Hello,
I tried to set up Cloud SQL PostgreSQL with a VPC, and now I want to delete it. However, this instance has deletion protection enabled = true, so I need to start it first to disable this setting.
When I try to start the instance, I get the following error:
ERROR: (gcloud.sql.instances.patch) [ERROR_SN_SUBNET_CREATION_FAILURE] Failed to create subnetwork. Instance is missing Shared VPC Host Network. Service Networking API addSubnetwork has to be called first. Learn more: https://cloud.google.com/sql/docs/mysql/troubleshooting#creating-instances
I tried to do this from Terraform, and with a gcloud command like "gcloud sql instances patch my-database --activation-policy=always --network my-vpc".
How can I start (actually forcibly delete) this SQL instance?
Thanks.
You've encountered a common issue with Cloud SQL instances configured with private IP addresses in a Shared VPC environment. The error (ERROR_SN_SUBNET_CREATION_FAILURE) indicates the Service Networking API must create a dedicated subnetwork within your Shared VPC host project. Here's how to resolve this issue and delete your Cloud SQL instance with deletion protection:
In the Shared VPC Host Project:
Enable Service Networking API
gcloud services enable servicenetworking.googleapis.com
Grant Required Permissions
Assign roles/compute.networkUser to the service account:
service-<PROJECT_NUMBER>@service-networking.iam.gserviceaccount.com
Create Dedicated IP Range
gcloud compute addresses create google-managed-services-my-vpc \
--global \
--purpose=VPC_PEERING \
--prefix-length=16 \
--network=YOUR_SHARED_VPC_NETWORK
Establish Service Networking Connection
gcloud services vpc-peerings connect \
--service=servicenetworking.googleapis.com \
--ranges=google-managed-services-my-vpc \
--network=YOUR_SHARED_VPC_NETWORK
In the Service Project (with Cloud SQL Instance):
Start the Cloud SQL Instance
gcloud sql instances patch my-database --activation-policy=always
Disable Deletion Protection
gcloud sql instances patch my-database --no-deletion-protection
Delete the Instance
gcloud sql instances delete my-database
@ms4446 Thank you for your response. My reply post still does not appear. Trying to post again...
So, unfortunately that operation doesn’t work. I actually found those steps online and tried them, but I still get the following error when starting the Cloud SQL instance:
“Instance is missing Shared VPC Host Network. Service Networking API addSubnetwork has to be called first.”
It's confusing why the error mentions Shared VPC even though I don't use Shared VPC.
The problem was probably caused by me deleting the VPC after creating the Cloud SQL instance. So I hope there’s a way to forcibly delete the instance.
Thanks for clarifying—this specific error can occur if you create a private IP Cloud SQL instance attached to a VPC and later delete that VPC, leaving the instance in a broken state. Even though the error mentions "Shared VPC," it's actually generic messaging related to the private services connection. Here's how you can solve this:
Forcibly delete Cloud SQL instance stuck due to missing VPC
Step-by-step solution:
Since your VPC has been deleted, the instance is orphaned and can't start because it depends on a private IP connection through Service Networking API. To forcibly resolve this, you must temporarily recreate the original private service networking connection with the same network name, even if you don't plan to keep it afterward.
Step 1: Recreate the Original VPC (temporarily)
First, recreate the exact VPC (using the original name) and subnet (with a CIDR range matching or overlapping the original private service connection). For example:
gcloud compute networks create my-vpc --subnet-mode=custom
gcloud compute networks subnets create my-subnet \
--network=my-vpc \
--region=YOUR_REGION \
--range=10.20.0.0/24
Step 2: Recreate the Private Service Networking Connection
Next, recreate the missing Service Networking connection:
gcloud compute addresses create google-managed-services-temp \
--global \
--purpose=VPC_PEERING \
--prefix-length=24 \
--network=my-vpc
gcloud services vpc-peerings connect \
--service=servicenetworking.googleapis.com \
--ranges=google-managed-services-temp \
--network=my-vpc
This re-establishes the missing private connectivity required to restart your SQL instance.
Step 3: Start your Cloud SQL instance
Now try starting the Cloud SQL instance again:
gcloud sql instances patch my-database --activation-policy=always
This should work now that the required private networking components are restored.
Step 4: Disable deletion protection
With the instance running, immediately disable deletion protection:
gcloud sql instances patch my-database --no-deletion-protection
Step 5: Delete the Cloud SQL instance
Now delete your instance:
gcloud sql instances delete my-database
After the instance is successfully deleted, you can safely remove the temporary VPC and service networking connections again:
gcloud services vpc-peerings delete --network=my-vpc --service=servicenetworking.googleapis.com
gcloud compute addresses delete google-managed-services-temp --global
gcloud compute networks subnets delete my-subnet --region=YOUR_REGION
gcloud compute networks delete my-vpc
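
Added example, not part of the answers above: a small Python check that reads saved gcloud JSON output and reports which step of the procedure in this thread applies, so an orphaned private-IP instance is recognised before anyone tries to start or delete it. The sample JSON is constructed, the project name is a placeholder, and the field names used for the vpc-peerings output are an assumption.

```python
import json

# Constructed sample: trimmed `gcloud sql instances describe my-database --format=json`.
INSTANCE = json.loads("""{
  "name": "my-database",
  "settings": {
    "activationPolicy": "NEVER",
    "deletionProtectionEnabled": true,
    "ipConfiguration": {
      "privateNetwork": "projects/example-project/global/networks/my-vpc"
    }
  }
}""")
# Constructed sample: `gcloud compute networks list --format=json` after the VPC was deleted.
NETWORKS = json.loads('[{"name": "default"}]')
# Constructed sample: `gcloud services vpc-peerings list --network=my-vpc --format=json`
# (the "service" field name is assumed from the command's default output).
PEERINGS = json.loads("[]")

SERVICE = "servicenetworking.googleapis.com"


def next_step(instance, networks, peerings):
    """Return which step of the thread's procedure applies to this state."""
    settings = instance.get("settings", {})
    private_net = settings.get("ipConfiguration", {}).get("privateNetwork")
    if private_net:
        # privateNetwork is a resource path; the last segment is the VPC name.
        vpc_name = private_net.rsplit("/", 1)[-1]
        if vpc_name not in {n.get("name") for n in networks}:
            return f"step 1: recreate VPC {vpc_name}"
        if not any(p.get("service", "").endswith(SERVICE) for p in peerings):
            return f"step 2: recreate the {SERVICE} peering on {vpc_name}"
    if settings.get("activationPolicy") != "ALWAYS":
        return "step 3: start the instance"
    if settings.get("deletionProtectionEnabled"):
        return "step 4: disable deletion protection"
    return "step 5: delete the instance"


if __name__ == "__main__":
    print(next_step(INSTANCE, NETWORKS, PEERINGS))
```

Running the same check against every instance in a project before deleting a VPC shows which instances still reference that network.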