This page provides an overview of the ways in which you can connect to your Cloud SQL instance.
Before you can connect to a Cloud SQL instance, you need to decide how to deploy and configure your Cloud SQL instance and supporting networking resources. If your Cloud SQL instance is already configured and deployed, then this page can help you understand the different ways that you can connect your clients to the existing instance.
IP address type: private or public
When you first create your Cloud SQL instance, you can choose whether to configure the instance with a public IP address, a private IP address, or a combination of both.
You choose the IP address configuration of your instance based on your application requirements. Then after you configure your instance, you specify either a public IP address, a private IP address, or in some cases a DNS name in your client connection string.
Do you need to connect from clients hosted on VPC networks inside Google Cloud or from clients that have access to those VPC networks?
If yes, then choose a private IP address for the instance.
Do you need to connect from clients outside the Google Cloud VPC network over the public internet?
If yes, then choose a public IP address for the instance.
The following types of private networking configurations are supported:
- Private services access: connect to Cloud SQL instances from a single VPC network using VPC Network Peering.
- Private Service Connect: connect to Cloud SQL instances from multiple VPC networks that belong to different groups, projects, or organizations.
For more information about choosing a private networking configuration, see Private networking options: private services access or Private Service Connect.
When you connect directly to an instance using a public IP address, you must configure authorized networks, that is, the CIDR ranges that are allowed to reach the instance's public IP address. Authorized networks restrict where connections can come from; they do not authenticate the client.
A more secure alternative for connecting to a Cloud SQL instance that uses a public IP address is to use a Cloud SQL connector (such as the Cloud SQL Auth Proxy or one of the Cloud SQL Language Connectors).
For instructions about adding a public IP address to your instance, see Configure public IP.
To connect to a Cloud SQL instance using a public IP address, you can use the psql client or another available client.
Recommendation: For improved security, we recommend that you configure your instance with a private IP address type unless you have specific requirements for an internet-accessible Cloud SQL instance, or if you're connecting from a client that doesn't meet the requirements for a VPC.
Connection type: Cloud SQL connector or direct
When you make the connection to a Cloud SQL instance, you can use a Cloud SQL connector, or you can make a direct connection.
A Cloud SQL connector is either the Cloud SQL Auth Proxy or one of the Cloud SQL Language Connectors.
Cloud SQL connectors are beneficial in the following scenarios:
- When you want to connect to a Cloud SQL instance using a public IP address without having to configure authorized networks.
- When you want to encrypt traffic to and from the database automatically with server and client identity verification without having to manage SSL certificates.
- When you're using IAM database authentication and want to refresh your OAuth 2.0 access tokens automatically.
- When you're connecting from a client or application that uses a dynamically assigned or ephemeral IP address. Dynamic IP configuration can be common for Platform as a Service (PaaS) applications.
Using a direct connection provides the following benefits:
- Lower latency compared to connections using Cloud SQL connectors.
- No additional package or library dependency, unlike Cloud SQL connectors.
When you use a direct connection, you're responsible for configuring the SSL/TLS settings yourself, including verifying the server certificate on the client side; nothing is enforced for you.
The Cloud SQL connectors are:
- Cloud SQL Auth Proxy, or
- Cloud SQL Language Connectors, including
- Cloud SQL Java connector
- Cloud SQL Python connector
- Cloud SQL Go connector
- Cloud SQL Node.js connector
The following Google Cloud services use an embedded Cloud SQL Auth Proxy when you connect to a Cloud SQL instance over a public IP address:
To configure SSL/TLS certificates on the Cloud SQL instance and for your client, do the following:
- Choose a server CA mode for your instance.
- Configure your instance to enforce SSL/TLS encryption for connections on the instance.
- Create client certificates.
- Download your server and client certificates.
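The client-side half of this procedure is where direct connections usually go wrong: libpq's sslmode=require encrypts the session but does not check the server certificate, so a direct connection only gets the server identity verification that the connectors provide automatically if the client is set to verify-ca or verify-full and is pointed at the downloaded server CA. The following Python is an added example, not code from the Cloud SQL documentation or from the Cloud SQL Python connector. It encodes that policy: given the instance's --ssl-mode setting and the certificate files downloaded in the steps above, it either produces libpq connection parameters or explains why the configuration is unsafe or would be refused by the instance. The class and function names, the file names server-ca.pem, client-cert.pem and client-key.pem, and the assumption that Cloud SQL server certificates identify the instance by name rather than by IP address are this example's own.

```python
# Added example (not from the Cloud SQL docs): client-side TLS policy for a direct
# connection to Cloud SQL for PostgreSQL, expressed as libpq connection parameters.
# ClientTls, rejection_reason, direct_connection_params and to_dsn are this
# example's own names; the --ssl-mode values and libpq sslmode values are real.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Instance-side enforcement, as set with:
#   gcloud sql instances patch INSTANCE --ssl-mode=<one of these>
ALLOW_UNENCRYPTED = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
ENCRYPTED_ONLY = "ENCRYPTED_ONLY"
CLIENT_CERT_REQUIRED = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"

# libpq sslmode values. Only the last two validate the server certificate chain
# against sslrootcert, and only verify-full also checks the name you dialled.
LIBPQ_SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
VERIFYING_SSLMODES = ("verify-ca", "verify-full")


@dataclass(frozen=True)
class ClientTls:
    """Certificate material downloaded from the instance (paths are constructed)."""
    server_ca: str                      # server CA chain, e.g. server-ca.pem
    client_cert: Optional[str] = None   # client certificate, e.g. client-cert.pem
    client_key: Optional[str] = None    # matching private key, e.g. client-key.pem
    sslmode: str = "verify-ca"          # verify-ca is the minimum this policy accepts


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rejection_reason(host: str, instance_ssl_mode: str, tls: ClientTls) -> Optional[str]:
    """Why this client configuration is unsafe or would be refused, or None if it is fine."""
    if tls.sslmode not in LIBPQ_SSLMODES:
        return f"unknown sslmode {tls.sslmode!r}"
    if tls.sslmode not in VERIFYING_SSLMODES:
        # 'require' and weaker modes encrypt but never check who terminates the TLS
        # session, so an on-path attacker with any certificate can read the traffic.
        return f"sslmode={tls.sslmode} does not verify the server identity; use verify-ca or verify-full"
    if tls.sslmode == "verify-full" and _is_ip_literal(host):
        # verify-full matches the dialled name against the certificate; assumption:
        # the Cloud SQL server certificate names the instance, not its IP address.
        return "verify-full needs the instance DNS name, not an IP literal; connect by name or use verify-ca"
    if bool(tls.client_cert) != bool(tls.client_key):
        return "client_cert and client_key must be given together"
    if instance_ssl_mode == CLIENT_CERT_REQUIRED and not tls.client_cert:
        return "instance requires a trusted client certificate; supply client_cert and client_key"
    return None


def direct_connection_params(host: str, dbname: str, user: str,
                             instance_ssl_mode: str, tls: ClientTls) -> Dict[str, str]:
    """libpq keyword parameters for a direct connection; ValueError if the policy fails.

    ALLOW_UNENCRYPTED_AND_ENCRYPTED on the instance is deliberately not trusted:
    the client still insists on a verified TLS session.
    """
    reason = rejection_reason(host, instance_ssl_mode, tls)
    if reason:
        raise ValueError(reason)
    params = {
        "host": host,
        "dbname": dbname,
        "user": user,
        "sslmode": tls.sslmode,
        "sslrootcert": tls.server_ca,
    }
    if tls.client_cert and tls.client_key:
        params["sslcert"] = tls.client_cert
        params["sslkey"] = tls.client_key
    return params


def to_dsn(params: Dict[str, str]) -> str:
    """Render as a libpq keyword/value string accepted by psql and psycopg."""
    def quote(value: str) -> str:
        if value == "" or any(c in value for c in " '\\"):
            return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
        return value
    return " ".join(f"{key}={quote(value)}" for key, value in params.items())


if __name__ == "__main__":
    tls = ClientTls("server-ca.pem", "client-cert.pem", "client-key.pem")
    print(to_dsn(direct_connection_params("10.0.0.5", "app", "app_user", CLIENT_CERT_REQUIRED, tls)))
    weak = ClientTls("server-ca.pem", sslmode="require")
    print(rejection_reason("10.0.0.5", ENCRYPTED_ONLY, weak))
```

The string from to_dsn can be passed straight to psql as its connection argument (psql accepts a keyword/value conninfo string) or to psycopg.connect. The check for sslmode=require is the one worth keeping even if you drop the rest: it is the most common way a "direct, encrypted" connection ends up with no server identity verification at all.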
General recommendation: If you're connecting to an instance by a private IP address, use a direct connection, enforce SSL/TLS encryption on the instance, and configure SSL/TLS certificates for your connection.
If you're connecting to an instance by a public IP address, use a Cloud SQL connector (either the Cloud SQL Auth Proxy or one of the Cloud SQL Language Connectors).
Database authentication type: IAM or built-in
When you connect to an instance, you must authenticate as a database user. You can choose between built-in authentication or IAM database authentication.
You can use IAM database authentication for individual IAM users, individual service accounts, and groups. For more information, see Manage users with IAM database authentication.
If you use a Cloud SQL connector, then the connector handles the automatic refresh of the IAM access tokens. For more information, see automatic IAM database authentication.
Private networking options when using a private IP address
When you configure your instance to use a private IP address, you can choose the following private networking options: private services access, Private Service Connect, or both.
Supported features
The following table lists the features that Cloud SQL supports when you connect to an instance that's configured with one or both of the private networking options.
| Feature | Instance with private services access only | Instance with Private Service Connect only | Instance with both private services access and Private Service Connect |
|---|---|---|---|
| Connect from multiple VPCs | Not supported. | Supported. | Supported by using the Private Service Connect endpoint. |
| | Supported. | Not supported. | Supported by using outbound connectivity for private services access. |
| | Supported. | Not supported. | Supported by using outbound connectivity for private services access. |
| | Supported. | Not supported. | Supported for private services access. |
| | Supported. | Not applicable. | Not supported for private services access because the instance has Private Service Connect enabled for it. Not applicable for Private Service Connect. |
| Visibility of the client IP address to Cloud SQL | Supported. | Not supported. | Supported by using the private services access IP address. Not supported by using the Private Service Connect endpoint. |
Remove networking options from an instance
Cloud SQL supports the removal of the following networking options from an instance:
- Public IP from an instance with both private services access and public IP
- Public IP from an instance with public IP, private services access, and Private Service Connect
- Private Service Connect from an instance with both Private Service Connect and private services access
- Private Service Connect from an instance with Private Service Connect, private services access, and public IP
Enable networking options for an instance
Cloud SQL supports enabling the following connection options for instances:
- Private services access on an instance with public IP only
- Private Service Connect on an instance with private services access only
- Private Service Connect on an instance with both private services access and public IP
- Public IP on an instance with private services access only
Limitations
- You can't create an instance with both a public IP address and Private Service Connect.
- You can't remove private services access from an instance with private services access and Private Service Connect.
- You can't remove private services access from an instance with private services access and public IP.
- If you have an instance that uses only public IP, then you can't enable both private services access and Private Service Connect at the same time. First, enable private services access, and then enable Private Service Connect.
- You can't use authorized networks to do IP address-based allowlisting for Private Service Connect instances.
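Because only some transitions between these configurations are supported, a change such as moving an instance off public IP is best checked on paper before anyone touches the instance. The following Python is an added example, not code from the Cloud SQL documentation: it encodes the enable and remove lists above and the creation limitation as data, validates a planned sequence of changes against them, and searches for a supported route from one configuration to another. The option names and functions are this example's own, and a change the lists above do not contain is reported as "not listed as supported" rather than as impossible.

```python
# Added example (not from the Cloud SQL docs): a pre-flight check for a planned
# sequence of networking changes. The transition tables encode exactly the changes
# this page lists as supported. config, apply_step, check_plan, run_plan and
# route_to are this example's own names.
from collections import deque
from typing import FrozenSet, List, Optional, Sequence, Tuple

PUBLIC_IP = "public_ip"
PSA = "private_services_access"
PSC = "private_service_connect"
OPTIONS = frozenset({PUBLIC_IP, PSA, PSC})

Config = FrozenSet[str]
Step = Tuple[str, str]  # ("enable" | "remove", option)


def config(*options: str) -> Config:
    unknown = set(options) - OPTIONS
    if unknown:
        raise ValueError(f"unknown networking option(s): {sorted(unknown)}")
    return frozenset(options)


# (current configuration, option) pairs listed under "Enable networking options".
SUPPORTED_ENABLE: List[Tuple[Config, str]] = [
    (config(PUBLIC_IP), PSA),
    (config(PSA), PSC),
    (config(PSA, PUBLIC_IP), PSC),
    (config(PSA), PUBLIC_IP),
]
# (current configuration, option) pairs listed under "Remove networking options".
SUPPORTED_REMOVE: List[Tuple[Config, str]] = [
    (config(PSA, PUBLIC_IP), PUBLIC_IP),
    (config(PUBLIC_IP, PSA, PSC), PUBLIC_IP),
    (config(PSC, PSA), PSC),
    (config(PSC, PSA, PUBLIC_IP), PSC),
]


def can_create(cfg: Config) -> Optional[str]:
    """Reason an instance cannot be created with this configuration, or None."""
    if PUBLIC_IP in cfg and PSC in cfg:
        return "cannot create an instance with both public IP and Private Service Connect"
    return None


def apply_step(cfg: Config, step: Step) -> Config:
    """Apply one enable/remove step if it is a listed transition, else raise ValueError."""
    op, option = step
    if op == "enable":
        table = SUPPORTED_ENABLE
    elif op == "remove":
        table = SUPPORTED_REMOVE
    else:
        raise ValueError(f"unknown operation {op!r}")
    if (cfg, option) not in table:
        raise ValueError(f"{op} {option} on {sorted(cfg)} is not listed as a supported change")
    return cfg | {option} if op == "enable" else cfg - {option}


def check_plan(start: Config, steps: Sequence[Step], creating: bool = False) -> Optional[str]:
    """None if the plan only uses supported changes, otherwise the first problem found."""
    if creating:
        reason = can_create(start)
        if reason:
            return reason
    cfg = start
    for step in steps:
        try:
            cfg = apply_step(cfg, step)
        except ValueError as exc:
            return str(exc)
    return None


def run_plan(start: Config, steps: Sequence[Step], creating: bool = False) -> Config:
    """Final configuration after the plan, or ValueError with the first problem."""
    reason = check_plan(start, steps, creating)
    if reason:
        raise ValueError(reason)
    cfg = start
    for step in steps:
        cfg = apply_step(cfg, step)
    return cfg


def route_to(start: Config, goal: Config) -> Optional[List[Step]]:
    """Shortest sequence of listed changes from start to goal, or None if unreachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        cfg, path = queue.popleft()
        if cfg == goal:
            return path
        for op, table in (("enable", SUPPORTED_ENABLE), ("remove", SUPPORTED_REMOVE)):
            for src, option in table:
                if src != cfg:
                    continue
                nxt = apply_step(cfg, (op, option))
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(op, option)]))
    return None


if __name__ == "__main__":
    print(route_to(config(PUBLIC_IP), config(PSA, PSC)))  # migrate off public IP
    print(route_to(config(PUBLIC_IP), config(PSC)))       # None: see usage note
```

Two results are worth noting. A public-only instance reaches private services access plus Private Service Connect in three listed steps (enable private services access, enable Private Service Connect, remove public IP), which is the order the limitations above require. A public-only instance never reaches a Private Service Connect-only configuration, because once private services access is present the lists above never allow removing it; an instance that must end up with Private Service Connect only has to be created that way.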
Tools for connecting to Cloud SQL
The following table contains some options for connecting to Cloud SQL:
Troubleshoot
If you're having problems connecting, then check the following pages for help debugging or finding solutions to known issues:
- Debugging connection issues
- Known connectivity errors
- Troubleshooting Cloud SQL Auth Proxy connection
- Common connection issues
What's next
- Learn how to connect with the Quickstart for Cloud SQL for PostgreSQL.
- Learn best practices for managing database connections.
- Learn about IAM database authentication.
- Learn about connecting using a psql client from a local machine or Compute Engine.
- Learn about configuring IP connectivity.
- Learn about the Cloud SQL Auth Proxy.
- Learn about options for support.