2 votes

We have this discussion in our office and cannot come to a conclusion, so I am reaching out here for some advice.

We have a Google Cloud SQL instance running with no public IP. Google App Engine apps from different App Engine projects connect to this single Cloud SQL instance by authorizing their service accounts.

There is no VPC set up between the projects. The apps are on the Google App Engine standard environment. The instance's private IP is not used in the app projects.

The connections between the projects are made using the tutorial found here

https://cloud.google.com/sql/docs/mysql/connect-app-engine

creating a connection string as

mysql+pymysql://<db_user>:<db_pass>@/<db_name>?unix_socket=/cloudsql/<cloud_sql_instance_name>

The question is how does the traffic flow from other App Engine projects to this Cloud SQL instance?

Does the connection handshake go via the internet (i.e. outside Google's network), or does Google handle the traffic and route it internally without the request ever going to the internet?

It would be a great help if anyone can help answer these questions.


3 Answers

1 vote

If you have configured your Cloud SQL instance to use a private IP address, then connectivity occurs using VPC Network Peering, and your communication from Google App Engine (running inside Google and VPC-connected) to your managed Cloud SQL instance (running on a separate VPC network) is all internal to Google using the VPC.

Details on this can be found in the article here:

1 vote

The answer to this actually varies depending on which version of App Engine you are using.

On older versions of App Engine Standard, the /cloudsql/ unix socket connected over an internal network directly to your instance.

On more recent versions of App Engine Standard, it uses a version of the Cloud SQL proxy to authenticate your connection to the instance via its public IP. This is why the Connecting from App Engine page states that your Cloud SQL instance must have a public IP.

0 votes

The connection from App Engine Standard to the Cloud SQL instance is made over the internet. There are more internal services between App Engine and Cloud SQL, but by default the calls are not made to the private IP of the instance.

If you look in the README of the connector's repository, you can see that you can use almost the same method to connect to the Cloud SQL instance from your local environment. That might be a clue that things happen on the internet.