4

Is it possible to connect to Google Cloud SQL from a Google Managed VM? With regular Google App Engine applications, I can connect by authorizing my project in the Cloud SQL console and using unix_socket='/cloudsql/' + _INSTANCE_NAME. However, the /cloudsql/ socket doesn't seem to be available on Managed VMs. Do I have to whitelist the IP of my Managed VM application? If so, how do I find the IP address to whitelist?

AJH

4 Answers

6

The /cloudsql/ sockets are only available in regular App Engine. Managed VMs are regular VMs, so a connection to Cloud SQL needs to use the external IP of that Cloud SQL instance. The external IP needs to be whitelisted. The external IP is shown in the Developers Console and can also be retrieved via the gcloud CLI tool.

Two options to avoid having to whitelist the IP of the GCE VMs are:

  1. Switch to use only SSL connections for IP connectivity and whitelist 0.0.0.0/0.
  2. Funnel all the traffic to Cloud SQL via a VM that runs a TCP proxy (HAProxy, for example).

We are aware that none of these are very satisfying solutions. :-(

Razvan Musaloiu-E.
  • @Răzvan - when is this going to be fixed? I know the Cloud SQL instances have IPv6 addresses but GCE does not have IPv6. I also cannot add an internal-IPv4 address to a CloudSQL instance... Is there an ETA? This makes the "activation policy" » "On demand" useless as you spend more on an unused IP ($0.01/h) than you're saving by using "On demand". Am I right? – eRadical Feb 11 '15 at 22:41
  • I'm sorry but I don't have an exact timeline for this feature. :-( – Razvan Musaloiu-E. Feb 12 '15 at 03:58
  • I cannot provide a firm ETA. We already have some of the pieces we need up and running, but we are not done yet. Sorry for the slowness. :-( – Razvan Musaloiu-E. Nov 27 '15 at 01:12
  • Is there documentation anywhere on option 1? I'm having a lot of trouble configuring ssl correctly on the client/managed vm app. The SSL connection works on local tests, but in the managed vm I get "SunCertPathBuilderException: unable to find valid certification path to requested target" – James Newman Dec 10 '15 at 21:56
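
An added example, not part of the original answer or of any Google tooling: a Python check for the trade-off in option 1, run over the JSON printed by `gcloud sql instances describe NAME --format=json`. It assumes the Cloud SQL Admin API field names `settings.ipConfiguration.authorizedNetworks[].value` and `requireSsl`; the sample instance and the function name are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, shaped like `gcloud sql instances describe NAME --format=json`.
# Field names are assumed to follow the Cloud SQL Admin API instance resource.
SAMPLE_INSTANCE = json.loads("""
{
  "name": "example-instance",
  "settings": {
    "ipConfiguration": {
      "requireSsl": false,
      "authorizedNetworks": [
        {"name": "office", "value": "203.0.113.7"},
        {"name": "managed-vms", "value": "0.0.0.0/0"}
      ]
    }
  }
}
""")


def audit_ip_access(instance):
    """Return (severity, message) findings for one instance description."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    require_ssl = bool(ip_cfg.get("requireSsl", False))
    findings = []
    for entry in ip_cfg.get("authorizedNetworks", []):
        # A bare address such as 203.0.113.7 parses as a /32 network.
        net = ipaddress.ip_network(entry["value"], strict=False)
        if net.prefixlen == 0 and not require_ssl:
            findings.append(("CRITICAL",
                             f"{net}: open to any address and plaintext connections are allowed"))
        elif net.prefixlen == 0:
            # Option 1 as described: no network filter is left in front of the database.
            findings.append(("WARN",
                             f"{net}: open to any address; access rests on credentials and certificates"))
        elif not require_ssl:
            findings.append(("WARN", f"{net}: authorized network may connect without TLS"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ip_access(SAMPLE_INSTANCE):
        print(severity, message)
```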
1

If you're willing to try out Cloud SQL Second Generation (currently in Beta), there's built-in support for connecting from Managed VMs that is similar to App Engine: https://cloud.google.com/sql/docs/sql-proxy#gae

  • Not from a Java application tho? – DaBeeeenster Feb 28 '16 at 20:38
  • It is possible, but not yet well supported. Internally there is work being done to make this easier but I'm not sure of its priority (and thus cannot give you any sort of date). See a workaround for Java I posted, it might work for you: http://stackoverflow.com/a/34820600/4754999 – Kevin Malachowski Feb 29 '16 at 22:53
0

Everything is described here, depending on language: https://cloud.google.com/sql/docs/dev-access More details for Python are here:

subject: Step 2: Grant your App Engine application access to the Google Cloud SQL instance https://cloud.google.com/appengine/docs/python/cloud-sql/

  • Also, please be aware of this: Note: An App Engine application must be in the same region (either EU or US) as a Google Cloud SQL instance to be authorized to access that Google Cloud SQL instance. – user1005101 Dec 20 '14 at 12:30
  • Thanks for your helpful links. However, I was looking for a way to connect from a Google Managed VM, not from App Engine. I followed the steps above, but that solution doesn't work for Google Managed VMs. – AJH Dec 21 '14 at 22:23
0

Concerning the first solution provided by @Razvan Musaloiu-E

Switch to use only SSL connections for IP connectivity and whitelist 0.0.0.0/0.

Are there any security concerns if I do this? Besides having a "root"/"root" login/password on my Cloud SQL database, of course...

Q_C