Allow App Engine Standard Environment to connect to Compute Engine Mysql

2
votes

I have a mysql container on my compute engine and I would like my App Engine to be able communicate with it.

I'm using django and have the below settings

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'HOST': <---ACTUAL_IP_REMOVED -->,
        'NAME': 'name_of_my_database',
        'USER': 'root',
        'PASSWORD': <-- Actual password removed -->,
        'PORT': '3306'
    }
}

I also have a firewall rule that allows all ingress on tcp:3306 for target service account (my google compute service account) and for source service account (my app engine service account).

Despite this I still get the below error in my app engine logs. 

OperationalError: (2003, "Can't connect to MySQL server on '<--IP-Address-removed--->' (110)")

What am I overlooking / doing wrong?

1
mysqlgoogle-app-enginegoogle-compute-enginefirewall
just to be sure, you are using the external IP of your mySQL instance, correct? And are you running the database directly on the OS or are you running a container?Patrick W
Yes, I was using the external IP of the mysql instance. I was running the DB in a container on the OS. The OS image was googles container OS image. The docker image was the mysql image which by default exposes 3306 so the port 3306 was available to external devices. This was a firewall issue as was clear when I opened up access to all IPs to the VM. Ideally though I could choose to open just the IP of my app engine app to the GCE VM.Terence Chow
I agree that it is a firewall rule, wanted to understand the infrastructure. Network tags and Service account tags only work on resources within the VPC network. App Engine Standard uses a separate VPC network thus the source service account tag is not detected.Patrick W

1 Answers

0
votes

You also have to allow the remote connections in the SQL instance. Try to follow the steps described in here, replacing the data in the answer with your data.