Stay organized with collectionsSave and categorize content based on your preferences.
This page describes how to connect a private Cloud Data Fusion instance to a
private Cloud SQL instance that hosts a MySQL database. A similar setup
works for Postgres and SQL Server instances.Public connections are possible.
Recommended: For security reasons, use
private instances of Cloud SQL and Cloud Data Fusion.
Create private instances in Cloud Data Fusion and Cloud SQL
To connect to a private Cloud SQL instance from a private
Cloud Data Fusion instance, you use a proxy Compute Engine VM. A proxy
is required because the Cloud SQL network is not directly peered with
the Cloud Data Fusion network, and transitive peers cannot communicate with
each other (see theVPC Network Peering overview).
To create the private instances, follow these steps:
After the instance is created, go to the Cloud SQLInstancespage and expand theInstance details. In theConnect to this
instancesection, copy the IP and the connection name.
To create the VM, you can enter the following commands inCloud Shellor another environment where theGoogle Cloud SDKis installed.
The commands create a VM with both internal and public IP addresses
(--no-addressisn't specified in the sample VM creation command) so that the
VM can access the Container Registry to get the proxy image. You can use internal
IPs, but you also mustenable Private Google Accessfor
the subnet where the VM is located.
Export the following environmental variables:
exportPROJECT=CUSTOMER_PROJECTexportREGION=VM_REGIONexportZONE=`gcloudcomputezoneslist--filter="name=${REGION}"--limit1--uri--project=${PROJECT}|sed's/.*\///'`exportNETWORK=CUSTOMER_VPC_NETWORK_NAMEexportSUBNET=CUSTOMER_VPC_SUBNET_NAMEexportINSTANCE_NAME=COMPUTE_ENGINE_VM_NAMEexportSQL_CONN=SQL_INSTANCE_CONNECTION_NAMEexportCDF_IP_RANGE=CLOUD_DATA_FUSION_IP_RANGEexportVM_IMAGE=$(gcloudcomputeimageslist--project=$PROJECT--filter=family:cos-stable--format='value(selfLink.scope())'--limit=1)exportSQL_PORT=DB_PORT# MySQL 3306 # PostgreSQL 5432 # SQLServer 1433
Replace the following:
CUSTOMER_PROJECT: Your project's name
VM_REGION: The region where the
Compute Engine VM is located
CUSTOMER_VPC_NETWORK_NAME: Your network's name
CUSTOMER_VPC_SUBNET_NAME: Your subnetwork's
name
COMPUTE_ENGINE_VM_NAME: The name of the
Compute Engine VM
SQL_INSTANCE_CONNECTION_NAME: The connection
name from the previous step
CLOUD_DATA_FUSION_IP_RANGE: The IP address
range
DB_PORT: The port number of the
Cloud SQL database
Create a firewall rule to allow Cloud Data Fusion ingress traffic with
the following gcloud CLI command:
Get the IP to be used in Cloud Data Fusion MySQL JDBC connection string
when you set up the connection:
echo${IP}
After the VM is created with a static IP, use the IP as the host or enter it in
the JDBC connection string to access the MySQL database from
Cloud Data Fusion.
Access MySQL from within Cloud Data Fusion
Before you can connect to the MySQL instance from the Cloud Data Fusion
instance, install the MySQL JDBC driver from the Cloud Data Fusion Hub (or
directly fromMySQL community downloads).
Enter the connection details for your MySQL database in
Cloud Data Fusion. You can enter the details and test the connection on
theWranglerpage.
Optional: Other ways to connect to MySQL
You can access MySQL in the following ways in Cloud Data Fusion:
On theStudiopage, click the MySQL source plugin and enter the
connection details.
On theStudiopage, instead use the Database source plugin, which has
similar properties (Connection string,Username,Password, andConnection Arguments).
Other connections
Although connecting private instances is recommended, the following connections
are possible:
A public Cloud Data Fusion instance to a public Cloud SQL
instance (by using a public Cloud SQL proxy or allowlisting the0.0.0.0/0range in an authorized network). See thepublic IP connection optionfor Cloud SQL.
A private Cloud Data Fusion instance and public Cloud SQL
instance (by using a public Cloud SQL proxy in an authorized
network).
A public Cloud Data Fusion instance and a private Cloud SQL
instance.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide explains how to securely connect a private Cloud Data Fusion instance to a private Cloud SQL instance, such as MySQL, using a proxy Compute Engine VM.\u003c/p\u003e\n"],["\u003cp\u003eConnecting private instances of Cloud Data Fusion and Cloud SQL is highly recommended for enhanced security, and requires the use of VPC peering between the Cloud Data Fusion network and your project's VPC.\u003c/p\u003e\n"],["\u003cp\u003eA proxy Compute Engine VM is essential because the Cloud SQL network and Cloud Data Fusion network are not directly peered and cannot communicate transitively.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves creating private instances in both Cloud Data Fusion and Cloud SQL, setting up a proxy VM with a static internal IP, and configuring firewall rules to allow traffic from Cloud Data Fusion.\u003c/p\u003e\n"],["\u003cp\u003eWhile the document emphasizes private instance connections, it also briefly outlines other connection possibilities, such as using public instances, although these options are less secure.\u003c/p\u003e\n"]]],[],null,["# Connect to a Cloud SQL-MySQL source\n\nThis page describes how to connect a private Cloud Data Fusion instance to a\nprivate Cloud SQL instance that hosts a MySQL database. A similar setup\nworks for Postgres and SQL Server instances. [Public connections are possible](#other-connections).\n| **Note:** [VPC peering](/data-fusion/docs/how-to/create-private-ip#set-up-vpc-peering) is used to connect the Cloud Data Fusion network to your project's VPC. You can connect the Cloud SQL network to your project's VPC using VPC peering or VPN. \n| This page assumes that you're using VPC peering to connect the Cloud SQL network to your project's VPC. If you're using VPN, then don't perform the tasks described on this page. To establish the connection, you can use the internal IP address of the Cloud SQL instance in Cloud Data Fusion.\n\n**Recommended**: For security reasons, use\nprivate instances of Cloud SQL and Cloud Data Fusion.\n\nCreate private instances in Cloud Data Fusion and Cloud SQL\n-----------------------------------------------------------\n\nTo connect to a private Cloud SQL instance from a private\nCloud Data Fusion instance, you use a proxy Compute Engine VM. A proxy\nis required because the Cloud SQL network is not directly peered with\nthe Cloud Data Fusion network, and transitive peers cannot communicate with\neach other (see the [VPC Network Peering overview](/vpc/docs/vpc-peering)).\n\nTo create the private instances, follow these steps:\n\n1. If you don't already have one, [create a private Cloud Data Fusion\n instance](/data-fusion/docs/how-to/create-private-ip). This includes:\n\n 1. Setting up a VPC network\n 2. Allocating an IP range\n2. [Create a private Cloud SQL instance](/sql/docs/mysql/create-instance)\n in the same VPC network as your Cloud Data Fusion instance.\n\n3. After the instance is created, go to the Cloud SQL **Instances**\n page and expand the **Instance details** . In the **Connect to this\n instance** section, copy the IP and the connection name.\n\n [Go to Cloud SQL Instances](https://console.cloud.google.com/sql/instances)\n\nCreate a private Compute Engine VM\n----------------------------------\n\nTo create the VM, you can enter the following commands in\n[Cloud Shell](/shell) or another environment where the\n[Google Cloud SDK](/sdk/docs) is installed.\n\nThe commands create a VM with both internal and public IP addresses\n(`--no-address` isn't specified in the sample VM creation command) so that the\nVM can access the Container Registry to get the proxy image. You can use internal\nIPs, but you also must\n[enable Private Google Access](/vpc/docs/configure-private-google-access) for\nthe subnet where the VM is located.\n\n1. Export the following environmental variables:\n\n export PROJECT=\u003cvar translate=\"no\"\u003eCUSTOMER_PROJECT\u003c/var\u003e\n export REGION=\u003cvar translate=\"no\"\u003eVM_REGION\u003c/var\u003e\n export ZONE=`gcloud compute zones list --filter=\"name=${REGION}\" --limit 1 --uri --project=${PROJECT}| sed 's/.*\\///'`\n export NETWORK=\u003cvar translate=\"no\"\u003eCUSTOMER_VPC_NETWORK_NAME\u003c/var\u003e\n export SUBNET=\u003cvar translate=\"no\"\u003eCUSTOMER_VPC_SUBNET_NAME\u003c/var\u003e\n export INSTANCE_NAME=\u003cvar translate=\"no\"\u003eCOMPUTE_ENGINE_VM_NAME\u003c/var\u003e\n export SQL_CONN=\u003cvar translate=\"no\"\u003eSQL_INSTANCE_CONNECTION_NAME\u003c/var\u003e\n export CDF_IP_RANGE=\u003cvar translate=\"no\"\u003eCLOUD_DATA_FUSION_IP_RANGE\u003c/var\u003e\n export VM_IMAGE=$(gcloud compute images list --project=$PROJECT --filter=family:cos-stable --format='value(selfLink.scope())' --limit=1)\n export SQL_PORT=\u003cvar translate=\"no\"\u003eDB_PORT\u003c/var\u003e # MySQL 3306 # PostgreSQL 5432 # SQLServer 1433\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCUSTOMER_PROJECT\u003c/var\u003e: Your project's name\n - \u003cvar translate=\"no\"\u003eVM_REGION\u003c/var\u003e: The region where the Compute Engine VM is located\n - \u003cvar translate=\"no\"\u003eCUSTOMER_VPC_NETWORK_NAME\u003c/var\u003e: Your network's name\n - \u003cvar translate=\"no\"\u003eCUSTOMER_VPC_SUBNET_NAME\u003c/var\u003e: Your subnetwork's name\n - \u003cvar translate=\"no\"\u003eCOMPUTE_ENGINE_VM_NAME\u003c/var\u003e: The name of the Compute Engine VM\n - \u003cvar translate=\"no\"\u003eSQL_INSTANCE_CONNECTION_NAME\u003c/var\u003e: The connection name from the previous step\n - \u003cvar translate=\"no\"\u003eCLOUD_DATA_FUSION_IP_RANGE\u003c/var\u003e: The IP address range\n - \u003cvar translate=\"no\"\u003eDB_PORT\u003c/var\u003e: The port number of the Cloud SQL database\n2. Create a firewall rule to allow Cloud Data Fusion ingress traffic with\n the following gcloud CLI command:\n\n gcloud compute firewall-rules create allow-private-cdf \\\n --allow=tcp:22,tcp:${SQL_PORT} \\\n --source-ranges=$CDF_IP_RANGE --network=$NETWORK --project=$PROJECT\n\n3. Create the VM with the following gcloud CLI command:\n\n gcloud compute --project=${PROJECT} instances create ${INSTANCE_NAME} \\\n --zone=${ZONE} \\\n --machine-type=g1-small \\\n --subnet=${SUBNET} \\\n --metadata=startup-script=\"docker run -d -p 0.0.0.0:${SQL_PORT}:${SQL_PORT} gcr.io/cloudsql-docker/gce-proxy:latest /cloud_sql_proxy -instances=${SQL_CONN}=tcp:0.0.0.0:${SQL_PORT}\" \\\n --maintenance-policy=MIGRATE \\\n --scopes=https://www.googleapis.com/auth/cloud-platform \\\n --image=${VM_IMAGE} \\\n --image-project=cos-cloud\n\n4. Get the VM internal IP with the following gcloud CLI command:\n\n export IP=`gcloud compute \\\n --project=${PROJECT} instances describe ${INSTANCE_NAME} \\\n --zone ${ZONE} | grep \"networkIP\" | awk '{print $2}'`\n\n5. Promote the VM internal IP to a static IP with the following\n gcloud CLI command:\n\n gcloud compute --project=${PROJECT} addresses create mysql-proxy \\\n --addresses ${IP} --region ${REGION} --subnet ${SUBNET}\n\n6. Get the IP to be used in Cloud Data Fusion MySQL JDBC connection string\n when you set up the connection:\n\n echo ${IP}\n\nAfter the VM is created with a static IP, use the IP as the host or enter it in\nthe JDBC connection string to access the MySQL database from\nCloud Data Fusion.\n\nAccess MySQL from within Cloud Data Fusion\n------------------------------------------\n\nBefore you can connect to the MySQL instance from the Cloud Data Fusion\ninstance, install the MySQL JDBC driver from the Cloud Data Fusion Hub (or\ndirectly from\n[MySQL community downloads](https://dev.mysql.com/downloads/file/?id=462850)).\n| **Note:** In this case, use the general MySQL driver instead of Cloud SQL-MySQL driver.\n\nEnter the connection details for your MySQL database in\nCloud Data Fusion. You can enter the details and test the connection on\nthe **Wrangler** page.\n\n### Optional: Other ways to connect to MySQL\n\nYou can access MySQL in the following ways in Cloud Data Fusion:\n\n- On the **Studio** page, click the MySQL source plugin and enter the connection details.\n- On the **Studio** page, instead use the Database source plugin, which has\n similar properties (**Connection string** , **Username** , **Password** , and\n **Connection Arguments**).\n\n | **Note:** Unlike the MySQL plugins, the Database plugin isn't designed specifically for MySQL connections. You must understand the JDBC string format to add the connection details.\n\nOther connections\n-----------------\n\nAlthough connecting private instances is recommended, the following connections\nare possible:\n\n- A public Cloud Data Fusion instance to a public Cloud SQL instance (by using a public Cloud SQL proxy or allowlisting the `0.0.0.0/0` range in an authorized network). See the [public IP connection option](https://cloud.google.com/sql/docs/mysql/connect-overview#public_ip) for Cloud SQL.\n- A private Cloud Data Fusion instance and public Cloud SQL instance (by using a public Cloud SQL proxy in an authorized network).\n- A public Cloud Data Fusion instance and a private Cloud SQL\n instance."]]
