Hi,
I have a backend (Node.js) running on Digital Ocean App Platform. This means I have limited access to it, and it may (I am not sure) share IP with other apps.
I am migrating my PostgreSQL database from AWS to Google Cloud SQL.
I am struggling to connect my backend to the new GCP database. The connection attempt is timing out.
I have tried connecting (with and without SSL) from my laptop, and it works provided that my laptop's IP is added to Authorized Networks.
When I look up the IP of my backend (using hostname -I in the console) I get 10.244.16.191. I am not sure whether this IP is correct or whether it is stable in time or shared.
When I try to add it to "Authorized networks" in the Google console I get this error:
"Invalid request: You entered '10.244.16.191', which is already automatically included in networks authorized by Cloud SQL, and can't be added again."
I am baffled. The very same code and settings work from my laptop once its IP is added to the list, but I am prevented from adding my server's IP. Yet I can't connect from the server, suggesting that IP whitelisting is the issue.
Any suggestions on how to proceed to figure this out would be greatly appreciated.
Also, is there any way of connecting without whitelisting the IP? My server's IP might be unstable, because of the product I am using.
I have seen the option of connecting using a separate proxy software, but I can't install that on the DO's managed platform that I am using.
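Added example, not part of the original post: 10.244.16.191 falls inside 10.0.0.0/8, an RFC 1918 private range, so it is the container's internal interface address rather than the source address Cloud SQL sees for traffic arriving over the internet. The check below (function names and the 203.0.113.7 sample are constructed for illustration) classifies a candidate entry before it is submitted to Authorized networks.

```javascript
// Added example: review a candidate "Authorized networks" entry.
// Ranges that never arrive as a source address over the public internet,
// so allowlisting them cannot admit a client hosted on another cloud.
const NON_PUBLIC_RANGES = [
  ['10.0.0.0/8', 'RFC 1918 private'],
  ['172.16.0.0/12', 'RFC 1918 private'],
  ['192.168.0.0/16', 'RFC 1918 private'],
  ['100.64.0.0/10', 'RFC 6598 carrier-grade NAT'],
  ['169.254.0.0/16', 'link-local'],
  ['127.0.0.0/8', 'loopback'],
];

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const size = 2 ** (32 - Number(bits));
  const start = Math.floor(ipv4ToInt(base) / size) * size; // align to the block
  const n = ipv4ToInt(ip);
  return n >= start && n < start + size;
}

function reviewAuthorizedNetwork(entry) {
  const [ip, prefix = '32'] = entry.split('/');
  if (!/^\d{1,2}$/.test(prefix) || Number(prefix) > 32) {
    throw new Error(`bad prefix length: ${entry}`);
  }
  const hit = NON_PUBLIC_RANGES.find(([cidr]) => inCidr(ip, cidr));
  if (hit) {
    return { usable: false, reason: `${hit[1]} (${hit[0]}); not the app's egress IP` };
  }
  if (Number(prefix) === 0) {
    return { usable: false, reason: 'admits every IPv4 source; the allowlist no longer filters' };
  }
  return { usable: true, reason: 'public address; confirm it is the stable egress IP' };
}
```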
The issue you're encountering is primarily due to the dynamic nature of the IP address assigned to your Node.js backend on the DigitalOcean App Platform. Since this IP address can change, directly whitelisting it in Google Cloud SQL's authorized networks is not a practical solution. To establish a stable and secure connection between your backend and Google Cloud SQL, consider the following options:
Option 1: Utilize Cloud SQL's Public IP with SSL
Use Cloud SQL's Static Public IP: Google Cloud SQL instances are assigned a static public IP address by default. This IP does not change and can be used for stable connections.
Secure Connection with SSL: Enhance security by configuring your Node.js backend to connect to the Cloud SQL instance using SSL. This ensures that the data transmitted over the internet is encrypted.
Option 2: Explore Managed Database Connectivity Solutions
Managed Database Connection Services: Some cloud providers offer managed services that facilitate secure database connections without the need for static IP whitelisting. Investigate if DigitalOcean provides such a service that can be integrated with Google Cloud SQL.
Cloud SQL Proxy: If feasible, use the Cloud SQL Proxy for a secure connection. This might involve containerizing the proxy if you can run containers on your platform.
Option 3: VPN Tunnel (Advanced)
Additional Considerations
Consult Cloud Providers: Reach out to DigitalOcean and Google Cloud support for guidance on best practices and supported methods for such integrations, especially regarding VPN or managed connectivity solutions.
Monitor for IP Changes: If you opt to use the public IP method, keep an eye on your backend's IP address. If it changes, you'll need to update your connection settings accordingly.
While directly whitelisting the dynamic IP of your backend is not feasible, using Cloud SQL's static public IP with SSL, exploring managed database connectivity solutions, or setting up a VPN tunnel are viable alternatives. These methods provide a more secure and reliable way to connect your Node.js backend on DigitalOcean to your Google Cloud SQL instance, eliminating the need for IP whitelisting in Cloud SQL's authorized networks.
Thanks... so I would just like to confirm: if I use SSL I do not need to also whitelist the IP at the Google end of things? Or do I have to do both in any case, use SSL AND whitelist the IP?
Or to rephrase: is there any way of connecting to a Google Cloud SQL database from an app that has a changing/unstable IP (apart from installing and running the Proxy software)? If yes I would love to learn how 🙏
To clarify your question about connecting to a Google Cloud SQL database from an app with a dynamic or unstable IP address:
Using SSL Without IP Whitelisting: Using SSL for your database connection enhances security by encrypting the data in transit. However, SSL alone does not replace IP whitelisting in Google Cloud SQL. IP whitelisting is a network-level security measure that restricts access to your database to only those IPs that you have explicitly allowed. While SSL secures the data being transmitted, IP whitelisting controls who can attempt to make a connection in the first place.
Connecting Without Whitelisting Dynamic IPs: If you cannot reliably predict the IP address of your app (due to it being dynamic), there are a few alternative approaches to connect to Google Cloud SQL:
Security Considerations: Regardless of the method you choose, it's important to ensure that your database connections are as secure as possible. This typically involves using SSL/TLS for encryption and implementing best practices for database security.
Thanks,
I finally managed to find a way to connect programmatically without having a stable IP.
Using Node.js and the Google Node.js Cloud Connector.
For anyone who ends up here: see this pull request for details, example files, and a warning about Sequelize version: https://github.com/GoogleCloudPlatform/cloud-sql-nodejs-connector/pull/193#issuecomment-1823252637
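The approach in the accepted solution, as an added example that is not code from the thread or the linked pull request: the Cloud SQL Node.js Connector authorizes the connection through IAM and wraps it in TLS, so no Authorized networks entry is needed for a client whose IP changes. The environment variable names and the `readDbSettings`/`createPool` helpers are hypothetical; it assumes the `@google-cloud/cloud-sql-connector` and `pg` packages are installed and a service account with the Cloud SQL Client role is available through Application Default Credentials.

```javascript
// Added example: connect to Cloud SQL for PostgreSQL without IP allowlisting.
// Env variable names below are assumptions, not names used in the thread.

// Validate settings at startup so a bad value fails fast instead of
// surfacing later as a connection timeout.
function readDbSettings(env) {
  const name = env.INSTANCE_CONNECTION_NAME || '';
  // Expected form: project:region:instance (domain-scoped projects add a part).
  if (!/^[^:\s]+(:[^:\s]+){2,3}$/.test(name)) {
    throw new Error('INSTANCE_CONNECTION_NAME must look like project:region:instance');
  }
  for (const key of ['DB_USER', 'DB_PASS', 'DB_NAME']) {
    if (!env[key]) throw new Error(`missing ${key}`);
  }
  return {
    connector: { instanceConnectionName: name, ipType: 'PUBLIC' },
    pool: { user: env.DB_USER, password: env.DB_PASS, database: env.DB_NAME, max: 5 },
  };
}

async function createPool(env = process.env) {
  const settings = readDbSettings(env);
  // Loaded lazily so the validation above does not depend on the packages.
  const { Connector } = await import('@google-cloud/cloud-sql-connector');
  const pg = (await import('pg')).default;

  const connector = new Connector();
  // getOptions() returns driver options whose socket factory opens the
  // connector's TLS connection to the instance, using credentials it
  // obtains and refreshes itself.
  const clientOpts = await connector.getOptions(settings.connector);
  const pool = new pg.Pool({ ...clientOpts, ...settings.pool });

  return {
    pool,
    // Release both the pool and the connector's background refresh on shutdown.
    close: async () => {
      await pool.end();
      connector.close();
    },
  };
}
```

On a platform such as App Platform, the service account key is typically supplied as a secret and referenced through `GOOGLE_APPLICATION_CREDENTIALS`; the Cloud SQL Admin API must be enabled in the project for the connector to work.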