Connect to Cloud SQL for PostgreSQL from Cloud Composer

11/15/2018

My question is about configuring Google Cloud Composer to reach Google Cloud SQL using the same network configuration in the same Google Cloud project.

Executing a DAG which uses a PostgresOperator configured with the Private IP and default port (5432) to connect, we always get the same connection error:

ERROR - could not connect to server: Connection timed ou Is the server running on host "private_ip" and acceptin TCP/IP connections on port 5432

We expect the connection should be established because we have configured the same network and we are using Private IP to reach the Cloud SQL server from Composer.

-- Oscar Pérez
google-cloud-composer
google-cloud-platform
google-cloud-sql
google-kubernetes-engine

3 Answers

5/20/2019

Cloud SQL Proxy is a great way to go, and a similar question, if not the same, has been answered with details on getting that set up.

To address the Internal IP question, see the Google docs:

You can use the Cloud SQL Proxy to connect to an instance that is also configured to use private IP. The proxy can connect using either the private IP address or a public IP address. If you use the Cloud SQL Proxy to connect to an instance that has both public and private IP addresses assigned, the proxy uses the public IP address by default.

-- Micah Miller
Source: StackOverflow

11/15/2018

According to Introducing private networking connection for Cloud SQL, these are still two separate network segments (see the visual scheme there). Therefore VPC network peering is required in order to get a routable private IP. See the code lab, which also has this scenario covered.

-- Martin Zeitler
Source: StackOverflow

11/21/2018

The request from Composer comes from the pod's IP address which is non-routable outside the VPC. Therefore it has to be masqueraded to the IP of the interface of the node which is in 10.0.0.0/8 (when using the default network).

If you configured your CloudSQL instance to use an auto-generated IP range when setting the Private IP connection, it is likely the IP is also in 10.0.0.0/8, but it is not inside the same VPC.

If the connection is to 10.0.0.0/8 and is not in the VPC, it can't be routed. As a workaround you can create a custom address range, for example 192.168.X.X:

gcloud beta compute addresses create [RESERVED_RANGE_NAME] \
    --global \
    --purpose=VPC_PEERING \
    --addresses=192.168.0.0 \
    --prefix-length=16 \
    --description=[DESCRIPTION] \
    --network=[VPC_NETWORK]

And configure your Cloud SQL instance's private IP to be within that range.

-- ch_mike
Source: StackOverflow
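
The routing rule described in the last answer can be applied as a preflight check before reserving a peering range. This is an added example, not part of any answer above: the function names, the 10.128.0.0/20 subnet and the sample addresses are constructed, and the 10.0.0.0/8 non-masqueraded range is taken from that answer as an assumption rather than read from a live cluster.

```python
import ipaddress

# Assumption from the answer above: on the default network, traffic from a
# Composer pod to 10.0.0.0/8 leaves with the pod's own IP (no masquerade to
# the node IP), so it is only routable if the destination is inside the VPC.
NON_MASQUERADED = ipaddress.ip_network("10.0.0.0/8")


def reachable_from_pod(sql_ip, vpc_subnets):
    """Apply the answer's rule to a single Cloud SQL private IP."""
    ip = ipaddress.ip_address(sql_ip)
    in_vpc = any(ip in ipaddress.ip_network(s) for s in vpc_subnets)
    # Inside 10.0.0.0/8 but outside the VPC: source stays the pod IP, which
    # the peered Cloud SQL network has no route back to.
    return not (ip in NON_MASQUERADED and not in_vpc)


def check_peering_range(candidate, vpc_subnets):
    """Return a list of problems with a proposed VPC_PEERING reserved range."""
    cand = ipaddress.ip_network(candidate, strict=True)
    problems = []
    if cand.overlaps(NON_MASQUERADED):
        problems.append(
            f"{cand} overlaps {NON_MASQUERADED}: pod traffic would not be "
            "masqueraded to the node IP"
        )
    for subnet in vpc_subnets:
        net = ipaddress.ip_network(subnet)
        if cand.overlaps(net):
            problems.append(f"{cand} overlaps existing VPC subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the question.
    subnets = ["10.128.0.0/20"]
    for ip in ("10.43.0.3", "192.168.0.3"):
        print(ip, "reachable from pod:", reachable_from_pod(ip, subnets))
    for rng in ("10.43.0.0/16", "192.168.0.0/16"):
        print(rng, check_peering_range(rng, subnets) or "ok")
```
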