0
votes

There are several good answers available for both of these scenarios - but not combined.

1. I need to make a call to an external API via whitelisted static IP.
See: Associating Cloud Function egress with a static IP address
a) call the external API from the Cloud Function
b) route all egress from this Cloud Function through a VPC Connector on vpcnetwork-1 (IP address range = 10.8.10.0/28)
c) use a Cloud NAT that routes all traffic on vpcnetwork-1 through [STATIC IP] (whitelisted by external API)

2. Next, I need to take that API data and send it to a Cloud SQL instance (MySQL in this case).
See: Connecting to Cloud SQL from Cloud Functions
a) create a UNIX socketpath connection to [Cloud SQL Instance]

When I run with the VPC Connector (as shown above), I get:
1) SUCCESS! I've received the API data using my whitelisted IP address
2) CONNECTION REFUSED by [Cloud SQL Instance] - because I'm using a static external IP? Does socketpath use external, or connect within my Google Cloud Project?

If I remove the VPC Connector from my Cloud Function, then I get:
1) CONNECTION REFUSED - this IP is not whitelisted (because I'm no longer using the static IP)
2) SUCCESS! I'm now able to connect to [Cloud SQL Instance] (using UNIX socketpath, userid, password)

How can I get both of these to work from the same Cloud Function?

I see that I can "Route only requests to private IPs through the VPC connector" but I really want the opposite of that. I want to only route external requests to the VPC connector, to use my static IP, and then keep my private routing for connections within my GCP.

ADDED: I am using JavaScript mysql to connect to Cloud SQL.

const mysql = require('mysql');
const pool = mysql.createPool({ socketPath: '/cloudsql/[instance_connection_name]',
                                user: uid,
                                password: pwd,
                                database: 'mysql_db' });
// pool.query() does not return the rows; they are delivered to the callback
pool.query(sql, [], (err, rows) => {
  if (err) throw err;
  // use rows here
});

This works ok without using a VPC Connector. When I use a VPC Connector with a static external IP address, this connection is refused. Is it because the VPC Connector and Cloud SQL instance are not on the same VPC? I don't think Cloud SQL is linked to a VPC, is it?

1
Can you post the code for connecting from the Cloud Function to Cloud SQL? I wrote an answer on how this should be done in Python: CONNECTING FROM GOOGLE CLOUD FUNCTIONS TO CLOUD SQL USING TCP AND UNIX DOMAIN SOCKETS 2020 - marian.vladoi
You should be able to connect from your Cloud Function to Cloud SQL using a VPC connector and the internal IP address of your Cloud SQL instance (TCP). I have this in my post. - marian.vladoi
@marian.vladoi I am connecting using JavaScript mysql: var pool = mysql.createPool({ socketPath: '/cloudsql/[instance_connection_name]', user: uid, password: pwd, database: 'mysql_db' }); var result = pool.query(sql, {}, (err,result)=> {}); How can I check if this is using a TCP connection? It works OK when I am not using the VPC connector. When I connect this function through the VPC connector, this connection gives "CONNECTION REFUSED". - Womprat
Assuming you did step 9 in my previous answer (creating a service account and assigning the right permission to your Cloud Function), you have to create a Cloud SQL instance with only an internal IP and connect to the internal IP address of the instance: use host: internal_ip_cloudsql instead of socketPath. Pay attention in my previous answer to how I create the database, how I create the service account, how I create the VPC connector and how I deploy the Cloud Function. I was able to connect using Python. - marian.vladoi
Your connection string should look like this: var pool = mysql.createPool({ host: '10.36.0.3' (internal IP of the Cloud SQL instance), user: 'root', password: 'root', database: 'guess', port: 3306 }); - marian.vladoi

1 Answer

0
votes

The Cloud SQL Instance Overview dashboard lists both [Public IP Address] and [Instance Connection Name]

For a standard Cloud Functions connection, I use:

socketpath:[Instance Connection Name]
user: uid
password: pwd
database: 'mysql_db'

When using a VPC Connector, I use

host:[Private (or Public) IP Address]
user: uid
password: pwd
database: 'mysql_db'

Summary:

[Cloud Function] -> socketpath:[Instance Connection Name] => **SUCCESS**
[Cloud Function] -> host:[Public IP Address] => **FAIL** (Timeout - IP Not Allowed)

Private VPC Connections:
[Cloud Function] -> [VPC Connector] -> socketpath:[Instance Connection Name] => **FAIL** (Connection Refused)
[Cloud Function] -> [VPC Connector] -> host:[Private IP Address] => **SUCCESS** (Set up Private IP in GCP->SQL->Connections)

Public VPC Connection:
[Cloud Function] -> [VPC Connector] -> host:[Public IP Address] => **SUCCESS** (Only after allowing/whitelisting IP of the VPC Connector routed through Cloud NAT)

Google Cloud CLI instructions for Private IP setup:
CONNECTING FROM GOOGLE CLOUD FUNCTIONS TO CLOUD SQL USING TCP AND UNIX DOMAIN SOCKETS 2020