
Connect MySQL and App Engine Flexible service in different GCP projects using peering

Hybos
New Member

After reviewing the Google Cloud documentation and searching on the internet for a solution to the same problem, I was not able to find a solution.

My scenario is very simple. I have two projects in GCP, e.g. A and B. A contains one MySQL instance in Cloud SQL. B contains one service in App Engine. What I want is to connect my App Engine service to my MySQL using the private IP of the latter.

In both projects, both the MySQL instance and the App Engine service are in the same region; I have only one VPC network with only one subnetwork for that region.

I have created a network peering between both projects that works, I know that because I did some connection tests using VM instances.

Well, in project A, in the VPC network details, in the private services access tab, there is an allocated range that matches the MySQL instance's private IP, and a private connection to services for this range with Google Cloud Platform. Related to this there is a VPC Network Peering between my VPC network and servicenetworking with the same name as the private connection to services. It seems that this peering connection was created automatically, and I'm assuming this is the peering that allowed the VMs in the same project to connect to the MySQL instance.

In project B, in the network details there is an allocated IP range for services, maybe created automatically, and there isn't any private connection to services. I did a test to connect from the App Engine service to a VM instance in project A, and it worked.

In both projects the peering networks are active. That's my scenario.

The problem started when I tried to connect from the App Engine service instance in project B to the MySQL in project A. Here is what I've investigated and discovered:

1. Transitive peering doesn't work, so the project B subnetwork where the App Engine service instance is couldn't reach the servicenetworking network where the MySQL is through the project A subnetwork.

2. I tried to create a VPC peering in project B with the MySQL subnetwork using the same information that exists in the peering of project A, but this peering never becomes active since it also needs to be created from the other project. Obviously I have no access to that project.

3. I have read that allocating an IP range for services in the project B network, with the same IP range as the allocated range in project A, will automatically activate the inactive VPC peering. It doesn't work; nothing happened.

4. The same as point 3, but then creating a private connection to services using the allocated IP range. This created a VPC peering in project B with a servicenetworking network, but with a different project ID than the service network of project A. As expected, the connection continued to not work.

5. It seems point 2 can be solved by contacting Google Support, but I do not have a subscription and I was not able to contact the support team (the main reason I'm here writing this).

6. I can give a public IP to the MySQL Instance, but it's more expensive and insecure.

7. I have read about an alternative using a Shared VPC, but this requires that the MySQL instance was created with that configuration, so this is not possible unless I recreate the instance (with the cost and risk this entails).

8. I have read about an alternative using a VPN, something beyond my reach.

So I'm stuck. I have no solution, and I was not able to find any documentation nor any way to solve this problem.

I apologize in advance if this is explained in any other topic, but I was not able to find it.

Your support on this will be very much appreciated.

Best,


Hi @Hybos,

Welcome to Google Cloud Community!

Another way to securely connect App Engine to Cloud SQL across different projects is to use the Cloud SQL Auth Proxy. This proxy handles authentication and encryption while bypassing the limitations of VPC peering.

  • Grant IAM Permissions in Project A - Ensure the App Engine service account from Project B has the Cloud SQL Client role (roles/cloudsql.client) in Project A.
  • Update App Engine Configuration in Project B - Modify app.yaml to specify the Cloud SQL instance connection.
  • Modify Database Connection to Use Cloud SQL Auth Proxy - Instead of connecting to the private IP, update your database settings to use the proxy.
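As an added example (not from the original thread and not Google's own code), the following Python scaffolds the three steps above for an App Engine Flexible service: it validates the instance connection name, emits the cross-project IAM binding command, renders the app.yaml fragment, and builds connection arguments that use the Auth Proxy's Unix socket instead of the private IP. The project IDs, instance name and credentials are assumptions; the default App Engine service account naming (PROJECT@appspot.gserviceaccount.com) and the /cloudsql socket path follow the documented conventions.

```python
import re

# Cloud SQL instance connection names have the form PROJECT:REGION:INSTANCE.
_CONN_NAME = re.compile(
    r"^([a-z][a-z0-9-]{4,28}[a-z0-9]):([a-z]+-[a-z]+\d+):([a-z][a-z0-9-]*)$"
)


def parse_connection_name(name: str) -> dict:
    """Validate and split an instance connection name; raise on anything
    else (e.g. someone pasting the private IP instead of the name)."""
    m = _CONN_NAME.match(name)
    if not m:
        raise ValueError(f"not a PROJECT:REGION:INSTANCE connection name: {name!r}")
    return {"project": m.group(1), "region": m.group(2), "instance": m.group(3)}


def iam_binding_command(sql_project: str, app_project: str) -> str:
    """Step 1: grant Project B's App Engine default service account the
    Cloud SQL Client role in Project A (run by an IAM admin of Project A)."""
    member = f"serviceAccount:{app_project}@appspot.gserviceaccount.com"
    return (f"gcloud projects add-iam-policy-binding {sql_project} "
            f"--member={member} --role=roles/cloudsql.client")


def app_yaml_fragment(conn_name: str) -> str:
    """Step 2: app.yaml setting that makes the Flexible environment start
    the Cloud SQL Auth Proxy sidecar for the named instance."""
    parse_connection_name(conn_name)
    return f"beta_settings:\n  cloud_sql_instances: {conn_name}\n"


def db_connect_kwargs(conn_name: str, user: str, password: str, db: str) -> dict:
    """Step 3: PyMySQL-style connect() arguments that talk to the proxy's
    Unix socket rather than host=<private IP>; the proxy does TLS and IAM
    authentication, so no peering route to the instance is needed."""
    parse_connection_name(conn_name)
    return {"unix_socket": f"/cloudsql/{conn_name}",
            "user": user, "password": password, "database": db}


def cross_project_check(conn_name: str, app_project: str) -> bool:
    """True when the instance lives in a different project than the app,
    i.e. the IAM grant in step 1 is actually required."""
    return parse_connection_name(conn_name)["project"] != app_project
```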

Nonetheless, your case appears to be in need of a deep dive investigation. I highly recommend that you reach out to our 1:1 support for this issue. Please see our Cloud Customer Care documentation.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.