Diario de una developer de mierda, a Medium series by Belén Mariño Ponte

How to use CloudSQLProxy in Google Cloud Platform?

If you’d like to learn more about the “WHY” and the benefits of using CloudSQLProxy, check out the previous article in this series: CloudSQLProxy - the wiser choice than tunneling to CloudSQL via bastion.

Different applications from different environments can connect to the same CloudSQL DB Instance - each using its own CloudSQLProxy

We will first see the various ways the CloudSQLProxy software can be started: as a binary on a host, as a Docker container, or as a sidecar container in Kubernetes. We will then see how to decide between them. The decision factors are things like ServiceAccount [SA] key files, Cloud IAM roles and Public/Private IPs.

Whichever way you start it, the proxy opens a local TCP port, and your apps/tools/CLI connect to that port later instead of to the instance’s IP.

When you run the binary directly on a host, the port number 1234 can be anything unused on that host. Conventional port numbers (not required by CloudSQLProxy, but what most client libraries default to) are 3306 for MySQL, 5432 for PostgreSQL and 1433 for SQL Server.

When you run it as a Docker container, the port number 5678 can be anything unused inside the container, and you publish it on the host as 1234 (again, anything unused on the host). Your apps/tools/CLI connect to the host port, 1234, not to the container port.

Which identity the proxy should run as (a SA key file, or the built-in identity of the VM or cluster it runs on) is a separate decision; an elaborate section is dedicated to it below. Read on.
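The two start-up methods above, as an added example that is not code from the article: a small POSIX sh wrapper that builds (and, when given arguments, runs) the v1 cloud_sql_proxy command for a host, the equivalent docker run, and the gcloud command that grants the proxy identity roles/cloudsql.client. The instance connection name my-project:us-central1:my-db, the key-file path, the service-account e-mail and the image tag 1.33.2 are placeholders and assumptions; the flags (-instances, -credential_file, -ip_address_types) are the v1 binary’s.

```shell
#!/usr/bin/env sh
# Added example (not from the article): a small POSIX sh wrapper around the v1
# cloud_sql_proxy binary and its Docker image. Every name below is a placeholder.

# Conventional listener port per engine. The proxy accepts any free port;
# these are just what client libraries default to.
conventional_port() {
  case "$1" in
    mysql)     echo 3306 ;;
    postgres)  echo 5432 ;;
    sqlserver) echo 1433 ;;
    *) echo "unknown engine: $1" >&2; return 1 ;;
  esac
}

# Instance connection names look like PROJECT:REGION:INSTANCE (plain project IDs only).
validate_instance() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][-a-z0-9]{4,28}[a-z0-9]:[a-z0-9-]+:[a-z][-a-z0-9]*$'
}

# Command to run the binary on this host, listening only on loopback.
# KEYFILE is optional: omit it where the host already has a usable identity
# (GCE/GKE metadata server, or gcloud application-default credentials).
# IPTYPE=private makes the proxy refuse to use the instance's public IP.
proxy_local_cmd() {
  instance=$1; port=$2; keyfile=${3:-}; iptype=${4:-}
  cmd="cloud_sql_proxy -instances=${instance}=tcp:127.0.0.1:${port}"
  [ -n "$keyfile" ] && cmd="$cmd -credential_file=${keyfile}"
  [ "$iptype" = private ] && cmd="$cmd -ip_address_types=PRIVATE"
  echo "$cmd"
}

# Same proxy in Docker: the container listens on CPORT on all of its interfaces,
# and Docker publishes that on 127.0.0.1:HPORT so only this host can reach it.
# Image tag 1.33.2 is an assumption; pin whichever release you audited.
proxy_docker_cmd() {
  instance=$1; hport=$2; cport=$3; keyfile=${4:-}
  cmd="docker run --rm -p 127.0.0.1:${hport}:${cport}"
  [ -n "$keyfile" ] && cmd="$cmd -v ${keyfile}:/config:ro"
  cmd="$cmd gcr.io/cloudsql-docker/gce-proxy:1.33.2 /cloud_sql_proxy -instances=${instance}=tcp:0.0.0.0:${cport}"
  [ -n "$keyfile" ] && cmd="$cmd -credential_file=/config"
  echo "$cmd"
}

# The identity the proxy runs as needs roles/cloudsql.client on the project
# that hosts the instance (the project is the first segment of the name).
grant_client_role_cmd() {
  project=${1%%:*}; member=$2
  echo "gcloud projects add-iam-policy-binding ${project} --member=${member} --role=roles/cloudsql.client"
}

# Usage: sh cloudsql_proxy.sh <mysql|postgres|sqlserver> PROJECT:REGION:INSTANCE [KEY_FILE]
if [ "$#" -ge 2 ]; then
  validate_instance "$2" || { echo "bad instance connection name: $2" >&2; exit 2; }
  port=$(conventional_port "$1") || exit 2
  echo "proxy listening on 127.0.0.1:${port}; point your client there" >&2
  eval "$(proxy_local_cmd "$2" "$port" "${3:-}")"
fi
```

Binding to 127.0.0.1 (and publishing the Docker port on 127.0.0.1 only) is deliberate: the proxy authenticates itself to Cloud SQL, not the clients that talk to it, so anything that can reach its listener can reach your database with nothing more than the DB password.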

Once the CloudSQLProxy software is up and running, connecting to the proxy from your apps/tools/CLI is as simple as connecting to localhost:1234 with your usual DB username, password and database name.

The port number 1234 must be the same as what was used when “starting” the CloudSQLProxy software earlier.

Your apps/tools/CLI can now talk to the CloudSQL DB Instance securely.

We will use the sidecar pattern: you only need to add another container to the same pod specification as your existing application container.

Simply add a new container under the containers section in your pod/replicaset/deployment YAML.

Then your application (which is running in another container inside the same pod) will just need to connect to DB host = localhost:1234 - your DB username / DB password / DB name values for the connection remain unchanged.

The above YAML of a pod/replicaset/deployment will work just fine without specifying any SA key file at all:

Your containers implicitly use the identity of the GKE node pool’s service account (the proxy fetches a token for it from the metadata server), so nobody needs to generate (or distribute) a separate SA key file for this to work. That node service account must hold the roles/cloudsql.client role described below; if the cluster uses Workload Identity, bind the pod’s Kubernetes service account to a Google service account holding that role instead, and the proxy picks it up the same way.
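The sidecar described above, as an added example that is not the article’s own YAML: a shell function that prints a complete Deployment with the application container and the v1 cloud_sql_proxy sidecar in the same pod, so it can be piped straight into kubectl apply. The deployment name, application image, instance connection name my-project:us-central1:my-db and image tag 1.33.2 are placeholders and assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the article): print a Deployment that runs the v1
# cloud_sql_proxy as a sidecar next to the application container.
# Names, images and the instance connection name are placeholders.

# sidecar_deployment NAME APP_IMAGE PROJECT:REGION:INSTANCE PORT
sidecar_deployment() {
  name=$1; app_image=$2; instance=$3; port=$4
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${name}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ${name}
  template:
    metadata:
      labels:
        app: ${name}
    spec:
      containers:
      - name: app
        image: ${app_image}
        env:
        # The app dials the proxy over the pod's loopback; DB user/password/name
        # are whatever they were before and still come from your own secret.
        - name: DB_HOST
          value: 127.0.0.1:${port}
      # Sidecar: same pod and network namespace, so only the app container can
      # reach the listener on 127.0.0.1. Image tag 1.33.2 is an assumption.
      - name: cloud-sql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.33.2
        command:
        - /cloud_sql_proxy
        - "-instances=${instance}=tcp:127.0.0.1:${port}"
        # No key-file flag and no mounted secret: the proxy obtains the node pool's
        # (or Workload Identity-bound) service account from the metadata server.
        resources:
          requests:
            cpu: 50m
            memory: 32Mi
EOF
}

# Apply it by piping the output into kubectl, for example:
# sidecar_deployment my-app gcr.io/my-project/my-app:1.0 my-project:us-central1:my-db 3306 | kubectl apply -f -
```

Because the proxy binds to 127.0.0.1 inside the pod, no Service or NetworkPolicy is needed to keep other pods away from it; only containers in this pod share that loopback interface.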

How you authorize your CloudSQLProxy software to connect to your CloudSQL DB instance depends on a few factors. The three questions you should ask yourself are: which identity the proxy runs as (a SA key file you distribute, or the built-in identity of the VM or cluster it runs on); whether that identity holds the required Cloud IAM role; and whether the instance is reachable from where the proxy runs over its Public IP or its Private IP.

Anyone or anything (with or without a SA key file) that connects to a CloudSQL instance through the proxy must be granted the roles/cloudsql.client IAM role on the GCP project that hosts the CloudSQL instance. The proxy uses that identity to call the Cloud SQL Admin API and fetch the ephemeral client certificate for its TLS connection; it does not replace the database login, so your DB username and password are still checked by the instance as before.

Your CloudSQL instance needs at least one IP address: a Public IP, a Private IP inside your VPC, or both. Whether you should assign it a Public IP depends on whether anyone (or anything) will connect to it from outside its VPC, and a Private IP requires the proxy’s host to have a route into that VPC (the same network, VPC peering, or a VPN/Interconnect).

Note, however, that you will never need to share that Public/Private IP with anyone (or anything) at all. The advantage of connecting via the CloudSQLProxy software is that it abstracts the IP address away: it looks the address up through the Cloud SQL Admin API at start-up, and you can force one or the other with -ip_address_types=PUBLIC or -ip_address_types=PRIVATE. The instance itself still needs a Public or Private IP for the proxy to open a connection to it, and the proxy’s host still needs outbound HTTPS to sqladmin.googleapis.com to look it up. That is the only reason an IP is needed - but nobody needs to know what its value is.

It may all seem a bit overwhelming at the beginning if you are coming from a “just-specify-the-host-IP-and-get-it-done-with” background. However, that habit leaves your DB instance exposed to external attacks unless the instance is hardened, firewalled and kept patched correctly, and an authorized-networks allow-list on a Public IP is only as good as the IP ranges in it.

CloudSQLProxy lets you establish an encrypted, IAM-authorized connection between your intended users/tools/apps and the DB server while greatly reducing the attack and abuse surface your DB server presents to outsiders. The hop from your app to the proxy is plaintext on loopback, so keep the proxy on the same host or in the same pod as the app and bind it to 127.0.0.1 rather than 0.0.0.0.

For more information on the “WHY” of CloudSQLProxy, check out my previous article on CloudSQLProxy - the wiser choice than tunneling to CloudSQL via bastion.
