
OnPrem VPN to Cloud SQL: Private IP (not able to connect), Public IP (able to connect)

Hi Team,

Facing an issue while connecting from the on-prem VPN to GCP Cloud SQL. The Cloud SQL PostgreSQL instance has both Public IP and Private IP enabled.

Enabled private service access and private path connectivity on the Cloud SQL instance. Created a VPN Gateway and VPN Tunnel in Cloud to connect to on-prem.

I am able to connect on the Public IP from my on-prem machine; however, I am not able to connect on my Private IP.

[Image: CloudSQL_Proxy_VPN_img.png]

Can anyone suggest any further network/DB related changes I have to do?


Unable to connect on your Private IP.

There are a few things that could be preventing you from connecting to your Cloud SQL PostgreSQL instance on its private IP address from your on-premises network via your Cloud VPN tunnel:

  1. On-Premises Network Configuration:

    • Your on-premises network may not be configured to route traffic to your Cloud SQL instance's private IP address range.
    • You can check this by running the following command on your on-premises machine: ip route get <private_ip_address_of_your_cloud_sql_instance>
    • If the output of the command is empty, then your on-premises network is not configured to route traffic to your Cloud SQL instance's private IP address range. You will need to update your on-premises network configuration to add a route for your Cloud SQL instance's private IP address range.
    • Note: The ip route get command is specific to Linux-based systems. If you are using a different operating system, please consult the documentation for your operating system on how to verify routing table entries.
  2. Cloud VPN Tunnel Configuration:

    • Your Cloud VPN tunnel may not be configured to allow traffic to your Cloud SQL instance's private IP address range.
    • Ensure that the CIDR block for your Cloud SQL instance's private IP address range is included in the list of networks that are allowed to access your Cloud VPN tunnel.
    • The Cloud VPN tunnel should use a protocol that supports private IP addresses. Google Cloud VPN uses IPsec, which inherently supports private IP addresses. If you're using a different VPN solution, ensure it supports private IP addresses.
  3. Cloud SQL Instance Configuration:

    • Ensure that your Cloud SQL instance has private service access enabled.
    • Ensure that the Cloud SQL instance is associated with the correct VPC network.
    • Verify that your Cloud SQL instance's firewall rules allow connections from your on-premises network.

Additional Points:

  • Ensure there is no IP address overlap between the on-premises network and the GCP VPC.
  • Check for any firewall rules on the on-premises side that might be blocking the traffic.

If you have verified that all of the above are configured correctly and you are still having trouble connecting to your Cloud SQL instance on its private IP address from your on-premises network via your Cloud VPN tunnel, please contact Google Cloud support for assistance.

Thanks for your inputs.

While creating the Cloud SQL DB, I am assigning a static IP using Terraform. But after executing the Terraform script, I am getting a different private IP for the Cloud SQL instance.

Also, regarding "Verify that your Cloud SQL instance's firewall rules allow connections from your on-premises network": for this, which kind of firewall needs to be opened?

Created a new instance with another private network in GCP; able to access the private IP.

When you create a Cloud SQL instance using Terraform, Google Cloud automatically assigns a private IP address from the allocated IP range within your VPC when you enable a private IP. You cannot assign a static private IP address to a Cloud SQL instance; this is managed by Google Cloud.

To allow connections to your Cloud SQL instance from your on-premises network, you need to ensure that your Cloud SQL instance is configured to accept connections from the IP ranges of your on-premises network. This is done within the Cloud SQL instance's settings, not through traditional firewall rules.

If you are able to access your Cloud SQL instance from another private network in GCP, it suggests that the networking within GCP is correctly configured, possibly with VPC peering. To access your Cloud SQL instance from an on-premises network, you will need to set up a VPN tunnel or use Cloud Interconnect to route traffic from your on-premises network to your VPC network in GCP.
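As an added Terraform example (not the poster's configuration or Google's own code), here is the set of pieces that usually decides whether the private IP is reachable from on-prem over VPN: the private services access range the instance address is drawn from (which is why the reply above says you cannot pin the address itself), the peering route export, and the Cloud Router advertising that range to on-prem so the on-prem route check from the first reply succeeds. It assumes an HA VPN tunnel with BGP over an existing Cloud Router, and the names `vpc`, `vpn_router`, `vpn_if`, the 10.100.0.0/16 range, the ASN and the BGP address are placeholders.

```hcl
# Private services access range; Google picks the instance address from it.
resource "google_compute_global_address" "psa_range" {
  name          = "cloudsql-psa-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  address       = "10.100.0.0"   # assumed range
  prefix_length = 16
  network       = google_compute_network.vpc.id   # assumed network name
}
resource "google_service_networking_connection" "psa" {
  network                 = google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.psa_range.name]
}
# Cloud SQL lives in a Google-managed VPC peered to yours. Routes learned over
# the VPN are custom routes; unless exported, the peered side has no path back
# to on-prem, so the private IP stays unreachable while the public IP works.
resource "google_compute_network_peering_routes_config" "psa_routes" {
  peering              = google_service_networking_connection.psa.peering
  network              = google_compute_network.vpc.name
  import_custom_routes = true
  export_custom_routes = true
}
# Cloud Router advertises only local subnets by default; advertise the PSA
# range too, or on-prem never gets the route that `ip route get` checks for.
resource "google_compute_router_peer" "onprem" {
  name              = "onprem-bgp-peer"
  router            = google_compute_router.vpn_router.name          # assumed
  interface         = google_compute_router_interface.vpn_if.name    # assumed
  peer_ip_address   = "169.254.0.2"   # assumed on-prem BGP address
  peer_asn          = 65001           # assumed on-prem ASN
  advertise_mode    = "CUSTOM"
  advertised_groups = ["ALL_SUBNETS"]
  advertised_ip_ranges {
    range = "${google_compute_global_address.psa_range.address}/${google_compute_global_address.psa_range.prefix_length}"
  }
}
resource "google_sql_database_instance" "pg" {
  name             = "pg-private"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  depends_on       = [google_service_networking_connection.psa]
  settings {
    tier = "db-custom-2-7680"
    ip_configuration {
      ipv4_enabled       = false   # private IP only once the VPN path works
      private_network    = google_compute_network.vpc.id
      allocated_ip_range = google_compute_global_address.psa_range.name
    }
  }
}
```

Reachability on the private IP is a routing question: Cloud SQL authorized networks apply to public IP connections only, so there is no Cloud SQL-side firewall to open for the private path.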

I will work accordingly and update you.