
I'm going to connect from an instance in Project-A (custom VPC) to Cloud SQL Postgres in Project-B (default VPC). The documentation says that I need to peer these two VPCs. The peering status is "Active". In Project-A I also have cloudsql_auth_proxy. Once I execute cloudsql_auth_proxy, I get this:

root@cloudsql-auth-proxy:~# ./cloud_sql_proxy -instances=projectB:us-west1:postgres=tcp:0.0.0.0:5432
2022/12/29 16:46:59 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2022/12/29 16:47:01 Listening on 0.0.0.0:5432 for -instances=projectB:us-west1:postgres=tcp:0.0.0.0:5432
2022/12/29 16:47:01 Ready for new connections
2022/12/29 16:47:01 Generated RSA key in 244.541948ms

When I try to connect to the cloudsql_proxy like this: psql -h xxx.xxx.xxx.xxx -p 5432 -U proxyuser -d postgres, it hangs.

The output of cloudsql_auth_proxy looks like this:

2022/12/29 16:48:00 New connection for "-instances=projectB:us-west1:postgres"
2022/12/29 16:48:00 refreshing ephemeral certificate for instance -instances=projectB:us-west1:postgres
2022/12/29 16:48:00 Scheduling refresh of ephemeral certificate in 55m0s
: dial tcp 10.35.144.3:3307: connect: connection timed out

Any thoughts about this?

  • You can't connect to a Cloud SQL instance by using a VPC peering. Read https://stackoverflow.com/questions/72171009/can-cloud-sql-proxy-connect-a-vm-and-instance-on-different-vpcs/72177992#72177992 – Puteri Dec 29 '22 at 19:16
  • Non-transitive VPC peering makes the link impossible. Use a shared VPC or..... a VPN (to peer the 2 VPCs), yes, a VPN... – guillaume blaquiere Dec 29 '22 at 21:22

2 Answers


You'll need to deploy a SOCKS5 proxy in the Project B VPC to provide a network path between the VPCs. Dante is a popular choice.

Once you have a SOCKS5 proxy running, you can launch the Cloud SQL Auth Proxy pointing at it.

See https://github.com/GoogleCloudPlatform/cloud-sql-proxy#running-behind-a-socks5-proxy.

enocom
  • So basically I'm trying to configure Datastream to enable streaming data from Cloud SQL to BigQuery. Our Cloud SQL instance is in project-A, Datastream in project-B. Project-A has vpc-A which is peered with vpc-B in Project-B. vpc-A has cloudsql_auth_proxy and I'm able to ping or log in to this database via cloudsql_auth_proxy using psql from VPC-B (Project-B), but I'm not able to connect to the cloudsql_auth_proxy from Datastream. I need to be able to connect Datastream (Project-A) to Cloud SQL (Project-B) using a private connection. Thank you! – Sharip Alikhanov Jan 11 '23 at 17:05

I think you might have posted this on the GCP subreddit too! :P

To expand on @enocom's answer with some diagrams.

For reference (diagram): potatoes-are-great-they-dont-care-about-transitivity

  1. VPC non-transitivity in GCP makes this a bit awkward.
  2. I am a bit puzzled by a GCP design that would require running two extra GCE constructs + a SOCKS proxy + a cloud_sql_auth proxy. That's a lot of bits to interconnect GCP-native services like Cloud SQL and Datastream.
  3. I don't think I can remove any of the current pieces. If we remove vm-002, Datastream won't be able to reach vm-001 due to the lack of transitivity.

Reference Dante config to remove the authentication from the SOCKS proxy. Don't do this in prod - just for the sake of a simple test ;)

  1. In /etc/danted.conf:

     logoutput: syslog

     # No authentication for either the client-side or the SOCKS-side handshake
     # (test only; this is what makes the "no acceptable authentication methods" error go away).
     clientmethod: none
     socksmethod: none

     # The listening network interface or address.
     internal: 0.0.0.0 port=1080

     # The proxying network interface or address.
     external: ens4

     # Accept TCP connections from any client...
     client pass {
         from: 0.0.0.0/0 to: 0.0.0.0/0
     }

     # ...and allow them to CONNECT to any destination (narrow this to the Cloud SQL IP and port 3307 if you keep it).
     socks pass {
         from: 0.0.0.0/0 to: 0.0.0.0/0
     }

  2. systemctl restart danted.service
  3. systemctl status danted.service

LaurentDumont
  • Yeah! Thank you for the response, I appreciate your help. I did everything as this diagram shows and when I run `ALL_PROXY=socks5://10.138.0.13:1080 ./cloud_sql_proxy -instances=mega-project-34522:us-west1:datastream-test=tcp:0.0.0.0:5432 -credentials_file=credentials.json` I get this error: `2023/01/13 20:30:44 couldn't connect to "mega-project-34522:us-west1:datastream-test": socks connect tcp 10.138.0.13:1080->10.35.144.3:3307: no acceptable authentication methods` – Sharip Alikhanov Jan 13 '23 at 20:33
  • Ah yes, you can remove the authentication layer from Dante to test it out. I added a config snippet in the main post. – LaurentDumont Jan 14 '23 at 01:50
  • That works! Thank you so much, I appreciate your help! I was stuck on this project for 2 weeks... – Sharip Alikhanov Jan 17 '23 at 20:18
  • No problem! VPC transitivity and GCP-native service interconnections are a bit challenging. – LaurentDumont Jan 18 '23 at 00:18
  • I'm considering deploying danted5 on Kubernetes in project A. I already have a Docker image. I want to deploy this image but I don't know how to expose it with a static private IP address to use it in cloudsql_auth_proxy in project B – Sharip Alikhanov Aug 31 '23 at 23:19
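The two failures in this thread (Dante rejecting the handshake with "no acceptable authentication methods", and the CONNECT to the Cloud SQL private IP on 3307 timing out) both show up in the SOCKS5 exchange itself. The following diagnostic, added here as an example and not part of the thread or of Dante or the Cloud SQL Auth Proxy, performs that handshake by hand so you can tell which stage fails; the proxy address 10.138.0.13:1080 and target 10.35.144.3:3307 are taken from the comments above and are just sample values.

```python
import socket
import struct

# SOCKS5 (RFC 1928) constants; the Cloud SQL Auth Proxy speaks this when ALL_PROXY is set.
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF   # Dante answers this when danted.conf still demands a socksmethod
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired"}

def build_greeting() -> bytes:
    # Offer only NO AUTH, which is what the proxy client does without credentials.
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])

def parse_method_reply(data: bytes) -> str:
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method-selection reply")
    if data[1] == METHOD_NO_ACCEPTABLE:
        return "no acceptable authentication methods"   # the error quoted in the thread
    if data[1] != METHOD_NO_AUTH:
        raise ValueError(f"proxy selected unsupported method {data[1]:#x}")
    return "no-auth accepted"

def build_connect_request(host: str, port: int) -> bytes:
    # VER CMD RSV ATYP DST.ADDR(4) DST.PORT(2), IPv4 only
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + socket.inet_aton(host) + struct.pack("!H", port))

def parse_connect_reply(data: bytes) -> str:
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 CONNECT reply")
    return REPLY_TEXT.get(data[1], f"unknown reply {data[1]:#x}")

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf

def check_socks5_path(proxy_host, proxy_port, target_host, target_port, timeout=10.0) -> str:
    """Walk the SOCKS5 handshake and report at which stage the path to target fails."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        status = parse_method_reply(_recv_exact(s, 2))
        if status != "no-auth accepted":
            return status                      # fix danted.conf (socksmethod) before going further
        s.sendall(build_connect_request(target_host, target_port))
        return parse_connect_reply(_recv_exact(s, 10))   # e.g. "host unreachable" = no route from vm-002
```

Run `check_socks5_path("10.138.0.13", 1080, "10.35.144.3", 3307)` from the VM that will host the Auth Proxy; a `socket.timeout` here means the proxy itself is unreachable, while a reply string tells you whether Dante or the route to port 3307 is the problem.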