Accessing Cloud SQL from another GCP project
I want to connect to Cloud SQL from a different GCP project.

Cloud SQL is located in ProjectSQL, and there is a VPC network in the ProjectSQL project with the name sql_vpc.

There is another project, ProjectDataflow, and it has a VPC dataflow_vpc. I want to connect to the Cloud SQL in ProjectSQL from a VM launched in the ProjectDataflow project.

Things I have tried, with success and failure:

Private ACCESS:

VPC Peering:

Enable Private IP access in Cloud SQL with the VPC sql_vpc
Create VPC peering between dataflow_vpc and sql_vpc
This solution does not work because you cannot access the peered network.
https://cloud.google.com/sql/docs/mysql/private-ip
Status: FAILED

Shared Network

As per the doc I can create the Cloud SQL in a shared VPC network, which says I have to create the Cloud SQL in the host project, and to access the Cloud SQL from a VM instance, it has to be in the same network as the authorized private IP network of Cloud SQL.
Status: NOT TRIED but looks to be negative

Public Access:

Create a Cloud NAT in ProjectDataflow with dataflow_vpc with a manual IP
Use the Cloud NAT public IP to whitelist in the Cloud SQL instance
Now I can access the Cloud SQL from project ProjectDataflow using the Cloud SQL public IP
Status: SUCCESS

Please share your experience accessing Cloud SQL from another project. Is there any best practice to connect to Cloud SQL from another GCP project?

Downrange answered 24/6, 2019 at 18:27 Comment(0)
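The asker's working path (Cloud NAT plus whitelisting), written out as an added example rather than the asker's own commands: a reserved static NAT IP in ProjectDataflow and only that /32 authorized on the Cloud SQL instance, with TLS required on the public endpoint. The region, the router and NAT names and the instance name are assumptions, and network names are hyphenated because GCP rejects underscores.

```shell
#!/usr/bin/env bash
# Added example (not the asker's own commands): Cloud NAT in ProjectDataflow
# with a reserved static IP, and only that /32 authorized on the Cloud SQL
# instance in ProjectSQL. Assumed, not from the page: REGION, the router/NAT
# names and SQL_INSTANCE. GCP network names cannot contain underscores, so the
# page's dataflow_vpc is written dataflow-vpc.
GCLOUD="${GCLOUD:-gcloud}"        # set GCLOUD=echo to print commands only
SQL_PROJECT="${SQL_PROJECT:-ProjectSQL}"
DF_PROJECT="${DF_PROJECT:-ProjectDataflow}"
REGION="${REGION:-us-central1}"
SQL_INSTANCE="${SQL_INSTANCE:-sql-instance}"   # hypothetical instance name

# Reserve the NAT address: an auto-allocated NAT IP can be replaced, which
# would silently break an allow-list keyed on it.
reserve_nat_ip() {
  $GCLOUD compute addresses create dataflow-nat-ip \
    --region="$REGION" --project="$DF_PROJECT"
}

# Cloud Router plus a Cloud NAT that egresses only through the reserved address.
create_nat() {
  $GCLOUD compute routers create dataflow-router --network=dataflow-vpc \
    --region="$REGION" --project="$DF_PROJECT"
  $GCLOUD compute routers nats create dataflow-nat --router=dataflow-router \
    --region="$REGION" --project="$DF_PROJECT" \
    --nat-external-ip-pool=dataflow-nat-ip --nat-all-subnet-ip-ranges
}

# Authorize exactly the NAT /32 and require TLS, since traffic crosses the
# public IP. Note: --authorized-networks replaces the existing list, so any
# entries that must stay have to be passed again alongside the new one.
allowlist_nat_ip() {
  local nat_ip
  nat_ip=$($GCLOUD compute addresses describe dataflow-nat-ip \
    --region="$REGION" --project="$DF_PROJECT" --format='value(address)')
  $GCLOUD sql instances patch "$SQL_INSTANCE" --project="$SQL_PROJECT" \
    --authorized-networks="${nat_ip}/32" --require-ssl
}

# Apply all three steps in order; call main after sourcing this file.
main() { reserve_nat_ip && create_nat && allowlist_nat_ip; }
```

Run with GCLOUD=echo first to review the exact commands before applying them against real projects.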
EDIT:

Newer instances seem to have this option enabled by default and there is no need to contact support anymore. However, if after all the process the setup is still not working, it may be necessary to contact support.

IMPORTANT: The VPC peering option will not work anymore, as stated in the documentation, more precisely in the Considerations topic. Therefore the only available option to achieve it is using Shared VPCs.

The process of interconnecting Cloud SQL with another GCP project is pretty straightforward following the documentation. The only thing you need to take into consideration in order to make it work is that you will have to request Google Cloud Support to enable custom routes for the Cloud SQL speckle-umbrella instance your Cloud SQL is running under; otherwise you won't be able to access your Cloud SQL from your GCP project.

The following steps will work for you:

-Configuring VPC for Cloud SQL instance

Inside the project where you have your Cloud SQL instance, create a VPC network with the IP address range of your choice. Choose the same zone for the VPC as the one in which your instance is located.

-Configuring VPC for GCP project

Now switch to the project where your Cloud Dataflow instance is located and follow the same process. Create the VPC network, being careful that the IP ranges do not collide with each other. You can use the following tool to check whether the IP address ranges collide. Also take into consideration that both VPC networks must be in the same zone.

-Connecting VPC of both projects with peering

Once both VPC networks are created, you need to configure the VPC network peering from both projects. From the Cloud SQL instance side, configure the peering specifying the project and VPC network name to connect with, and also select the option to export custom routes. This way the other side of the peering, in this case your GCP project, will have visibility of your Cloud SQL instance. Now, from the GCP project side, configure the peering specifying the Cloud SQL project name and the VPC network name to connect with. The same way we did with the Cloud SQL peering, we have to set up the peering to import custom routes, as it will receive the exported routes coming from the other side of the connection, which in our case is your Cloud SQL instance.

Here you can check more information about importing and exporting routes between any VPC network peerings.

-Request Google Cloud Support to enable the exchange of custom routes for your Cloud SQL

Reach out to Google Cloud Support and ask them to enable the exchange of custom routes for the speckle-umbrella VPC network associated with your instance, which is automatically created when the Cloud SQL instance is created.

Take into consideration that this last step is very important: all SQL projects run under the umbrella project, hence without requesting Google Cloud Support to enable the exchange of custom routes for your instance this will never work.

Shared VPC

As for Shared VPC, the only thing you need to take into consideration is that you need to enable the option when creating your Cloud SQL instance, as you can't add it afterwards.

You will find a configuration guide for Shared VPC in the following link.

Blindage answered 25/6, 2019 at 15:46 Comment(7)
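The gcloud form of the peering steps in the answer above, as an added example and not the answerer's own commands: a custom-mode VPC per project, the private services access range that creates the Cloud SQL producer peering, and the two peerings with custom-route export on the SQL side and import on the Dataflow side. Region, subnet ranges and hyphenated network names are assumptions, and, as the answer's EDIT states, this peering path is no longer supported for Cloud SQL, so the block shows the route-exchange mechanics rather than a supported setup.

```shell
#!/usr/bin/env bash
# Added example of the answer's steps (not the answerer's own commands).
# Assumed, not from the page: REGION, the subnet ranges, and the hyphenated
# names sql-vpc / dataflow-vpc (GCP network names cannot contain underscores).
GCLOUD="${GCLOUD:-gcloud}"           # set GCLOUD=echo to print commands only
SQL_PROJECT="${SQL_PROJECT:-ProjectSQL}"
DF_PROJECT="${DF_PROJECT:-ProjectDataflow}"
REGION="${REGION:-us-central1}"
SQL_RANGE="${SQL_RANGE:-10.10.0.0/24}"   # must not overlap DF_RANGE or the
DF_RANGE="${DF_RANGE:-10.20.0.0/24}"     # /16 reserved for Cloud SQL below

# One custom-mode VPC with a single subnet in the given project.
# Arguments: project network subnet-range
create_vpc() {
  $GCLOUD compute networks create "$2" --subnet-mode=custom --project="$1"
  $GCLOUD compute networks subnets create "$2-subnet" --network="$2" \
    --range="$3" --region="$REGION" --project="$1"
}

# Reserve the range Google allocates Cloud SQL private IPs from and connect
# Service Networking to sql-vpc; this creates the peering to the producer
# ("speckle-umbrella") VPC that the answer refers to.
connect_private_services() {
  $GCLOUD compute addresses create sql-vpc-psa --global --purpose=VPC_PEERING \
    --prefix-length=16 --network=sql-vpc --project="$SQL_PROJECT"
  $GCLOUD services vpc-peerings connect \
    --service=servicenetworking.googleapis.com --ranges=sql-vpc-psa \
    --network=sql-vpc --project="$SQL_PROJECT"
}

# SQL side exports custom routes; Dataflow side imports them. The peering
# only becomes ACTIVE once both halves exist.
peer_networks() {
  $GCLOUD compute networks peerings create sql-to-dataflow --network=sql-vpc \
    --peer-project="$DF_PROJECT" --peer-network=dataflow-vpc \
    --export-custom-routes --project="$SQL_PROJECT"
  $GCLOUD compute networks peerings create dataflow-to-sql \
    --network=dataflow-vpc --peer-project="$SQL_PROJECT" \
    --peer-network=sql-vpc --import-custom-routes --project="$DF_PROJECT"
}

# Apply all steps in order; call main after sourcing this file.
main() {
  create_vpc "$SQL_PROJECT" sql-vpc "$SQL_RANGE"
  create_vpc "$DF_PROJECT" dataflow-vpc "$DF_RANGE"
  connect_private_services
  peer_networks
}
```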
Thanks for the detailed answer. 1. For the peering side, I understand that a peered network can't talk to a sibling peered network. The key point I noticed, and as you explained, is that we can talk to the Cloud SQL VPC network by exporting and importing routes and raising a request to the Google Cloud support team to enable that. 2. Shared VPC might not be a good solution for my case because I have a production database running. 3. What I used is: I created a Cloud NAT in the client project and used the Cloud NAT public IP to whitelist inside the Cloud SQL. (Downrange)
Your solution looks good to me, but I feel like this feature should be available without the intervention of the Support Team. (Downrange)
For now, the Google Cloud Platform Support intervention is needed as the feature is still in beta. Once the importing and exporting custom routes for VPC peering feature hits General Availability in some months, the procedure will change and the intervention won't be needed. That's also because Cloud SQL is in General Availability, so things don't get messed up and problems start arising in the product. You can see the [beta tag] in one of the previous links I shared with you. Happy to help; if this answer or any other one solved your issue, please consider marking it as accepted. (Blindage)
Thanks, looking forward to seeing this feature in GA. (Downrange)
If you want to open a private issue with the Google Cloud SQL product team to ask them to enable your custom routes for Cloud SQL, you can use the following link: issuetracker.google.com/issues/new?component=491274 . As this is private, you can safely enter the information required. Please be careful that the project number is needed, not the ID nor the name. Also please mention my Stack Overflow username so I can keep track of the issue. (Blindage)
Is there a way to access Cloud SQL from another project just using a Service Account created in the same IAM as the Cloud SQL? (Northington)
You need to give permissions to that Service Account in the external project; that way this SA will be able to execute actions in a project different from the one where it was created. (Blindage)
