1
votes

Based on my current understanding, when I enable a service connection to my Cloud SQL instance in one of my revisions, the path /cloudsql/[instance name]/.s.PGSQL.5432 becomes populated. This is a UNIX socket connection.

Unfortunately, a 3rd party application I'm using doesn't support UNIX socket connections and as such I'm required to connect via TCP.

Does the Google Cloud SQL Proxy also configure any way I can connect to Cloud SQL via something like localhost:5432, or other equivalent? Some of the documentation I'm reading suggests that I have to do elaborate networking configuration with private IPs just to enable TCP based Cloud SQL for my Cloud Run revisions, but I feel like the Cloud Proxy is already capable of giving me a TCP connection instead of a UNIX socket.

What is the right and most minimal way forward here, obviously assuming I do not have the ability to modify the code I'm running?

I've also cross posted this question to the Google Cloud SQL Proxy repo.

1
AFAIK your PostgreSQL client software can directly talk to Cloud SQL public IP whitelisted addresses and bypass the Cloud SQL Auth Proxy. The security risk is the SQL instance will be open to the Internet. Cloud Run does not have a static IP address. You can configure Cloud Run VPC egress through your VPC network with Cloud NAT to provide a fixed IP address for whitelisting. Another method is to use a Serverless VPC Access connector to Cloud SQL private IP. cloud.google.com/sql/docs/postgres/connect-run#private-ip
John Hanley

Yeah, so I'm aware of these instructions, but I find them very confusing in terms of what exactly is necessary and what's being done. There are lots of pieces that seem to need setup, but no real explanation as to what each is doing or what the overall topology is. Is there anywhere that explains it better than their documentation?
Alexander Trauzzi

The simplest and probably the best solution is to improve the client to support Cloud Run. Otherwise, you will need to invest time to learn the more advanced configuration features of Google Cloud. Sometimes, there are no shortcuts.
John Hanley

1 Answer

3
votes

The most secure and easiest way is to use the private IP. It's not so long or so hard; there are 3 steps:

  1. Create a serverless VPC connector. Create it in the same region as your Cloud Run service. Note the VPC Network that you use (by default it's "default").
  2. Add the serverless VPC Connector to the Cloud Run service. Route only the private IPs through this connector.
  3. Add a private connection to your Cloud SQL database. Attach it to the same VPC Network as your serverless VPC Connector.

The cloud configuration is done. Now you have to get the Cloud SQL private IP of your instance and add it to the parameters of your Cloud Run service to open a connection to this IP.
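The three steps above, written out as one Terraform configuration so the topology and the dependencies between the pieces are explicit. This is an added example by the editor, not code from the answer, the asker, or Google; the project ID, region, network name, instance name, container image and Secret Manager secret name are placeholders, and it assumes provider `hashicorp/google` 5.x (for `ssl_mode`) with the Service Networking, SQL Admin, VPC Access and Cloud Run APIs already enabled. The one piece the answer leaves implicit is the private services access peering (the reserved range plus the `google_service_networking_connection`); a Cloud SQL instance cannot be given a private IP until that exists.

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google", version = ">= 5.0" }
  }
}

# Placeholder values for this example.
locals {
  project = "my-project"
  region  = "us-central1"
  network = "default"
}

provider "google" {
  project = local.project
  region  = local.region
}

data "google_compute_network" "vpc" {
  name = local.network
}

# Private services access: a reserved range in the VPC that Google peers the
# Cloud SQL instance into. Without this the instance cannot get a private IP.
resource "google_compute_global_address" "sql_peering_range" {
  name          = "google-managed-services-${local.network}"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = data.google_compute_network.vpc.id
}

resource "google_service_networking_connection" "sql_peering" {
  network                 = data.google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.sql_peering_range.name]
}

# Step 3: the instance gets a private IP in the VPC and no public IP at all.
resource "google_sql_database_instance" "db" {
  name             = "app-db" # placeholder instance name
  database_version = "POSTGRES_15"
  region           = local.region
  depends_on       = [google_service_networking_connection.sql_peering]

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled    = false # no public IP: nothing to whitelist, nothing exposed
      private_network = data.google_compute_network.vpc.id
      # Traffic to a private IP is plain TCP unless you require TLS; the Auth
      # Proxy is no longer in the path to encrypt it for you.
      ssl_mode = "ENCRYPTED_ONLY"
    }
  }
}

# Step 1: the connector lives in the same region and VPC as the service and instance.
resource "google_vpc_access_connector" "run_to_sql" {
  name          = "run-to-sql"
  region        = local.region
  network       = data.google_compute_network.vpc.name
  ip_cidr_range = "10.8.0.0/28" # must not overlap any existing subnet in the VPC
}

# Step 2: attach the connector and route only RFC 1918 destinations through it,
# so Internet-bound egress from the service is unaffected.
resource "google_cloud_run_v2_service" "app" {
  name     = "app"
  location = local.region

  template {
    vpc_access {
      connector = google_vpc_access_connector.run_to_sql.id
      egress    = "PRIVATE_RANGES_ONLY"
    }
    containers {
      image = "us-docker.pkg.dev/${local.project}/app/app:latest" # placeholder image

      # The third-party client only needs a host and a port: hand it the
      # instance's private IP instead of the /cloudsql/... socket path.
      env {
        name  = "DB_HOST"
        value = google_sql_database_instance.db.private_ip_address
      }
      env {
        name  = "DB_PORT"
        value = "5432"
      }
      env {
        name = "DB_PASSWORD"
        value_source {
          secret_key_ref {
            secret  = "app-db-password" # placeholder Secret Manager secret
            version = "latest"
          }
        }
      }
    }
  }
}

output "db_private_ip" {
  value = google_sql_database_instance.db.private_ip_address
}
```

`terraform apply` creates the pieces in dependency order and prints the private IP; because `DB_HOST` references the instance attribute directly, a new revision is rolled out with the right address without copying it by hand. Two caveats a practitioner will hit: the Cloud Run service's runtime service account needs `roles/secretmanager.secretAccessor` on the secret, and `ssl_mode = "ENCRYPTED_ONLY"` means the third-party client must be pointed at the database with `sslmode=require` (or equivalent); if the client cannot speak TLS, drop that line and accept that the connection is unencrypted inside the VPC, which is still not reachable from the Internet since the instance has no public address.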