I have three projects in Google Cloud Platform (GCP) under one organization: Project A, Project B, and Project C (central). Project C is using a GCP Cloud SQL component (MySQL), which is connected via peering with this project.

I want to establish a connection from VMs in Project A and Project B to the Cloud SQL database "in" Project C. What I’ve tried:

  • VPC Peering: Set up peering between projects individually: A <-> C <-> DB. This did not work due to non-transitivity in VPC peering.
  • Shared VPC: Enabled a Shared VPC in Project C and shared it with Project B. I created VMs in both projects, with VMs in Project B having a network interface of the VPC in Project C. Despite this setup, I was only able to connect to the DB from a VM in Project C but not from a VM in Project B.

Steps taken for the Shared VPC:

  • Created Project B (consumer) and Project C (central).

  • In Project C created a subnet A with the range 10.0.0.0/24. Allowed ICMP and SSH with default firewall rules for the VPC.

  • In Project B created a subnet A with the range 10.0.1.0/24. Allowed ICMP and SSH with default firewall rules for the VPC. For both VPCs:

  • Created Cloud NAT (gateway and router).

  • Created a MySQL instance in project C. Enabled Private Service Access (VPC peering technically) and allocated the range 10.0.4.0/24 for the peering. The instance got an IP 10.0.4.3.

  • Made Project C a Shared VPC host and shared the only subnetwork in this project (project C / subnetwork A), with Project B.

  • In both projects, created VMs and installed mysql client: The VM in Project C has an IP: 10.0.0.2. The VM in Project B has two network interfaces: subnet A from Project B (10.0.1.2) and subnet A from Project C (10.0.0.3).

Shared VPC tests:

  • I can connect to MySQL from a VM in Project C; I can ping the VM "in" Project B from the VM in Project C (10.0.0.2 -> 10.0.0.3).
  • I cannot connect to MySQL from a VM in Project B, even though it has a network interface in the subnet of Project C.

What is the most straightforward solution to allow VMs in Project A and Project B to communicate with the Cloud SQL database in Project C, without using SQLProxy or VPN? What might I be doing wrong in my current setup?

Thank you!
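One detail worth checking in a setup like the one described above is the guest-OS route table of the two-NIC VM in Project B. On a Compute Engine VM with several network interfaces, the guest environment installs a default route only for nic0; nic1 gets a route for its own subnet and nothing else. In the layout above, nic0 sits in Project B's 10.0.1.0/24 and nic1 in the shared 10.0.0.0/24, while the Cloud SQL private address 10.0.4.3 lives in the private-services-access range peered to Project C's VPC. The following is an added model of that route table (not code from the question or from Google), written to show which interface the kernel picks for each destination and what changes once a static route for the peered range is pinned to nic1. The route entries are constructed from the addresses in the question; the interface names and the 10.0.0.1 gateway in the comment are assumptions.

```python
import ipaddress

# Constructed model of the guest-OS routes on the Project B VM as described in the
# question: nic0 = Project B subnet A (10.0.1.0/24), nic1 = Project C shared subnet A
# (10.0.0.0/24). Only nic0 carries a default route, which is how the guest
# environment configures multi-NIC VMs by default.
VM_ROUTES = [
    ("0.0.0.0/0", "nic0"),    # default route via nic0's gateway (Project B VPC)
    ("10.0.1.0/24", "nic0"),  # nic0's own subnet, Project B
    ("10.0.0.0/24", "nic1"),  # nic1's own subnet, Project C shared VPC
]

CLOUD_SQL_PRIVATE_RANGE = "10.0.4.0/24"  # range allocated for private services access
CLOUD_SQL_IP = "10.0.4.3"                # private IP the instance received


def route_lookup(dst, routes=VM_ROUTES):
    """Longest-prefix match: return the interface the kernel would use for dst."""
    target = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def with_static_route(routes, cidr, iface):
    """Return a copy of the route table with one extra static route prepended.

    On the real VM this corresponds to something like (assumed interface name and
    gateway; the subnet gateway is the first usable address of the range):
        ip route add 10.0.4.0/24 via 10.0.0.1 dev nic1
    Without a policy rule, replies from nic1 still need to leave via nic1, so a
    matching `ip rule` for source 10.0.0.3 is normally added alongside it.
    """
    return [(cidr, iface)] + list(routes)


def diagnose(dst, routes=VM_ROUTES):
    """Explain why a destination does or does not reach the Project C VPC.

    Returns a dict with the chosen interface and whether that interface belongs to
    the VPC that holds the private-services-access peering (nic1 in this model).
    """
    iface = route_lookup(dst, routes)
    return {
        "destination": dst,
        "egress_interface": iface,
        "reaches_peered_vpc": iface == "nic1",
    }


if __name__ == "__main__":
    # Before: 10.0.4.3 matches only the default route, so it leaves via nic0 into
    # Project B's VPC, which has no route to the peered range.
    print(diagnose(CLOUD_SQL_IP))
    # After: a static route for the allocated range pins the traffic to nic1.
    fixed = with_static_route(VM_ROUTES, CLOUD_SQL_PRIVATE_RANGE, "nic1")
    print(diagnose(CLOUD_SQL_IP, fixed))
```

On the actual VM the equivalent check is `ip route get 10.0.4.3`, which prints the interface and gateway the kernel selected; if it names nic0, the packets never enter the VPC that holds the Cloud SQL peering, which matches the symptom of pings succeeding inside 10.0.0.0/24 while the MySQL connection fails. The guest-side route only helps because nic1's VPC (the shared host VPC in Project C) already carries the peering route to 10.0.4.0/24; a VM whose only interface is in Project B's own VPC would still need one of the options from the linked documentation.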

1 Answer

Connectivity options are documented here: https://cloud.google.com/sql/docs/mysql/connect-multiple-vpcs

If you don't want to use a VPN or proxy, you may want to use Private Service Connect.

Another option is a public IP, but I suppose you would prefer to avoid that.