I have a MySQL instance on Google Cloud. I want to whitelist an IP by adding it to the authorized network on the connections tab. When I add a new IP address in public IP to authorized networks and click on save, I receive this error:
"Operation failed: Invalid request: backup retention must be >= 1 and <= 365"
Is there a way to proxy/ port forward GCP Cloud SQL so that we can connect to it via the internet?
I don't want to do an SSH port forward via a Virtual Machine. Instead, I'm looking for a way such that we could connect to CloudSQL from a public IP of either a Virtual Machine or a Kubernetes service.
I don't want to connect directly from the public IP of the CloudSQL instance as it requires us to whitelist the user's IP address. We have also tried the Cloud SQL proxy but faced speed and performance issues.
Hence, now I'm looking for a solution to proxy the CloudSQL connection from a VM or Kubernetes service.
I have tried using Stunnel to proxy the connection as described in this documentation.
output=/tmp/stunnel.log
CAfile=/tmp/mysql-server-ca.pem
client=yes
pid=/var/run/stunnel.pid
verifyChain=yes
sslVersion=TLSv1.2
[mysqls]
accept=0.0.0.0:3307
connect=private-ip:3306
But, I get an error while connecting to the MySQL server:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104
Edit:
Stunnel runs on a Virtual Machine on Google Cloud
Stunnel connects to CloudSQL via Private IP (Both VM and CloudSQL share the same subnet)
MySQL can be connected from the VM using the private IP
Stunnel Logs:
2022.09.22 10:53:17 LOG5[2]: Service [mysqls] accepted connection from 127.0.0.1:37014
2022.09.22 10:53:17 LOG5[2]: s_connect: connected <mysql-private-ip>:3306
2022.09.22 10:53:17 LOG5[2]: Service [mysqls] connected remote server from 10.128.0.53:53302
2022.09.22 10:53:17 LOG3[2]: SSL_connect: ../ssl/record/ssl3_record.c:331: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022.09.22 10:53:17 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
To access Cloud SQL from a Compute Engine VM, try the following. You can use either the Cloud SQL Auth proxy (with public or private IP) or connect directly using a private IP address.
From the client machine or Compute Engine VM instance, use What's my IP to see the IP address of the client machine.
Copy that IP address. In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
In the Authorized networks section, click Add network and enter the IP address of the machine where the client is installed. Note: The IP address of the instance and the MySQL client IP address you authorize must be the same IP version: either IPv4 or IPv6.
Click Done. Then click Save at the bottom of the page to save your changes. Connect to your instance, either with SSL or without SSL.
To access a Cloud SQL instance from an application running in Google Kubernetes Engine, you can use either the Cloud SQL Auth proxy (with public or private IP), or connect directly using a private IP address. To connect to Cloud SQL you must have:
A GKE cluster, with the kubectl command-line tool installed and configured to communicate with the cluster. For help getting started with GKE, see the Quickstart.
Check the document for steps on how to configure without SSL.
For Public IP-configured instances, a public-facing IPv4 address may be enabled, allowing users outside the GCP project and VPC network to connect to the instance.
Check the similar example here.
I configured a Cloud SQL instance with a private IP and the VM with service account credentials configured.
I could successfully connect from the VM instance to the SQL Server instance (private IP) using the Cloud SQL proxy as follows:
./cloud_sql_proxy -instances=proj:us-central1:test-sql=tcp:5353 -credential_file=service.json
and from VM,
sqlcmd -S tcp:127.0.0.1,5353 -U sqlserver
All of this works from the VM and inside Google Cloud.
How can I achieve the same connectivity from local SSMS? I have tried downloading cloud-sql-proxy for Windows and calling it the same way:
cloud_sql_proxy.exe -instances=proj:us-central1:test-sql=tcp:5353 -credential_file=service.json
using credential file for authentication; email=test#proj.iam.gserviceaccount.com
Listening on 127.0.0.1:5353 for proj:us-central1:test-sql
Ready for new connections
And I try to connect SSMS using the connection params below,
Error from cloud_sql_proxy CMD:
couldn't connect to "proj:us-central1:test-sql": dial tcp <PRIVATE_IP>:3307: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Any idea what the problem is and why I am not able to connect from my local machine with the proper credentials file using SSMS? Or am I missing any configuration?
As this documentation says, "When you configure a Cloud SQL instance to use private IP, you use private services access. Private services access is implemented as a VPC peering connection between your VPC network and the underlying Google services VPC network where your Cloud SQL instance resides". That means that only the Google network can access the private IP. However, you can use private services access to connect to Cloud SQL resources from external sources over a VPN tunnel or Cloud Interconnect to your VPC network. The topology should be like this:
ON-PREMISE ----- VPN ----- Your GCP Project
So, have you checked whether your VPN tunnel or your Cloud Interconnect settings are right?
I would recommend you take a look here and make sure you have followed these steps:
1.- Ensure your VPC network is connected to the external network using a Cloud VPN tunnel or a VLAN attachment for Dedicated Interconnect or Partner Interconnect.
2.- Identify the peering connections produced by the private services connection:
* cloudsql-mysql-googleapis-com
* cloudsql-postgres-googleapis-com
* servicenetworking-googleapis-com
3.- Update all of the peering connections to enable Export custom routes.
4.- Identify the allocated range used by the private services connection.
5.- Create a Cloud Router custom route advertisement for the allocated range on the Cloud Routers managing BGP sessions for your Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).
I was trying to create a new VM instance and, instead of creating a Static External IP, I wrongly created a Static Internal IP. When I do
gcloud compute addresses list
I get my internal IP listed. Then I use:
gcloud compute addresses delete [address-name]
It asks for confirmation to delete. But once I type 'Y' as a confirmation, I get the following error stating that the resource itself is not found:
ERROR: (gcloud.compute.addresses.delete) Could not fetch resource: - The resource "[MY_RESOURCE_NAME]" was not found
I am confused. I hope I am not being charged for this.
If you want to delete a static internal IP address from a GCP instance, you could use the following documentation and do it with the Cloud Console:
Go to the VM instances page.
Select your project.
Select the VM instance from the project list.
Select the Edit tool at the top of the page.
Click the edit tool for Network Interfaces.
Change the Internal IP type from Static to Ephemeral.
Select Release to release your static IP address.
Click Done to save your changes.
Your instance continues to use the static IP address until the instance is deleted or restarted. After that occurs, the IP address is returned to the subnet's default pool of available internal IP addresses.
I made an instance in Google Cloud > Storage > SQL > MYSQL. Now I have to import a database into it, so I am trying to connect to MySQL using Adminer, but it gives the following error:
SQLSTATE[HY000] [2002] Operation timed out
I also tried via HeidiSQL > MariaDB or MySQL (SSL Tunnel), but here also it does not connect and gives an error:
https://prnt.sc/o58in0
I am mentioning
Host: Public Ip of SQL instance
Username: root
Any suggestions, what could be the fix?
Your error typically means that a firewall blocked your connection attempt.
For Cloud SQL, this typically means that you have not enabled instance-level access.
Since your error is 10060, which is a Windows WinSock error message, I am assuming that you are running on Windows. The steps are similar for Linux.
There are two methods to enable access to Cloud SQL:
Cloud SQL Proxy
This is the recommended method and is secure. Download and install the Cloud SQL Proxy to the computer that you want to connect from. If you have set up the Cloud SDK (gcloud), Cloud SQL Proxy will use your Cloud SDK credentials. If not, then you will need to create and download a service account with (usually) the Cloud SQL Client role.
You will need the "instance connection name" from Cloud SQL Instance details page.
Download Cloud SQL Proxy (link) to your computer. Remember the full path to the program. Save the program as "cloud_sql_proxy.exe"
Start the Cloud SQL Proxy
[full_path_to_program]\cloud_sql_proxy -instances=[INSTANCE_CONNECTION_NAME]=tcp:3306
OR
[full_path_to_program]\cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:3306 -credential_file=[PATH_TO_KEY_FILE]
Connect using mysql.exe: `mysql -u USERNAME -p --host 127.0.0.1`
Public IP Method
The second method is not secure unless you also enable SSL, which I will not cover in this answer. I do not recommend this method except for knowledgeable persons.
Figure out what your public IP address is. Go to any website such as "MXToolbox" https://mxtoolbox.com/whatismyip/
Go to the Google Cloud Console
Go to the Cloud SQL Instances Details page
Select the Connections tab
Click Add network
In the Network field, enter your Public IP address using CIDR notation, e.g. 145.11.22.33/32
Enter a name such as "My Home IP"
Click Done
Click Save
Note: Most home Internet services change your Public IP address periodically. This means that you will need to update your Public IP address in Cloud SQL if you are using the second method.
Trying to connect to my Google Cloud SQL Instance. I'm at the part where I have to add an authorized subnet. I keep trying to add a new subnet but whenever I do the page tells me it couldn't complete the operation. I'm putting my IP address in CIDR format like "192.168.103.202/24", but it just won't get accepted. And I can't connect to the SQL instance without this piece. Help? Is it a bug or am I doing something wrong???
If I try to connect to my Google Cloud SQL instance without the subnet added I get the error:
I keep getting the error 'If Google Cloud SQL rejects the connection, for example, because the IP address your client is connecting from is not authorized, the error you receive will be'
which is expected as per the docs
reference:
https://developers.google.com/cloud-sql/docs/access_control
192.168.103.202 is your internal IP address, which is not publicly accessible. You need to enter your public IP address into the authorized network dialog.
The easiest way to get this is to enter "whats my ip" into Google and it will tell you "Your public IP address is x.x.x.x".
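The mistake in this last question (a private 192.168.x.x address with a /24 suffix, where an earlier answer uses a single public address such as 145.11.22.33/32) can be caught before an entry is typed into the Authorized networks dialog. The Python check below is an added example, not part of the original posts or of any Google tool; the function name check_authorized_network, the list of non-public ranges and the /24 review threshold are assumptions made for illustration.

```python
import ipaddress

# Ranges that never appear as a source address on the public internet
# (RFC 1918 private, loopback, link-local, carrier-grade NAT).
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Assumed review threshold: anything wider than a /24 gets flagged.
MAX_REVIEWED_PREFIX = 24


def check_authorized_network(entry):
    """Return (normalized CIDR or None, list of findings) for one entry."""
    try:
        # IPv4Interface accepts "a.b.c.d" (treated as /32) and "a.b.c.d/n",
        # and keeps the host part so set host bits can be reported.
        iface = ipaddress.IPv4Interface(entry.strip())
    except ValueError:
        return None, ["not a valid IPv4 address or CIDR range"]

    net = iface.network
    if net.prefixlen == 0:
        return str(net), ["matches every IPv4 address on the internet"]

    findings = []
    if iface.ip != net.network_address:
        findings.append(f"host bits set: entry actually means {net}")
    if any(net.overlaps(r) for r in NON_PUBLIC):
        findings.append("non-public range: enter the client's public IP instead")
    elif net.prefixlen < MAX_REVIEWED_PREFIX:
        findings.append(f"broad range: {net.num_addresses} addresses allowed")
    return str(net), findings


if __name__ == "__main__":
    # Constructed sample entries; the first two are values quoted on this page.
    for entry in ("192.168.103.202/24", "145.11.22.33/32", "0.0.0.0/0",
                  "145.11.0.0/16", "not-an-ip"):
        cidr, findings = check_authorized_network(entry)
        print(f"{entry:20} -> {cidr}: {'; '.join(findings) or 'ok'}")
```

An entry with no findings is a single public address or a narrow public range; anything else deserves a second look before it is saved, since every address in the range can reach the database listener.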