPN and use the public IP address to connect to the MySQL instance? Would it resolve to the internal network quickly and mimic the behavior of a local connection (no delay)? Or would it have the same performance as connected to the external IP address with no VPN in place?
Sorry, there's currently no VPN/private IP support for Cloud SQL. At the moment, you can use instance settings to control which IPs are allowed to connect. By default, the mysql server is locked down from all external connectivity.
Connecting through a VPN should not improve latency and may in fact hurt it, depending on how things are set up. I would recommend doing your own test if that's something you wish to verify.
You can also use the Cloud SQL Proxy to connect externally which uses SSL certs to establish an SSL tunnel to MySQL.

Can't connect Google Cloud SQL(2nd) from GCE (Google Compute Engine)

I can't connect to Google Cloud SQL from GCE even though I added the public IP (external IP) of my GCE instance as an authorized network. It works when I add "0.0.0.0" to the authorized networks. Obviously I don't want to do that. The authorized network setting may be the cause, but I can't find out what it is. Does anyone know about this?
I'm using Google Cloud SQL version 2 beta. I am trying to connect from the GCP cloud console. Although it may not be necessary, I changed the external IP setting from ephemeral to static, but it didn't work.
mysql -u root -p -h xxxx <--- I can login normally if I add "0.0.0.0" into authorized network.
I've double-checked this same question:
Linking Google Compute Engine and Google Cloud SQL
1. Ensure your Cloud SQL instance has an IPv4 address.
2. Find out the public IP address of your GCE instance and add it as an authorized network on your Cloud SQL instance.
3. Add a MySQL username and password for your instance with remote access.
4. When connecting from GCE, use your standard MySQL connection system (e.g. mysqli_connect) with the username and password you just set up, connecting to the IPv4 address of your Cloud SQL instance.
Edit 1
I noticed this description.
Note: Connecting to Cloud SQL from Compute Engine using the Cloud SQL Proxy is currently available only for Cloud SQL Second Generation instances.
https://cloud.google.com/sql/docs/compute-engine-access
Does it mean that I have to use the Proxy..?
Edit 2
$ mysql -u root -p -h (Cloud SQL Instance's IP)
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '(Cloud SQL Instance's IP)' (110)
Edit 3
Does it mean that I have to use the Proxy..?
According to the official document as Vadim said, Cloud SQL Proxy seems to be optional but it sounds better for security, flexibility and also the price. (static IP will be charged. However, the proxy setting may be complicated for me..)
https://cloud.google.com/sql/docs/compute-engine-access
If you are connecting to a Cloud SQL First Generation instance, then you must use its IP address to connect. However, if you are using a Cloud SQL Second Generation instance, you can also use the Cloud SQL Proxy or the Cloud SQL Proxy Docker image.
Edit 4
I found the reason... I was stupid... I tried to connect from Google Cloud Shell, but that was not my GCE instance. It works when I try to connect from my GCE instance.
Did you add the public IP of the GCE VM under authorized networks?
From your post:
2. Find out the public IP address of your GCE instance and add it as an authorized network on your Cloud SQL instance.
The official documentation is here:
https://cloud.google.com/sql/docs/external#appaccessIP
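Both this thread (the "0.0.0.0" entry that "works" but authorizes the whole internet, and the reminder to add the VM's public rather than internal address) and the answer in the first thread (the entry must be the same IP version as the instance address) come down to validating what goes into Authorized networks before saving it. The checker below is an added example and is not code from any of the posts or from Google's tooling; the size threshold, the RFC 1918 rule and the sample addresses are assumptions chosen for illustration. It emits the `gcloud sql instances patch --authorized-networks` command rather than running it, so it works offline.

```python
"""Validate Cloud SQL authorized-network entries before applying them.

Added example; the policy limits and sample inputs are assumptions.
"""
import ipaddress

# Assumed policy: an entry should name one client host (/32 or /128). A short
# CIDR is tolerated only up to this many addresses; the whole internet never is.
MAX_HOSTS_PER_ENTRY = 256

# Traffic from these ranges reaches a public Cloud SQL IP only after NAT, so the
# entry would have to be the NAT's public address instead.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def normalize_entry(entry):
    """'203.0.113.7' becomes 203.0.113.7/32; explicit CIDRs are kept as written."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def check_authorized_network(entry, instance_ip):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    try:
        net = normalize_entry(entry)
    except ValueError as exc:
        return [f"not a valid IP address or CIDR: {exc}"]
    inst = ipaddress.ip_address(instance_ip)
    if net.version != inst.version:
        problems.append(
            f"IPv{net.version} entry does not match the IPv{inst.version} instance address")
    if net.prefixlen == 0:
        problems.append("0.0.0.0/0 or ::/0 authorizes every address on the internet")
    elif net.num_addresses > MAX_HOSTS_PER_ENTRY:
        problems.append(
            f"range covers {net.num_addresses} addresses; narrow it to the client host")
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        problems.append(
            "RFC 1918 source address; the instance sees the client's NAT public IP, "
            "so authorize that instead")
    return problems


def gcloud_patch_command(instance_name, entries, instance_ip):
    """Build the gcloud command for entries that pass every check."""
    accepted = []
    for entry in entries:
        problems = check_authorized_network(entry, instance_ip)
        if problems:
            raise ValueError(f"{entry}: " + "; ".join(problems))
        accepted.append(str(normalize_entry(entry)))
    return (f"gcloud sql instances patch {instance_name} "
            f"--authorized-networks={','.join(accepted)}")


if __name__ == "__main__":
    # Sample instance address and candidate entries (constructed for this example).
    instance_ip = "34.1.2.3"
    for candidate in ["203.0.113.7", "0.0.0.0/0", "192.168.1.10", "2001:db8::1", "203.0.113.0/16"]:
        print(candidate, "->", check_authorized_network(candidate, instance_ip) or "ok")
    print(gcloud_patch_command("test-sql", ["203.0.113.7", "198.51.100.0/28"], instance_ip))
```

Note that `--authorized-networks` replaces the instance's whole list rather than appending to it, so build the complete set of entries and run the command once; reviewing the generated command before running it is the point of emitting it as text.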

Connecting MySQL Workbench with Google Cloud SQL

I have read and tried prior suggestions.
Here is what I have done.
I signed up for a static IP through a Proxy Server (that uses Port 3128)
I have tested that static IP is working (verified with several IP look up services)
I have changed the authorized root password
I have tried setting the client host to Proxy Server value on the authorized users.
I have whitelisted/authorized the static IP in Cloud SQL
I have tried both the IPv6 and IPv4 addresses from Cloud SQL in MySQL Workbench
I never get past the error: Lost connection to MySQL server at 'reading initial communication packet', system error: 22 when using the IPv6 address, and Lost connection to MySQL server at 'reading initial communication packet', system error: 0 when using the IPv4 address.
As an aside, I was able to authorize Zapier's IP and have tested a webhook to Cloud SQL.
It isn't clear from your description: did you whitelist your computer's IP address? There are sites that will tell you which IP address your computer is using, and that is the address you should use under the Access Control panel.