Based on your description, it seems you've encountered a regional limitation when using Private Service Connect (PSC) with Cloud SQL across different regions within the same organization.

Private Service Connect allows for the creation of private connections between Google Cloud services (like Cloud SQL) and your VPC networks. When you enable PSC for a Cloud SQL instance and create a PSC endpoint in a VPC, you're essentially creating a private pathway for services in that VPC to access the Cloud SQL instance without traversing the public internet.

PSC endpoints are regional resources, meaning they are designed to facilitate access to services within the same region. This regional design is primarily for performance and security reasons, ensuring that data does not unnecessarily traverse multiple regions, which could introduce latency and potential regulatory concerns.

When clients in a subnet of a different region attempt to connect to a Cloud SQL instance via a PSC endpoint, they may fail to connect because PSC does not automatically route traffic across regions. This behavior is consistent with the regional nature of PSC and is a known limitation.

Solutions and Workarounds

1. Multi-Region Setup: If you have clients in multiple regions that need to access the Cloud SQL instance, consider creating PSC endpoints in each of those regions. Each regional endpoint would need to connect to the Cloud SQL instance. This approach requires careful planning around IP address management and DNS resolution to ensure clients connect to the nearest endpoint.

2. Global Load Balancing: For services that support it, using a global load balancer can help manage cross-regional traffic. However, this is more applicable to compute resources than to Cloud SQL.

3. Cross-Region Networking Solutions: While PSC itself may not support cross-regional connections directly, other networking solutions like Cloud VPN or Cloud Interconnect can facilitate cross-regional connectivity. These solutions can be used in conjunction with PSC to enable secure, cross-regional access to Cloud SQL instances. This would involve setting up secure tunnels between regions and ensuring proper routing is in place.

The issue you're experiencing with cross-regional connectivity to a Cloud SQL instance via PSC is a result of the regional nature of PSC endpoints. To address this, you'll need to implement a solution that accommodates the regional design of PSC, such as deploying regional PSC endpoints or utilizing other Google Cloud networking services for cross-regional connectivity.

It's also worth noting that Google Cloud continuously evolves its services, so it's a good idea to check the latest documentation or reach out to Google Cloud support for any new features or best practices that might help in your scenario.

Update:

ms4446 - thanks for providing additional details.

I was able to make the endpoint work in a different region by just enabling "Global Access" on the endpoint created in the consumer VPC. This is working as expected.  

Thanks

Is it possible to enable PSC on existing Cloudsql database. Till now I have only found a way to enable it at the time of creation.

Unfortunately, you cannot enable Private Service Connect (PSC) on an existing Cloud SQL instance directly.

• When you enable PSC during Cloud SQL instance creation, it provisions a network interface for the service and assigns a Service Attachment associated with the instance.
• This network setup is fundamental to how PSC routes private traffic.

Limitations

• Cloud SQL's infrastructure doesn't currently support adding additional network interfaces or modifying the connectivity settings of existing instances.
• Retroactively enabling PSC would require substantial changes to the underlying Cloud SQL instance, which isn't possible.

Workarounds

While you cannot directly enable PSC on an existing instance, here are some options depending on your circumstances:

1. Create a New Instance with PSC:

   • Create a new Cloud SQL instance with PSC enabled.
   • Migrate your data from the existing instance to the new one using database replication or export/import tools.
   • Make sure you consider potential downtime during this migration.

2. Use an IP Whitelist:

   • If you absolutely cannot migrate to a new instance, carefully control access to your existing Cloud SQL instance using an IP whitelist.
   • This is less secure than PSC as it relies on IP-level access control, but it might be viable in some scenarios.

Important Considerations

• Downtime: The migration approach (#1) usually involves some downtime. Assess this impact against your application's requirements.
• Security: Always prioritize using PSC whenever possible due to its enhanced security compared to relying on IP whitelisting.

Thanks a lot for your reply. I am following this guide (https://cloud.google.com/sql/docs/postgres/connect-multiple-vpcs#custom-route) which suggests other options like setting up Auth proxy or Intermediate proxy (socks5). 

Do you think either of those will be helpful to get external client access database securely. Note I need to setup those because I need multiple VPC connection to the database and was hoping if any of those solution would work for External client access as well. Thanks.

You're on the right track with considering using either an Auth proxy or an Intermediate proxy (socks5) for setting up external client access to your Cloud SQL database securely.

However, it's important to note that:

Auth proxy is not recommended for external client access because it requires exposing the proxy to the public internet, which could introduce security risks.

On the other hand, Intermediate proxy (socks5) can be a viable option for external client access if you deploy the proxy in a secure environment and restrict access to authorized clients only.

Here are the steps on how to use Intermediate proxy (socks5) for external client access to a private Cloud SQL instance:

1. Deploy an intermediate proxy (socks5) in a VPC that has peering with the VPC where the Cloud SQL instance is located.
2. Configure the intermediate proxy to forward traffic to the Cloud SQL instance.
3. Grant access to the intermediate proxy only to authorized clients.
4. Configure your external clients to connect to the intermediate proxy using the socks5 protocol.

For more details on how to set up and configure an intermediate proxy (socks5), please refer to the Google Cloud documentation: https://cloud.google.com/sql/docs/postgres/connect-multiple-vpcs#custom-route

Remember that security is paramount when dealing with external client access. Make sure to follow best practices and implement appropriate security measures to protect your Cloud SQL instance.

Yes, this is true. The provided link focuses on local clients using the Auth Proxy, which wouldn't apply to your Cloud Run (VPC A) to SOCKS proxy (VPC B) scenario. Here's how you can enable this type of connection:

Understanding the Limitation

Directly integrating a Cloud Run service with a SOCKS proxy isn't as straightforward as the Cloud SQL Auth Proxy, since there's no built-in mechanism for this type of proxy handling within the Cloud Run environment.

Solutions

1. Sidecar Container:

   • Package a SOCKS proxy client into a sidecar container within your Cloud Run deployment.
   • This sidecar would handle communication with the SOCKS proxy in VPC B.
   • Your main application container would direct database requests to the local sidecar container, which would then forward them appropriately.
   • Considerations:
     • Increased resource usage due to the sidecar.
     • Potential code changes to your application if it's not designed to use a local proxy.

2. Network-Level Proxy (If Feasible):

   • If you have control over the network configuration, you could investigate deploying a network-level SOCKS proxy that Cloud Run traffic can be routed through transparently.
   • This depends heavily on your specific network setup and may require custom routing or potentially solutions like Istio for finer-grained control.
   • Considerations:
     • Network complexity overhead.
     • The proxy becomes a central point, so scaling and security require attention.

Important Notes:

• VPC Peering: Regardless of the approach, ensure VPC Peering exists between VPC A (Cloud Run) and VPC B (SOCKS Proxy).
• Example Code: If you opt for the sidecar approach, having a sample code demonstrating a SOCKS proxy client (in your relevant programming language) within the sidecar would be helpful.

Security:

• Authentication/Authorization: Implement robust access controls to the SOCKS proxy to ensure only the Cloud Run service can use it.
• Data Encryption: Always prioritize in-transit data encryption between Cloud Run and the proxy when handling database traffic, even within your VPCs.