
How to secure the connection between BigQuery and Cloud SQL

papael
New Member

Hi All,

I'd like to ask about a situation: I want to use a BQ feature to run some queries against my Cloud SQL instance, but as I understand from some of the literature, BQ is a public endpoint which is outside.

I have to open my Cloud SQL instance to the internet (PostgreSQL port and IP address). One way to secure the connection is to restrict access from BQ to Cloud SQL in a VPC network rule, but I don't know the BigQuery IP address/network.

Is there anyone here who can help with my case, or suggest any other, better way? Thanks in advance!


RC1
Bronze 4

@papael 


Check out this: https://cloud.google.com/bigquery/docs/cloud-sql-federated-queries#public_ip

---------------------------------------------------------------------------------------------------------------------------

BigQuery Cloud SQL federation only supports Cloud SQL instances with public IP connectivity. Configure public IP connectivity for your Cloud SQL instance.

To secure your Cloud SQL instances, you can add public IP connectivity without an authorized address. This method makes your instance inaccessible from the public internet but accessible to query from BigQuery.

 

Have you tried using Private services access? The private connection enables VM instances in your VPC network and the services that you access to communicate exclusively by using internal IP addresses. This way, the connection will be internal and will not have outside connections. VM instances don't need Internet access or external IP addresses to reach services that are available through private services access.

Here is more information that can be useful for understanding the Private services access

Private services access is useful when connecting from a VPC (VMs), but the question is how to connect securely (private access) from managed services like BigQuery.

I believe it's recently supported now. According to https://cloud.google.com/bigquery/docs/connect-to-sql#create-sql-connection

To let BigQuery access Cloud SQL data over a private connection, configure private IP connectivity for a new or an existing Cloud SQL instance, and then select the Private path for Google Cloud services checkbox. This service uses an internal direct path instead of the private IP address inside of the Virtual Private Cloud.

So if you enable this flag on the Cloud SQL instance, BigQuery should be able to connect to it without a public IP.
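The two configurations quoted in this thread (public IP with no authorized networks, and private IP with the private path flag) can be checked against an instance's settings. This is an added example, not part of any reply above or of Google's documentation: it reads the Cloud SQL Admin API instance resource as returned by `gcloud sql instances describe --format=json`; the function name and sample instances are constructed, and the "no path" verdict follows the documentation quoted in this thread.

```python
import ipaddress

def assess_bq_federation(instance: dict) -> dict:
    """Classify how BigQuery can reach a Cloud SQL instance and what else can."""
    ip = instance.get("settings", {}).get("ipConfiguration", {})
    public_ip = bool(ip.get("ipv4Enabled"))
    private_ip = bool(ip.get("privateNetwork"))
    # The private path flag only applies to instances with private IP configured.
    private_path = private_ip and bool(ip.get("enablePrivatePathForGoogleCloudServices"))
    # Authorized networks only matter while the public IP is enabled.
    nets = [n["value"] for n in ip.get("authorizedNetworks", [])] if public_ip else []
    open_to_world = any(
        ipaddress.ip_network(v, strict=False).prefixlen == 0 for v in nets
    )

    if private_path:
        bq_path = "private-path"
    elif public_ip:
        bq_path = "public-ip"
    else:
        bq_path = None

    findings = []
    if open_to_world:
        findings.append("an authorized network admits every address on the internet")
    elif nets:
        findings.append("authorized networks can reach the public IP: " + ", ".join(nets))
    if public_ip and private_path:
        findings.append("public IP still enabled although the private path is available")
    if bq_path is None:
        findings.append("BigQuery has no path to this instance")
    return {"bq_path": bq_path, "open_to_world": open_to_world, "findings": findings}

# Constructed sample resources (trimmed to the fields the check reads).
VPC = "projects/example-project/global/networks/example-vpc"  # placeholder name
OPEN_PUBLIC = {"settings": {"ipConfiguration": {
    "ipv4Enabled": True, "authorizedNetworks": [{"value": "0.0.0.0/0"}]}}}
PUBLIC_NO_NETWORKS = {"settings": {"ipConfiguration": {
    "ipv4Enabled": True, "authorizedNetworks": []}}}
PRIVATE_PATH = {"settings": {"ipConfiguration": {
    "ipv4Enabled": False, "privateNetwork": VPC,
    "enablePrivatePathForGoogleCloudServices": True}}}
PRIVATE_ONLY = {"settings": {"ipConfiguration": {
    "ipv4Enabled": False, "privateNetwork": VPC}}}

if __name__ == "__main__":
    for name in ("OPEN_PUBLIC", "PUBLIC_NO_NETWORKS", "PRIVATE_PATH", "PRIVATE_ONLY"):
        print(name, assess_bq_federation(globals()[name]))
```
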

Hi, 

Thanks for sharing the Private IP option. Can I check if we are able to connect to a Cloud SQL instance inside one GCP project from BigQuery in a different GCP project?

Or would this need some sort of VPC peering to be enabled?