
I'm going to connect from the instance in Project-A (custom VPC) to CloudSQL Postgres in Project-B (default VPC). The documentation says that I need to peer these two VPCs. The peering status is "Active". In Project-A I also have cloudsql_auth_proxy. Once I execute cloudsql_auth_proxy, I get this:

root@cloudsql-auth-proxy:~# ./cloud_sql_proxy -instances=projectB:us-west1:postgres=tcp:0.0.0.0:5432
2022/12/29 16:46:59 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2022/12/29 16:47:01 Listening on 0.0.0.0:5432 for -instances=projectB:us-west1:postgres=tcp:0.0.0.0:5432
2022/12/29 16:47:01 Ready for new connections
2022/12/29 16:47:01 Generated RSA key in 244.541948ms

When I try to connect to the cloudsql_proxy like this, it hangs:

psql -h xxx.xxx.xxx.xxx -p 5432 -U proxyuser -d postgres

The output of cloudsql_auth_proxy looks like this:

2022/12/29 16:48:00 New connection for "-instances=projectB:us-west1:postgres"
2022/12/29 16:48:00 refreshing ephemeral certificate for instance -instances=projectB:us-west1:postgres
2022/12/29 16:48:00 Scheduling refresh of ephemeral certificate in 55m0s
: dial tcp 10.35.144.3:3307: connect: connection timed out

Any thoughts about this?

  • You can't connect to a Cloud SQL instance by using a VPC peering. Read stackoverflow.com/questions/72171009/… Commented Dec 29, 2022 at 19:16
  • Non-transitive VPC peering makes the link impossible. Use a shared VPC or..... a VPN (to peer the 2 VPCs), yes, a VPN... Commented Dec 29, 2022 at 21:22

2 Answers 2


You'll need to deploy a Socks5 proxy in Project B VPC to provide a network path between VPCs. Dante is a popular choice.

Once you have a Socks5 proxy running, you can launch the Proxy pointing at it.

See https://github.com/GoogleCloudPlatform/cloud-sql-proxy#running-behind-a-socks5-proxy.


1 Comment

So basically I'm trying to configure Datastream to enable streaming data from CloudSQL to BigQuery. Our CloudSQL instance is in project-A, Datastream in project-B. Project-A has vpc-A, which is peered with vpc-B in Project-B. vpc-A has cloudsql_auth proxy and I'm able to ping or log in to this database via cloudsql_auth_proxy using psql from VPC-B (Project-B), but I'm not able to connect to the cloudsql_auth_proxy from Datastream. I need to be able to connect Datastream (Project-A) to the CloudSQL (Project-B) using a private connection. Thank you!

If you are looking at cross-VPC CloudSQL traffic in 2023, look at PSC for CloudSQL - only works with MySQL and Postgres

https://cloud.google.com/blog/products/databases/private-service-connect-with-managed-databases


I think you might have posted this on the GCP subreddit too! :P

To expand on @enocom's answer with some diagrams.

For reference: potatoes-are-great-they-dont-care-about-transitivity

  1. VPC non-transitivity in GCP makes this a bit awkward.
  2. I am a bit puzzled by a GCP design that would require running two extra GCE constructs + a socks proxy + a cloud_sql_auth proxy. That's a lot of bits to interconnect GCP native services like CloudSQL and Datastream.
  3. I don't think I can remove any of the current pieces. If we remove vm-002, Datastream won't be able to reach vm-001 due to the lack of transitivity.

Reference Dante config to remove the authentication from the socks proxy. Don't do this in prod - just for the sake of a simple test ;)

  1. In /etc/danted.conf:
  2. systemctl restart danted.service
  3. systemctl status danted.service

logoutput: syslog
clientmethod: none
socksmethod: none

# The listening network interface or address.
internal: 0.0.0.0 port=1080

# The proxying network interface or address.
external: ens4

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}
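An added example (not part of this answer or of Dante itself): a small shell audit that flags the open settings in the test danted.conf above so they do not quietly survive past the test. The subnet 10.138.0.0/20 and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above: audit a danted.conf for the open
# settings of the quick test (no SOCKS auth, any source, any destination) so
# they are caught before the proxy stays running. The subnet 10.138.0.0/20
# and the file paths are constructed assumptions.

# Print one WARN line per open setting; return 0 if none were found, else 1.
audit_danted_conf() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        /^[ \t]*socksmethod:[ \t]*none/ {
            print "WARN: socksmethod: none -> no SOCKS authentication"; n++
        }
        /^[ \t]*socks pass/ { insocks = 1 }
        /from:[ \t]*0\.0\.0\.0\/0/ {
            print "WARN: rule accepts any source (from: 0.0.0.0/0)"; n++
        }
        insocks && /to:[ \t]*0\.0\.0\.0\/0/ {
            print "WARN: socks rule relays to any destination (to: 0.0.0.0/0)"; n++
        }
        /[}]/ { insocks = 0 }               # reset after the rule block closes
        END { exit (n > 0) }
    ' "$1"
}

# Constructed copy of the test config from the answer (one rule per line).
write_open_conf() {
    cat > "$1" <<'EOF'
logoutput: syslog
clientmethod: none
socksmethod: none
internal: 0.0.0.0 port=1080
external: ens4
client pass { from: 0.0.0.0/0 to: 0.0.0.0/0 }
socks pass { from: 0.0.0.0/0 to: 0.0.0.0/0 }
EOF
}

# Constructed hardened variant: username auth, only the peered subnet may use
# the proxy, and only the Cloud SQL private IP on 3307 is reachable through it.
write_hardened_conf() {
    cat > "$1" <<'EOF'
logoutput: syslog
socksmethod: username
internal: 0.0.0.0 port=1080
external: ens4
client pass { from: 10.138.0.0/20 to: 0.0.0.0/0 }
socks pass { from: 10.138.0.0/20 to: 10.35.144.3/32 port = 3307 }
EOF
}
```

Run it as `audit_danted_conf /etc/danted.conf` on the proxy VM; a non-zero exit means the test-only settings are still in place.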

6 Comments

Yeah! Thank you for the response, I appreciate your help. I did everything as this diagram shows and when I run ALL_PROXY=socks5://10.138.0.13:1080 ./cloud_sql_proxy -instances=mega-project-34522:us-west1:datastream-test=tcp:0.0.0.0:5432 -credentials_file=credentials.json I got these errors: 2023/01/13 20:30:44 couldn't connect to "mega-project-34522:us-west1:datastream-test": socks connect tcp 10.138.0.13:1080->10.35.144.3:3307: no acceptable authentication methods
Ah yes, you can remove the authentication layer from Dante to test it out. I added a config snippet in the main post.
That works! Thank you so much, I appreciate your help! I was stuck on this project for 2 weeks...
No problem! VPC transitivity and GCP native services interconnections is a bit challenging.
I'm considering deploying danted5 on Kubernetes in project A. I already have a Docker image. I want to deploy this image but I don't know how to expose it with a static private IP address to use it in cloudsql_auth_proxy in project B
