
In my GCP org I have a Cloud SQL private instance running with a private IP, peered with my internal VPC. For my Cloud Run payload, I set up a Serverless VPC connector and it works fine. Also, my GCE instances in the VPC can reach the Cloud SQL instances using Cloud SQL Proxy... great.

But now I need to make that Cloud SQL instance reachable by my Cloud Build pipelines. To do that, of course I'll switch my build pool to private. But I'm puzzled about how to ensure connectivity between these two kinds of managed services.

AFAIK Cloud Build does not tunnel through Serverless VPC connectors.

1- Do Cloud SQL and Cloud Build share the same Google-managed service VPC? Do I need two distinct VPC peering spaces for those two services, or should they share the same one?

2- In case they don't, since peering is not transitive, I guess that peering the Cloud Build network won't make the private IP of Cloud SQL reachable on its own. How can I ensure connectivity between the two services, then? Do I need to peer from the Cloud SQL network to the Cloud Build network (how?)? Do I need to set up an HA VPN between the two (wasting money)? Hop through a GCE bastion (not so elegant)?

Thanks a lot for the support, and apologies in advance if the validity of these questions is debatable.

Gabriele B
  • Is having a Cloud SQL public IP a solution? After discussion with the Sec team in our company, we successfully demonstrated there is no issue with having a public IP on Cloud SQL as long as the Organization Policy that prevents the addition of authorized networks is active. – guillaume blaquiere Jun 12 '23 at 11:15
  • Hi Guillaume (I'm a fan and follower of your blog btw ;) thanks a lot for your articles!), yes and no. I understand that firewalls can do miracles nowadays, but we prefer to stick with a totally private environment since this is a use case for the medical industry (we can always switch to public later in the future) – Gabriele B Jun 12 '23 at 12:15
  • Thank you for the feedback! And, in that case, you are stuck with VPC peering transitivity. Private Service Connect in front of Cloud SQL should be released one day (I don't know when) and will solve your issue. Until then, you have to do dirty network things (VPN, bastion, ...). You are in the same case as a private GKE cluster, so, same solution: https://cloud.google.com/architecture/accessing-private-gke-clusters-with-cloud-build-private-pools – guillaume blaquiere Jun 12 '23 at 12:54
  • Hello Gabriele, did you see this documentation: https://cloud.google.com/sql/docs/mysql/connect-build#private-ip ? To connect to your Cloud SQL instance over private IP, Cloud Build must be in the same VPC network as your Cloud SQL instance. To configure this: 1- Set up a private connection between the VPC network of your Cloud SQL instance and the service producer network. 2- Create a Cloud Build private pool. Once configured, your application will be able to connect directly using your instance's private IP address and port 3306 when your build is run in the pool. – Abdellatif Derbel Jun 12 '23 at 16:43
  • Thanks @AbdellatifDerbel, I read the document but, as guillaume said, this is contradicted in other parts of the documentation: the fact is that since VPC peering is not transitive, it _should_ not be possible to connect directly from the build producer network to the Cloud SQL VPC network. But I agree that the page you linked says otherwise... – Gabriele B Jun 12 '23 at 19:26
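
An added build config (an example written for this page, not from the question, the comments or Google's documentation) showing the setup Abdellatif's comment describes: the build runs in a private pool peered to the VPC and reaches the Cloud SQL instance's private IP on port 3306, with the database password injected from Secret Manager rather than written into the file. The project, region, network, pool, secret and IP values are placeholders.

```yaml
# cloudbuild.yaml (added example; all names below are placeholders).
# It assumes the peering and the private pool already exist, e.g.:
#   gcloud compute addresses create psa-range --global --purpose=VPC_PEERING \
#       --prefix-length=24 --network=internal-vpc
#   gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com \
#       --ranges=psa-range --network=internal-vpc
#   gcloud builds worker-pools create private-pool --region=europe-west1 \
#       --peered-network=projects/PROJECT_ID/global/networks/internal-vpc
steps:
  # Connectivity check from the private-pool worker to the instance's private IP.
  # The password is exposed to this step only as an environment variable.
  - id: 'check-cloudsql-private-ip'
    name: 'mysql:8.0'
    entrypoint: 'bash'
    secretEnv: ['DB_PASSWORD']
    args:
      - '-c'
      - |
        set -euo pipefail
        # MYSQL_PWD keeps the password out of the process argument list;
        # $$ escapes the variable from Cloud Build's own substitution pass.
        # TLS is still required on the private path; a short timeout fails fast
        # when the worker has no route to the instance (wrong or missing pool).
        export MYSQL_PWD="$$DB_PASSWORD"
        mysql --host="${_DB_PRIVATE_IP}" --port=3306 --user="${_DB_USER}" \
              --ssl-mode=REQUIRED --connect-timeout=10 \
              --execute='SELECT VERSION();'

  # Schema migrations run in the same pool, so they use the same private path.
  - id: 'run-migrations'
    name: 'mysql:8.0'
    entrypoint: 'bash'
    secretEnv: ['DB_PASSWORD']
    args:
      - '-c'
      - |
        set -euo pipefail
        export MYSQL_PWD="$$DB_PASSWORD"
        mysql --host="${_DB_PRIVATE_IP}" --port=3306 --user="${_DB_USER}" \
              --ssl-mode=REQUIRED "${_DB_NAME}" < migrations/schema.sql

availableSecrets:
  secretManager:
    - versionName: 'projects/PROJECT_ID/secrets/cloudsql-app-password/versions/latest'
      env: 'DB_PASSWORD'

substitutions:
  _DB_PRIVATE_IP: '10.20.0.3'   # constructed placeholder; take it from the instance
  _DB_USER: 'app'
  _DB_NAME: 'appdb'

options:
  # Selecting the private pool is what places the worker inside the peered VPC;
  # the default (shared) pool has no route to the private IP.
  pool:
    name: 'projects/PROJECT_ID/locations/europe-west1/workerPools/private-pool'
```

If the first step times out while a GCE VM in the same VPC connects fine, the build is not running in the peered pool or the private services access range is not the one the instance was created with.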
