Confusion Around Creating a VPC Access Connector
I am trying to set up Serverless VPC access

Serverless VPC Access enables you to connect from your Cloud Functions directly to Compute Engine VM instances, Memorystore instances, Cloud SQL instances,

Sounds great. But the documentation is not super friendly to a beginner. Step 2 is to create a connector, about which I have a couple of questions:

In the Network field, select the VPC network to connect to.

My dropdown here contains only "Default". Is this normal? What should I expect to see here?

In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.

I don't know what to do here. I tried using the information in the linked document to first) enter an IP from the region I had selected, and, second) enter an IP from outside that region. Both resulted in connectors that were created with the error "Connector is in a bad state, manual deletion is recommended".

The documentation continues with a couple of troubleshooting steps if the creation fails:

Specify an IP range that does not overlap with any existing IP address reservations in the VPC network.

I don't know what this means. Maybe like, if I have other connectors I should be sure the IP range for the new one doesn't overlap with those. That's just a guess, but anyway I have none.

Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. See Setting image access constraints for information on how to update your organization policy accordingly.

This leads me to another document about updating my organization's "Image Policy". This one has me so out of my depth, I don't even think I should be here.

This has all started with just wanting to connect to a SQL Server instance from Firebase. Creating the VPC connector seems like a good step, but I've just fallen at every hurdle. Can a cloud-dweller please help me with a few of these points of confusion?

Hypnotherapy answered 3/1, 2020 at 16:56 Comment(11)
Might this help ... the-swamp.info/blog/… – Tracytrade
@Tracytrade Yes that is pretty helpful. However I think I'm a little bit confused about the private IP bit. When I try to select that under GCP=>SQL=>Connections=>Check box for Private IP, I thought I would be shown a private IP I could connect to. However that's not the case. It's just saying "This instance will use the existing managed service connection". Which I thought, okay maybe it means, go ahead and use your old public IP, but that doesn't work either. Any ideas there? – Hypnotherapy
@Tracytrade I tried using the IP used when I created the connector, but that does not work either :/ – Hypnotherapy
I ran through some tests. I created a MySQL DB and asked it for a private IP. I got an RFC1917 IP. No issues there. All seems to work. I'm not sure about your issue ... I'm not seeing one. I think it is important that you get VPC Networking under your belt. This is GCP logical networking. Think of it as a software network that your Compute Engines and Cloud SQL instances have their IP addresses upon. This is a private network. Your goal will be that your Cloud Function will eventually be able to route traffic onto it and hence your DB will be private (no Internet/public). – Tracytrade
@Tracytrade Thanks for doing that. Checking back on this after a quick nap, it seems that it just took a while for the new private IP to show up in my instance's Overview page. All of these operations have taken a long time to run, and I guess that in particular was super slow, but now my VPC tether works! Thank you! As far as "I think it is important that you get VPC Networking under your belt", I agree that I have a pretty loose understanding of the concepts that have led me here. Do you have any reading you would recommend to shore up this knowledge? Thanks again so much. Cheers. – Hypnotherapy
There are some good books on GCP, the docs are also pretty good. I'm also a big fan of the GCP section of Medium (medium.com/google-cloud). The online courses at Coursera (coursera.org/programs/google-specialization) are where I spent a lot of time. Also, your questions are great and if you keep them coming, all will attempt to respond. Like all our other areas, nothing comes immediately and the only way is to read and plug at it. Oh ... also the GCP channel on YouTube ... youtube.com/user/googlecloudplatform – Tracytrade
Hi, I've been through all these steps but my connector still results in a bad state if I try to add it to my specific network -- if I just select 'default' there it will be able to create the connector but otherwise always results in the same bad state. – Vivienne
@Vivienne You ever figure this out? Having the same issue. – Manno
@Manno yes -- I have no idea what I configured but it was something with my subnet configuration, here's a screenshot of my settings: i.imgur.com/yGo3iIT.png – Vivienne
@Vivienne Hmm, there's not many options in subnet config and mine looks like yours... mind sending what your VPC access connector looks like? Or maybe it's your configuration of the main VPC network that fixed it? – Manno
@Vivienne I fixed it... yep it was my subnet, I made a new one with a range of 10.0.0.0/20 instead of 10.0.0.0/8. – Manno

I think you've resolved the issue but I will write an answer to summarize all the steps for future reference.

1. Create a Serverless VPC Access

I think the best reference is to follow the steps in this doc. In step 7, it says the following:

In the IP range field, enter an unreserved CIDR /28 IP range.

The IP you can use is for example 10.8.0.0/28 or even 10.64.0.0/28 with the condition it is not in use for any other network. You can check which IPs are in use going to VPC Network > VPC networks. In the Network field you will have the "default" option so it's okay.

This can take some minutes, so in the meantime you can create your SQL Server/MySQL/PostgreSQL instance.
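The "check which IPs are in use" step above is where most bad-state connectors come from: the /28 you type must not sit inside any subnet already in the VPC (the comment thread shows a 10.0.0.0/8 subnet swallowing the connector range while 10.0.0.0/20 does not). The following Node.js snippet is an added example, not code from the answer or from Google; it parses CIDR blocks, reports which existing subnet ranges a candidate /28 collides with, and walks upward to the first free /28. The subnet lists are constructed samples; in practice paste the ranges shown under VPC Network > VPC networks.

```javascript
// Constructed sample: the two subnet sizes from the comment thread above.
const WIDE_SUBNET = ['10.0.0.0/8'];
const NARROW_SUBNET = ['10.0.0.0/20'];

function ipToInt(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Parse "a.b.c.d/n" into the numeric first/last address of the block.
function parseCidr(cidr) {
  const [ip, prefixStr] = cidr.split('/');
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error('invalid prefix length: ' + cidr);
  }
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const start = (ipToInt(ip) & mask) >>> 0;
  return { start, end: (start | (~mask >>> 0)) >>> 0, prefix };
}

// Two blocks overlap when neither one ends before the other starts.
function overlaps(a, b) {
  const x = parseCidr(a), y = parseCidr(b);
  return x.start <= y.end && y.start <= x.end;
}

// Existing ranges the candidate /28 collides with; empty means it is usable.
function connectorRangeConflicts(candidate, existingRanges) {
  if (parseCidr(candidate).prefix !== 28) {
    throw new Error('connector range must be a /28: ' + candidate);
  }
  return existingRanges.filter((r) => overlaps(candidate, r));
}

// Walk /28 blocks upward from `from` and return the first conflict-free one.
function firstFreeConnectorRange(from, existingRanges, maxTries = 4096) {
  let start = parseCidr(from).start;
  for (let i = 0; i < maxTries; i++, start = (start + 16) >>> 0) {
    const cidr = intToIp(start) + '/28';
    if (connectorRangeConflicts(cidr, existingRanges).length === 0) return cidr;
  }
  return null;
}
```

Run `connectorRangeConflicts('10.8.0.0/28', yourSubnetRanges)` with the ranges from your own VPC before creating the connector; a non-empty result explains the "bad state" before you hit it.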

2. Creating a CloudSQL instance

Create your desired instance (MySQL/PostgreSQL/SQL Server). In your case it will be a SQL Server instance. Also check these steps to configure the Private IP for your instance at creation time or if you have created an instance you can check this. Take note of the Private IP as you will use it later.

3. Create a Cloud function

Before creating your Cloud Function, you have to grant permission to the CF service account to use the VPC. Please follow these steps.

Then follow these steps to configure the connector of your function to use the VPC. In step 5 it says the following:

In the VPC connector field, enter the fully-qualified name of your connector in the following format:

projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME

It is not necessary to add your VPC with this format. There is already a list where you can choose your VPC. Finally deploy your function.

I wrote a little function to test the connection. I would prefer to use Python but it needs more system dependencies than NodeJS.

index.js:

var sql = require("mssql");

exports.helloWorld = (req, res) => {
    // Connection settings: `server` is the Cloud SQL instance's private IP,
    // which is only reachable through the Serverless VPC Access connector.
    var config = {
        user: 'sqlserver',
        password: 'password',
        server: 'Your.SQL.Private.IP',
        database: 'dbname'
    };

    // connect to your database
    sql.connect(config, function (err) {
        if (err) {
            console.log(err);
            // always answer the HTTP request, otherwise the function hangs until timeout
            return res.status(500).send('Database connection failed');
        }

        // create Request object
        var request = new sql.Request();

        // query to the database and get the records
        request.query('select * from a_table', function (err, result) {
            if (err) {
                console.log(err);
                return res.status(500).send('Query failed');
            }

            // mssql >= 4 returns a result object; the rows are in result.recordset
            res.send(result.recordset);
        });
    });
};

package.json:

{
  "name": "sample-http",
  "version": "0.0.1",
  "dependencies": {
    "express": "4.17.1",
    "mssql": "6.0.1"
  }
}

And that's all! :D

It's important to mention that this procedure is more about connecting Cloud Functions to SQL Server as there is already an easier way to connect CF to PostgreSQL and MySQL.

Cup answered 4/1, 2020 at 4:10 Comment(4)
Hi, I've been through all these steps but my connector still results in a bad state if I try to add it to my specific network -- if I just select 'default' there it will be able to create the connector but otherwise always results in the same bad state. – Vivienne
Hi, when I am selecting the asia-south1 region it always gives the bad state error. However I was able to create one when I selected us-central1 region. Any solution? – Interblend
@Interblend Were you able to solve the issue? Apparently everyone in this region is having an issue. – Corvin
And the issue with this region is still going on. Did anyone find the solution? – Experimentation

I discovered that there exists a hard limit on how many IPs you can use for such connectors. You can increase the quota or you can switch to another region. Hard limits on IPs are imposed by quota on the free tier: https://console.cloud.google.com/iam-admin/quotas.

When not in free tier, you can request an increment on quota.

Immensity answered 16/1, 2023 at 10:0 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Niagara

In my case, I needed to add projects/serverless-vpc-access-images to

https://console.cloud.google.com/iam-admin/orgpolicies/compute-trustedImageProjects

as we were enforcing whitelisting of image projects.

Once I added that, I was able to create a VPC Connector.

Chip answered 27/10, 2023 at 19:59 Comment(0)