
I am trying to connect to AlloyDB in Google Cloud via alloydb-auth-proxy. I am not able to connect to it successfully. I am getting an error while trying to do this.

I followed the instructions mentioned in https://cloud.google.com/alloydb/docs/auth-proxy/connect#python and https://github.com/GoogleCloudPlatform/alloydb-auth-proxy#example-invocations

I am using FastAPI in the backend and using SQLAlchemy.


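```python
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker

# Points at the auth proxy's local listener (default port 5432).
SQLALCHEMY_DATABASE_URL = "postgresql+psycopg2://<user>:<password>@localhost/postgres"

engine = create_engine(SQLALCHEMY_DATABASE_URL)

SessionLocal = sessionmaker(bind=engine, autocommit=False, autoflush=True)
```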

I start the auth proxy using the credentials:

```
alloydb-auth-proxy "projects/<project-id>/locations/<region>/clusters/<database-id>/instances/<instance-id>" --credentials-file "key.json"
```

I am leaving the address and port as default, i.e. address 127.0.0.1 and port 5432.

The proxy starts:

```
[projects/<project-id>/locations/<region>/clusters/<database-id>/instances/<instance-id>] Listening on 127.0.0.1:5432
The proxy has started successfully and is ready for new connections!
```

But when I run the app, it gives me an error in the console:

```
sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) connection to server at "localhost" (::1), port 5432 failed: Connection refused (0x0000274D/10061)
        Is the server running on that host and accepting TCP/IP connections?
connection to server at "localhost" (127.0.0.1), port 5432 failed: server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
```

and in the proxy cmd:

```
[projects/<project-id>/locations/<region>/clusters/<database-id>/instances/<instance-id>] failed to connect to instance: Dial error: failed to dial (instance URI = "<project-id>/<region-id>/<database-id>/<instance-id>"): dial tcp xx.xx.xx.x:5433: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
```

What's happening here?

Pritam Sinha
  • Where are you starting the `alloydb-proxy` from? (your local machine? a GCE VM instance?) AlloyDB uses Private IP database connections, therefore you can only connect and successfully use the proxy if you are attached to and have a network path from the same VPC network that your AlloyDB cluster is running on. – Jack Wotherspoon Aug 24 '22 at 17:32
  • Does auth-proxy continue to run in background when you run your API? – guillaume blaquiere Aug 24 '22 at 18:13
  • @JackWotherspoon I am starting the auth proxy from my local machine and yes the proxy continues to run after I start my app. I start the auth proxy first then I run my app but after some time it shows that error. – Pritam Sinha Aug 25 '22 at 07:31

1 Answer

AlloyDB currently only has the option to connect to it by Private IP. This means that your local machine will be unable to reach the cluster regardless of your connectivity methods (auth proxy, Python connector, direct connection, etc).

To connect you either need to be connecting from within the same network (VPC) as the AlloyDB cluster, or you'll need to set up something like a bastion instance which has a public entry point that shares the network with the AlloyDB cluster.

To test this, the easiest way is to spin up the smallest GCE instance you can on the same VPC as the AlloyDB cluster. Then SSH into that instance, and use the psql client to confirm you can connect to the AlloyDB instance. Once you confirm that, for development you either need to push your application to that GCE instance to be able to connect, or set up some connectivity between you and the GCE instance.

There are a few ways to do that. I'd recommend locking down the GCE instance as hard as you can and reverse SSH tunnel to the instance from your local machine. Or set up a VPN (Cloud VPN is an option, but fairly expensive, so running your own VPN service on the GCE instance is an option, just more overhead and maintenance). You can also set up something like a SOCKS5 proxy on the bastion instance to do forwarding from there to your AlloyDB cluster and that would also work.

Gabe Weiss
  • Thanks for the information. At least now I know something. I was trying to see if I can use AlloyDB like Cloud SQL. But now I see that "your local machine will be unable to reach the cluster" and "AlloyDB only has private IP". I want a simple solution. The setup solution is too complicated for me. If I want to use Cloud SQL instead of AlloyDB, is it the same case there also? Can I connect to Cloud SQL Postgres instances from my local host? Since you are a GCE, I want some suggestions before I go into Cloud SQL Postgres. – Pritam Sinha Aug 28 '22 at 06:43
  • Cloud SQL has a public IP option, so no issues there to connect from local machine. This blog post: https://medium.com/google-cloud/connecting-cloud-sql-public-ip-sql-proxy-5513f59e5a9e should help. It talks about connecting using the public IP and our auth proxy which is the recommended way to connect to Cloud SQL. – Gabe Weiss Aug 29 '22 at 07:14
  • You're most welcome! If you could, please mark the answer as accepted so it's easier for folks to find when others have the same issues! – Gabe Weiss Aug 29 '22 at 15:58
  • @GabeWeiss what is Google's roadmap with AlloyDB? Are they working on a better solution for connecting to AlloyDB from externally hosted services? – Ozzy Sep 22 '22 at 15:43
  • Yup! It'll be a post-GA feature, and I can't speak to dates for when it'll go in, but it's definitely on the roadmap (it's a hill I'll die on!) :) – Gabe Weiss Sep 23 '22 at 16:03
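
An added diagnostic, not part of the original answer or of Google's tooling: it separates the two hops visible in the question's logs (client to the proxy's listener on 127.0.0.1:5432, then proxy to the instance on port 5433) and names the one that fails. The instance IP `10.0.0.5` is a constructed placeholder, and the function names and result labels are this example's own.

```python
import ipaddress
import socket

PROXY_PORT = 5432     # proxy's local listener (default, as in the question)
UPSTREAM_PORT = 5433  # port the proxy dials on the instance (from the proxy log)


def probe(host, port, timeout=3.0):
    """One TCP connect attempt: 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def probe_localhost(port=PROXY_PORT):
    """Probe every address 'localhost' resolves to (libpq tried ::1, then 127.0.0.1)."""
    infos = socket.getaddrinfo("localhost", port, type=socket.SOCK_STREAM)
    return {info[4][0]: probe(info[4][0], port) for info in infos}


def diagnose(instance_ip, local, upstream):
    """Name the failing hop from the two probe results."""
    if local != "open":
        return "proxy-not-listening"
    if upstream == "open":
        return "network-path-ok"
    if ipaddress.ip_address(instance_ip).is_private:
        return "no-route-to-private-ip"  # run from the VPC, a bastion or a VPN
    return "upstream-blocked"


if __name__ == "__main__":
    instance_ip = "10.0.0.5"  # constructed placeholder; use the IP from your proxy log
    print(probe_localhost())
    local = probe("127.0.0.1", PROXY_PORT)
    upstream = probe(instance_ip, UPSTREAM_PORT)
    print(local, upstream, diagnose(instance_ip, local, upstream))
```

A `refused` result for `::1` next to `open` for `127.0.0.1` matches the first line of the psycopg2 error: the proxy listens on the IPv4 loopback only, so the failure that matters is the upstream hop.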