Cannot access google cloud SQL from google container engine
I'm still having problems accessing the cloud SQL instance from a GCE container. When I try to open up mysql, I get the following error:

ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0

The connection works fine from my local machine, though (The instance has a public IP and I have added my office's IP to the 'allowed Networks'). So, the instance is accessible through the internet just fine.

I guess the db's access control is blocking my access from the gce network, but I'm unable to figure out how to configure this.

I added my project to "Authorized App Engine Applications" in the Cloud SQL control panel, but that doesn't seem to help.

EDIT: If I add "0.0.0.0/0" to Allowed Networks, all works well. This is obviously not what I want, so what do I need to enter instead?

EDIT2: I could also add all public IPs from my kubernetes cluster (obtained through gcloud compute instances list) and add them to the cloud sql access list manually. But, this doesn't seem to be right, does it?

Cystotomy answered 5/6, 2015 at 11:50

Hi, I have the same problem. How did you deal with it? I think Google Cloud SQL does not allow IPs from Google Container Engine; then where do I add the IP, and which IP? (Confrere)
The recommended solution is to use an SSL connection with that 0.0.0.0/0 CIDR. This is to limit the connection to the correct key. I also read that they won't promise you a specific IP range, so the /14 CIDR might not work sometimes. I had to do the SSL connection with my Cloud SQL for the same reasons.

Limicolous answered 9/6, 2015 at 13:1

Ah, I didn't see this article. Thanks. (Cystotomy)
If I create the pem following that tutorial, then how do I use it? (Confrere)
That depends on how you need to use it. I probably need a bit more info than that. (Limicolous)
I have asked the same question here: #33773948. In the DATABASE_URL I am using a full connection-string format. Then how do I add the --ssl-ca, --ssl-cert, and --ssl-key options? (Confrere)
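The answer above relies on the client certificate and pinned server CA being the only thing standing between 0.0.0.0/0 and your database, and the comment asks how the downloaded pem files are actually used. The following is an added example (not code from the thread or from Google) of the pre-flight checks a practitioner would run before wiring those files into a client: it verifies each file carries the PEM label it should, that the private key is not readable by the whole container image, and builds both an ssl.SSLContext (for drivers that accept one) and the equivalent mysql CLI arguments. The file names server-ca.pem, client-cert.pem and client-key.pem follow what the Cloud SQL console hands out but are assumptions here; write_placeholder_files() writes PEM-shaped placeholders with no real key material, so only the cheap checks can run on them.

```python
"""Pre-flight checks for a client-certificate (mutual TLS) connection to Cloud
SQL, as used when the authorized network is 0.0.0.0/0.

Added example, not from the thread. The file names are assumptions; the
placeholder files written below contain no real key material.
"""
import os
import ssl
import stat
import tempfile


def pem_kind(path):
    """Label of the first PEM block in the file, e.g. 'CERTIFICATE'."""
    with open(path) as fh:
        for line in fh:
            if line.startswith("-----BEGIN ") and line.rstrip().endswith("-----"):
                return line.strip()[len("-----BEGIN "):-len("-----")]
    return None


def key_is_private(path):
    """True only when the key file is not readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def check_material(ca, cert, key):
    """Return a list of problems; an empty list means the files look sane.
    Catches the two common mistakes: files passed in the wrong order, and a
    key that every process in the image can read."""
    problems = []
    if pem_kind(ca) != "CERTIFICATE":
        problems.append(f"{ca}: expected the server CA certificate")
    if pem_kind(cert) != "CERTIFICATE":
        problems.append(f"{cert}: expected the client certificate")
    kind = pem_kind(key) or ""
    if "PRIVATE KEY" not in kind:
        problems.append(f"{key}: expected a PEM private key")
    elif not key_is_private(key):
        problems.append(f"{key}: readable by group/others; chmod 600 it")
    return problems


def make_ssl_context(ca, cert, key):
    """Context for any client that accepts an ssl.SSLContext.  The server
    certificate is validated against the pinned Cloud SQL CA; hostname
    checking is off because the Cloud SQL server certificate is issued to the
    instance name, not to the IP you connect to.  load_cert_chain also fails
    if the key does not match the certificate, which is a useful check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def mysql_argv(host, user, ca, cert, key):
    """The mysql CLI equivalent: server CA pinned, client certificate presented."""
    return ["mysql", f"--host={host}", f"--user={user}", "-p",
            f"--ssl-ca={ca}", f"--ssl-cert={cert}", f"--ssl-key={key}"]


def write_placeholder_files(directory=None):
    """Constructed stand-ins with the right PEM labels and no real key data."""
    directory = directory or tempfile.mkdtemp()
    names = {"server-ca.pem": "CERTIFICATE", "client-cert.pem": "CERTIFICATE",
             "client-key.pem": "RSA PRIVATE KEY"}
    paths = []
    for name, label in names.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----\n")
        paths.append(path)
    return tuple(paths)


def demo():
    """Problems reported for a loose key, a locked-down key, and swapped files."""
    ca, cert, key = write_placeholder_files()
    os.chmod(key, 0o644)
    loose = check_material(ca, cert, key)
    os.chmod(key, 0o600)
    locked = check_material(ca, cert, key)
    swapped = check_material(key, cert, ca)   # CA and key passed in the wrong order
    return loose, locked, swapped


if __name__ == "__main__":
    for label, problems in zip(("loose", "locked", "swapped"), demo()):
        print(label, problems or "ok")
    ca, cert, key = write_placeholder_files()
    print(" ".join(mysql_argv("<cloud-sql-public-ip>", "root", ca, cert, key)))
```

Run check_material() at container start and refuse to proceed on any problem; with 0.0.0.0/0 in the authorized networks, the private key and the database password are the whole perimeter, so treat the key file like a credential (mount it from a secret, mode 0600, never baked into the image).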
You should use the public IP addresses of the GCE instances to correctly allow traffic to your Cloud SQL instance (as you mentioned in EDIT2).

You can find more information in Cloud SQL documentation: https://cloud.google.com/sql/docs/gce-access

Unfit answered 8/6, 2015 at 12:49

Yes, that would work. The catch is that I think I'd like to have ephemeral IPs on the single nodes. That's at least the default when creating a container engine cluster. Also, I would need a static IP for each and every node in the cluster as well. But oh well, container engine (and kubernetes) seem to be cutting edge, so I guess I have to live with some of this. It's just bugging me a little... (Cystotomy)
If you add the /14 CIDR block for your Container Engine cluster as the source address range does that work?

To find the CIDR block for your cluster, click on the cluster name in the Google Cloud Console and find the row labeled "Container address range".

Ascogonium answered 7/6, 2015 at 5:18

Thanks for your suggestion. Unfortunately, it doesn't even let me enter it. Says "Private networks cannot be whitelisted". (Cystotomy)
I can create a firewall rule that uses 10.0.0.0/8 or 10.28.0.0/14 as the source range. (Ascogonium)
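The two answers above pull in opposite directions: one says to allowlist the nodes' public IPs (EDIT2, `gcloud compute instances list`), the other tries the cluster's 10.28.0.0/14 container range and gets "Private networks cannot be whitelisted". The following added example (not code from the thread or from Google) shows why only the first can work and automates it: it reads the instance list, keeps only the external NAT address of each node, rejects private ranges and 0.0.0.0/0 the way the console does, and builds the `gcloud sql instances patch --authorized-networks` command. SAMPLE_INSTANCES is constructed to mimic the shape of `gcloud compute instances list --format=json` (only the fields used here); the node names, IPs and the Cloud SQL instance name are made up.

```python
"""Derive a Cloud SQL authorized-networks list from GKE node public IPs.

Added example, not from the thread.  SAMPLE_INSTANCES is constructed to look
like `gcloud compute instances list --format=json`, limited to the fields used
here; all names and addresses are made up.
"""
import ipaddress
import json

SAMPLE_INSTANCES = json.loads("""
[
  {"name": "gke-cluster-1-node-1",
   "networkInterfaces": [{"networkIP": "10.240.0.2",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "104.155.1.10"}]}]},
  {"name": "gke-cluster-1-node-2",
   "networkInterfaces": [{"networkIP": "10.240.0.3",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "130.211.2.20"}]}]},
  {"name": "bastion",
   "networkInterfaces": [{"networkIP": "10.240.0.9", "accessConfigs": []}]}
]
""")


def rejection_reason(cidr):
    """None if the CIDR is acceptable as an authorized network, else why not.
    Cloud SQL refuses private ranges (the console's "Private networks cannot
    be whitelisted"); 0.0.0.0/0 is refused here because it allows everyone."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        return f"{cidr}: matches every address on the internet"
    if net.is_private:
        return f"{cidr}: private networks cannot be whitelisted"
    return None


def validate_authorized_network(cidr):
    """Return the normalised CIDR or raise ValueError."""
    reason = rejection_reason(cidr)
    if reason:
        raise ValueError(reason)
    return str(ipaddress.ip_network(cidr, strict=True))


def node_public_cidrs(instances, name_prefix="gke-"):
    """One /32 per external NAT IP of every node whose name matches.
    The VPC address (networkIP, 10.x) is deliberately ignored: Cloud SQL sees
    the node's NAT address, never its internal one, which is why the /14
    container range can never be the right entry."""
    cidrs = []
    for inst in instances:
        if not inst["name"].startswith(name_prefix):
            continue
        for nic in inst.get("networkInterfaces", []):
            for cfg in nic.get("accessConfigs", []):
                nat_ip = cfg.get("natIP")
                if nat_ip:
                    cidrs.append(validate_authorized_network(f"{nat_ip}/32"))
    return cidrs


def patch_argv(sql_instance, cidrs, keep=()):
    """`gcloud sql instances patch --authorized-networks` replaces the whole
    list, so pass the entries you must retain (e.g. the office IP) in `keep`."""
    merged = []
    for cidr in list(keep) + list(cidrs):
        cidr = validate_authorized_network(cidr)
        if cidr not in merged:
            merged.append(cidr)
    return ["gcloud", "sql", "instances", "patch", sql_instance,
            "--authorized-networks=" + ",".join(merged)]


if __name__ == "__main__":
    # Real usage: instances = json.loads(subprocess.run(
    #     ["gcloud", "compute", "instances", "list", "--format=json"],
    #     capture_output=True, check=True).stdout)
    print(" ".join(patch_argv("my-sql-instance", node_public_cidrs(SAMPLE_INSTANCES))))
    for bad in ("10.28.0.0/14", "0.0.0.0/0"):
        print("rejected:", rejection_reason(bad))
```

The caveat from the comments still stands: with ephemeral node addresses the list goes stale on every node recreation, so this has to run from something that watches the node pool (or the nodes get static addresses); until then a stale entry is an unintended allow for whoever inherits the old IP.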

© 2022 - 2024 — McMap. All rights reserved.