I have a single VPC A with a subnet 10.166.0.0/20. I have a peering with the service network, which has IP range 10.124.0.0/16. In there I have a Cloud SQL instance at 10.124.0.3.
I have a second VPC B in another project. I set up a peering connection between VPC A and B (both VPCs are fully under my control). I would like instances in VPC B to be able to access the Cloud SQL instance in VPC A. I looked at the effective routing table for VPC B, but it does not look like there is a route to 10.124.0.0/16 in VPC B. How can I access that Cloud SQL instance in VPC A?
As a side note: the fact that we have 2 separate projects is only a temporary migratory situation. So to slowly and seamlessly migrate services over I want to have two way traffic between them, but I don't need fancy control over exactly what services are available both ways. "Everything" suits me just fine right now.
Private Service Connect:
Instead of relying on VPC Peering for this setup, Private Service Connect (PSC) allows services in VPC B to access Cloud SQL in VPC A through an internal IP.
Or
Cloud SQL Proxy - If you do not want to configure Private Service Connect, another workaround is to use the Cloud SQL Auth Proxy in VPC B.
It's a shame it's this complicated. I would expect everything that is working within the VPC to be available over a peering connection with another VPC. All I think would be necessary is to either give the Cloud SQL instance an IP address in the VPC directly (instead of one in the service network only) or somehow route the remote service network over the peering connection too. PSC seems very complex to set up just for making resources from 2 VPCs in different projects accessible to each other.
The Cloud SQL Proxy is a simpler solution to me, but requires a VM/cloud compute resource to be running constantly, which is costly. Especially since the peering connection already exists anyway, it seems a weird choice not to be able to route the "service network" resources available through the peering connection.
You can achieve that by creating a VPN between the two projects and exporting custom routes. The well-known design limitation of VPC Network Peering is that it doesn't allow transitive peering.
The PSC option is pretty straightforward and only exposes the intended service, so you have isolation control. This blog has links to two codelabs for setting up a PSC-only DB or PSC with PSA: https://medium.com/google-cloud/connecting-to-cloud-sql-via-private-service-connect-private-connecti...
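To make the non-transitive peering rule and the VPN + exported-custom-routes fix concrete, here is an added example (not from this thread or from Google) that models GCP's route propagation for the topology above. The range 10.10.0.0/20 for VPC B and the address 10.10.0.5 are constructed assumptions; everything else uses the ranges from the question.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Vpc:
    name: str
    subnets: list                                   # subnet routes this VPC owns
    dynamic: list = field(default_factory=list)     # routes learned via Cloud Router (VPN); these are custom routes

@dataclass
class Peering:
    left: str
    right: str
    export_custom: dict = field(default_factory=dict)  # per VPC name: does that side export its custom routes?

def effective_routes(name, vpcs, peerings):
    """Routes the named VPC sees. Rules modelled: a peer's subnet routes always
    cross a peering; a peer's custom (dynamic) routes cross only when exported;
    routes the peer itself learned from *its* peers never cross (non-transitive)."""
    me = vpcs[name]
    routes = {p: "subnet" for p in me.subnets}
    routes.update({p: "dynamic" for p in me.dynamic})
    for pr in peerings:
        if name not in (pr.left, pr.right):
            continue
        peer = vpcs[pr.right if pr.left == name else pr.left]
        for p in peer.subnets:
            routes.setdefault(p, f"peering:{peer.name}")
        if pr.export_custom.get(peer.name, False):
            for p in peer.dynamic:
                routes.setdefault(p, f"peering:{peer.name}")
        # peer routes that came over the peer's other peerings are deliberately not consulted
    return routes

def has_route(name, ip, vpcs, peerings):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in effective_routes(name, vpcs, peerings))

def build_vpcs():
    return {"A": Vpc("A", ["10.166.0.0/20"]),
            "B": Vpc("B", ["10.10.0.0/20"]),          # constructed range for VPC B
            "svc": Vpc("svc", ["10.124.0.0/16"])}     # service producer network (private services access)

def scenario_peering():
    """The question's setup: A<->svc and A<->B peerings. Does B see the Cloud SQL range?"""
    return has_route("B", "10.124.0.3", build_vpcs(), [Peering("A", "svc"), Peering("A", "B")])

def scenario_vpn(a_exports_custom=True):
    """The last answer's fix: Cloud VPN between A and B, A advertising 10.124.0.0/16 to B,
    and A exporting custom routes on the svc peering so svc gets a return route to B."""
    vpcs = build_vpcs()
    vpcs["B"].dynamic += ["10.166.0.0/20", "10.124.0.0/16"]   # learned from A's Cloud Router
    vpcs["A"].dynamic += ["10.10.0.0/20"]                     # learned from B's Cloud Router
    peerings = [Peering("A", "svc", export_custom={"A": a_exports_custom})]
    return has_route("B", "10.124.0.3", vpcs, peerings), has_route("svc", "10.10.0.5", vpcs, peerings)
```

Running `scenario_vpn(False)` shows why the answer stresses exporting custom routes: the forward path exists but the producer network has no route back to VPC B.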