Connect to the CloudSQL Postgres from different project


I'm going to connect from an instance in Project-A (custom VPC) to a CloudSQL Postgres in Project-B (default VPC). The documentation says that I need to peer these two VPCs. The peering status is in the "Active" state. In Project-A I also have cloudsql_auth_proxy. Once I execute cloudsql_auth_proxy, I get this:

root@cloudsql-auth-proxy:~# ./cloud_sql_proxy -instances=projectB:us-west1:postgres=tcp:0.0.0.0:5432
2022/12/29 16:46:59 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2022/12/29 16:47:01 Listening on 0.0.0.0:5432 for -instances=projectB:us-west1:postgres=tcp:0.0.0.0:5432
2022/12/29 16:47:01 Ready for new connections
2022/12/29 16:47:01 Generated RSA key in 244.541948ms

When I try to connect to the cloudsql_proxy like this: psql -h xxx.xxx.xxx.xxx -p 5432 -U proxyuser -d postgres, it hangs.

The output of cloudsql_auth_proxy looks like this:

2022/12/29 16:48:00 New connection for "-instances=projectB:us-west1:postgres"
2022/12/29 16:48:00 refreshing ephemeral certificate for instance -instances=projectB:us-west1:postgres
2022/12/29 16:48:00 Scheduling refresh of ephemeral certificate in 55m0s
: dial tcp 10.35.144.3:3307: connect: connection timed out

Any thoughts about this?

2

There are 2 answers

1
enocom On

You'll need to deploy a Socks5 proxy in Project B VPC to provide a network path between VPCs. Dante is a popular choice.

Once you have a Socks5 proxy running, you can launch the Proxy pointing at it.

See https://github.com/GoogleCloudPlatform/cloud-sql-proxy#running-behind-a-socks5-proxy.

6
LaurentDumont On

If you are looking at cross-VPC CloudSQL traffic in 2023, look at PSC for CloudSQL - it only works with MySQL and Postgres.

https://cloud.google.com/blog/products/databases/private-service-connect-with-managed-databases


I think you might have posted this on the GCP subreddit too! :P

To expand on @enocom's answer with some diagrams:

For reference: potatoes-are-great-they-dont-care-about-transitivity

  1. VPC non-transitivity in GCP makes this a bit awkward.
  2. I am a bit puzzled by a GCP design that would require running two extra GCE constructs + a socks proxy + a cloud_sql_auth proxy. That's a lot of bits to interconnect GCP native services like CloudSQL and Datastream.
  3. I don't think I can remove any of the current pieces. If we remove vm-002, Datastream won't be able to reach vm-001 due to the lack of transitivity.

Reference Dante config to remove the authentication from the socks proxy. Don't do this in prod - it's just for the sake of a simple test ;)

  1. In /etc/danted.conf:

       logoutput: syslog
       clientmethod: none
       socksmethod: none

       # The listening network interface or address.
       internal: 0.0.0.0 port=1080

       # The proxying network interface or address.
       external: ens4

       client pass {
           from: 0.0.0.0/0 to: 0.0.0.0/0
       }

       socks pass {
           from: 0.0.0.0/0 to: 0.0.0.0/0
       }

  2. systemctl restart danted.service
  3. systemctl status danted.service
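Added example, not code from either answer and not from the Dante or Cloud SQL Auth Proxy projects: a minimal SOCKS5 CONNECT exchange in Python with both roles on loopback, showing what the clientmethod: none / socksmethod: none lines in the config above actually negotiate (the method bytes on the wire), and what a failed dial to the database endpoint, the "connection timed out" from the question, looks like from the Auth Proxy's side. It assumes the Auth Proxy is started with the ALL_PROXY=socks5://<dante-vm>:1080 environment variable described in the linked README (the client half below plays that role); the echo listener standing in for the Cloud SQL 3307 endpoint, and every address and port, are constructed for the demo, and the relay after CONNECT is reduced to a single round trip.

```python
import socket
import struct
import threading

# SOCKS5 (RFC 1928) constants. Dante's "socksmethod: none" means the server only
# accepts METHOD_NO_AUTH; "socksmethod: username" would require METHOD_USERPASS.
SOCKS_VERSION, CMD_CONNECT, ATYP_IPV4 = 0x05, 0x01, 0x01
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_REJECTED = 0x00, 0x02, 0xFF
REP_SUCCEEDED, REP_CONN_REFUSED = 0x00, 0x05

def _recv_exact(sock, n):
    """Read exactly n bytes; SOCKS5 handshake fields are fixed-width."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def _reply(sock, rep, bound=("0.0.0.0", 0)):
    # CONNECT reply: VER REP RSV ATYP BND.ADDR BND.PORT
    sock.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
                 + socket.inet_aton(bound[0]) + struct.pack("!H", bound[1]))

def serve_one(listener, allowed_methods):
    """Server half (Dante's role in Project B): handle one client connection."""
    conn, _ = listener.accept()
    with conn:
        _ver, nmethods = _recv_exact(conn, 2)
        offered = _recv_exact(conn, nmethods)
        chosen = next((m for m in allowed_methods if m in offered), METHOD_REJECTED)
        conn.sendall(bytes([SOCKS_VERSION, chosen]))
        if chosen == METHOD_REJECTED:
            return  # no acceptable auth method; the client must close
        _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
        assert cmd == CMD_CONNECT and atyp == ATYP_IPV4, "demo handles CONNECT to IPv4 only"
        dst_ip = socket.inet_ntoa(_recv_exact(conn, 4))
        dst_port = struct.unpack("!H", _recv_exact(conn, 2))[0]
        try:
            upstream = socket.create_connection((dst_ip, dst_port), timeout=2)
        except OSError:
            return _reply(conn, REP_CONN_REFUSED)  # the dial to the DB endpoint failed
        with upstream:
            _reply(conn, REP_SUCCEEDED, upstream.getsockname()[:2])
            upstream.sendall(conn.recv(4096))  # one request and its response;
            conn.sendall(upstream.recv(4096))  # a real proxy relays both ways in a loop

def socks5_connect(proxy_addr, dst_ip, dst_port, offer=(METHOD_NO_AUTH,)):
    """Client half (the Auth Proxy's role). Returns (chosen method, reply code, socket)."""
    s = socket.create_connection(proxy_addr, timeout=2)
    s.sendall(bytes([SOCKS_VERSION, len(offer)]) + bytes(offer))
    _ver, chosen = _recv_exact(s, 2)
    if chosen == METHOD_REJECTED:
        s.close()
        return chosen, None, None
    s.sendall(bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
              + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port))
    _ver, rep, _rsv, _atyp = _recv_exact(s, 4)
    _recv_exact(s, 6)  # BND.ADDR + BND.PORT, unused here
    if rep != REP_SUCCEEDED:
        s.close()
        return chosen, rep, None
    return chosen, rep, s

def demo(offer=(METHOD_NO_AUTH,), allowed=(METHOD_NO_AUTH,), target_up=True):
    """Constructed loopback scenario: an echo listener stands in for Cloud SQL's :3307."""
    target = socket.create_server(("127.0.0.1", 0))
    proxy = socket.create_server(("127.0.0.1", 0))
    target.settimeout(1)
    t_ip, t_port = target.getsockname()

    def echo_once():
        try:
            c, _ = target.accept()
        except OSError:  # accept timed out, or the listener was closed (target_up=False)
            return
        with c:
            c.sendall(c.recv(4096))

    threads = [threading.Thread(target=serve_one, args=(proxy, allowed), daemon=True),
               threading.Thread(target=echo_once, daemon=True)]
    if not target_up:
        target.close()  # the port is now closed: an unreachable DB endpoint
    for t in threads: t.start()
    chosen, rep, s = socks5_connect(proxy.getsockname(), t_ip, t_port, offer)
    reply = None
    if s is not None:
        with s:
            s.sendall(b"ping")
            reply = s.recv(4096)
    for t in threads: t.join(timeout=3)
    proxy.close()
    target.close()
    return chosen, rep, reply

if __name__ == "__main__":
    print(demo())                                 # (0, 0, b'ping')
    print(demo(allowed=(METHOD_USERPASS,)))       # (255, None, None)
    print(demo(target_up=False))                  # (0, 5, None)
```

The three runs map onto the thread: demo() is the working path with the posted config; demo(allowed=(METHOD_USERPASS,)) is what a proxy that insists on username/password answers to a client that only offers no-auth (method byte 0xFF, and CONNECT never happens); demo(target_up=False) is the proxy returning reply code 0x05 because its own dial to the database address failed, which is the stage at which the Auth Proxy in the question logs the dial error instead. The defensive reading of the config above: with socksmethod: none and client/socks pass from 0.0.0.0/0, any host that can reach port 1080 on the Dante VM can relay to anything its external interface reaches, so the VPC firewall rule on that port becomes the only control; outside a test, keep a username method and narrow from: to the Auth Proxy VM and to: to the Cloud SQL private IP and port 3307.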