Demystifying Google Cloud Networking for Cloud SQL Setup with IAC — Part II

paras mamgain
Google Cloud - Community
5 min read · Mar 31, 2024
Simplifying Cloud Networking (Private Service Connect) for Cloud SQL

In our previous write-up we described and shared the IaC code that uses Private Service Access (PSA), a Google Cloud capability that makes a managed service reachable through the managed service's private IP address.
This means a client can connect to the managed service without the client's instance ever being exposed to the outside world via a public IP address, which gives a tighter and more granular way to fine-tune security.

In short, Private Service Access lets the client reach the internal IP address of a Google-managed service or a third-party service over a secure, private connection. This is very useful when we want to use the private IP address instead of the external IP address.

This article dives into Google Cloud's Private Service Connect (PSC). We'll explore the challenges it solves and how Terraform can automate infrastructure management for a Cloud SQL instance that uses PSC connectivity.

The Problem: Simplify Private Service Connect in Cloud Networking for Cloud SQL instance

Configuring Google Cloud networking for Cloud SQL instances can be challenging, especially for users who are not familiar with the intricacies of VPCs, subnets, Private Service Connect and firewall rules. To simplify this process, we've bundled Terraform modules into a single repository that handles the networking configuration seamlessly.

For example, a VM instance in our Google Cloud network can use the internal IP address of the Cloud SQL instance instead of its public IP address to establish a private connection using Private Service Connect.

Private Service Connect aims to incrementally address secure private connections, providing greater flexibility and a centralized way to manage private connections compared with setting up individual VPC peerings within cloud environments.

While PSA (Private Service Access) and PSC (Private Service Connect) both enable safe, secure and private connections to services, they differ slightly in their approach.

Simplify Private Service Connect (PSC)

Private Service Connect establishes a private connection between your Google Cloud VPC and services running in another VPC network by creating a dedicated connection referred to as a service attachment. The service attachment then routes the traffic between your VPC and the target service's VPC.

Utilizing Private Service Connect (PSC)

As an end user, the following is a high-level overview of the essential steps required to configure Private Service Connect (PSC):

  1. Create a private connection: When creating a Google Cloud service instance that supports Private Service Connect (PSC), such as a Cloud SQL instance, we need to enable/configure the instance to use PSC. When enabled, Cloud SQL creates a service attachment for the instance automatically. The service attachment acts as the point that VPC networks use to access the instance.
  2. Allowed Private Service Connect projects: Allowed projects are associated with VPC networks and are associated with each Cloud SQL instance. If an instance isn't contained in any allowed project, then you can't enable Private Service Connect for the instance.
  3. Configure DNS: Although optional, it is recommended to set up a DNS name such as myCloudSQLInstance.myProject that resolves to the internal IP address assigned to the PSC endpoint.
  4. Manage networking: The way you set up your network for Cloud SQL depends on where your clients are located.
  • Clients on-premises or in another cloud: If your clients are not within Google Cloud, you'll need Cloud VPN (HA VPN) or Cloud Interconnect to establish a secure connection between your external network and your Google Cloud network.
  • Clients within Google Cloud: If your clients are in the same Google Cloud project, or in a different project within the same Google Cloud organization, a simpler approach using VPC peering between your VPCs can be used for communication.
  5. Security and IAM permissions: Make sure the necessary firewall rules are configured to allow the client to connect to the instance via its allow-listed IP address and ports, along with the necessary IAM permissions so that the user account or service account on the client side is able to establish a connection.

e.g. the roles/cloudsql.client role is required for the Compute Engine service account that expects to establish a connection to the Cloud SQL instance.
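The five steps above, assembled into one Terraform configuration. This is an added example written for this article, not code from the module repository it describes. It assumes a recent google provider (v5 or later, for the psc_config block and the psc_service_attachment_link and dns_name attributes), an existing subnet in the consumer project, and the variable names, instance name, engine version, tier and port shown here; all of those values are assumptions, not taken from the article.

```hcl
# Assumed inputs (not from the article): project ids, region, the existing consumer
# subnet and the service account of the client VM.
variable "producer_project"       { type = string }
variable "consumer_project"       { type = string }
variable "region"                 { type = string }
variable "consumer_subnetwork"    { type = string }
variable "client_service_account" { type = string } # e.g. app-vm@<consumer_project>.iam.gserviceaccount.com

data "google_compute_subnetwork" "consumer" {
  project = var.consumer_project
  region  = var.region
  name    = var.consumer_subnetwork
}

# Steps 1 and 2: PSC-enabled instance with no public IP. Cloud SQL creates the service
# attachment itself; only the listed consumer projects may connect to it.
resource "google_sql_database_instance" "db" {
  project          = var.producer_project
  name             = "psc-postgres"
  region           = var.region
  database_version = "POSTGRES_15"

  settings {
    tier              = "db-custom-2-7680"
    availability_type = "REGIONAL"
    ip_configuration {
      ipv4_enabled = false
      psc_config {
        psc_enabled               = true
        allowed_consumer_projects = [var.consumer_project]
      }
    }
  }
}

# Step 1, consumer side: the endpoint is a reserved internal address plus a forwarding
# rule whose target is the instance's service attachment.
resource "google_compute_address" "psc_endpoint" {
  project      = var.consumer_project
  name         = "cloudsql-psc-endpoint"
  region       = var.region
  subnetwork   = data.google_compute_subnetwork.consumer.id
  address_type = "INTERNAL"
}

resource "google_compute_forwarding_rule" "psc_endpoint" {
  project               = var.consumer_project
  name                  = "cloudsql-psc-fr"
  region                = var.region
  network               = data.google_compute_subnetwork.consumer.network
  ip_address            = google_compute_address.psc_endpoint.id
  load_balancing_scheme = "" # must be empty for a PSC endpoint
  target                = google_sql_database_instance.db.psc_service_attachment_link
}

# Step 3: private DNS so clients use the instance's DNS name rather than the raw IP.
# Zone and record names need a trailing dot, so normalise whatever the attribute returns.
locals { db_fqdn = "${trimsuffix(google_sql_database_instance.db.dns_name, ".")}." }

resource "google_dns_managed_zone" "psc" {
  project    = var.consumer_project
  name       = "cloudsql-psc-zone"
  dns_name   = local.db_fqdn
  visibility = "private"
  private_visibility_config {
    networks { network_url = data.google_compute_subnetwork.consumer.network }
  }
}

resource "google_dns_record_set" "psc" {
  project      = var.consumer_project
  managed_zone = google_dns_managed_zone.psc.name
  name         = local.db_fqdn
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_address.psc_endpoint.address]
}

# Step 5: only roles/cloudsql.client for the client identity, and an egress rule scoped
# to that service account, the endpoint address and the PostgreSQL port.
resource "google_project_iam_member" "client" {
  project = var.producer_project
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${var.client_service_account}"
}

resource "google_compute_firewall" "allow_psc_egress" {
  project                 = var.consumer_project
  name                    = "allow-egress-cloudsql-psc"
  network                 = data.google_compute_subnetwork.consumer.network
  direction               = "EGRESS"
  destination_ranges      = ["${google_compute_address.psc_endpoint.address}/32"]
  target_service_accounts = [var.client_service_account]
  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}
```

Two design choices are worth noting. Setting ipv4_enabled = false means the instance has no public path at all, so the PSC endpoint is the only way in, and the allowed_consumer_projects list decides which projects may even create that endpoint. The firewall rule is deliberately narrow: it applies only to VMs running under the client service account and allows egress only to the single endpoint address on the database port, which is much easier to audit than a broad "allow all egress" rule.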

The Solution: Terraform Modules for Simplifying the configuration and usage of Google Cloud SQL with private service connect

The pre-built modules bundle everything you need to connect securely to a private Cloud SQL instance using Private Service Connect. No need to be a cloud networking expert — the modules handle the complexity of setting up Private Service Connect endpoints, service attachments etc.
Database administrators and application engineers can easily configure Cloud SQL with the required network components.

Supported Usage Scenarios

To further assist you in using our simplified Cloud SQL networking modules, we've included multiple examples in the examples folder of the GitHub code repository.

These examples cover different scenarios, complete with implementation guides and architecture designs. Here is a short description about them that you can explore:

  1. PSC scenario (within the same Google Cloud org): This solution guides a user through creating a PSC-enabled Cloud SQL instance with a consumer and producer project setup, with a compute VM instance in the consumer project connecting to the Cloud SQL instance through the PSC service endpoint.
  2. PSC across VPN scenario: This solution provides the IaC code to create an HA VPN connection between the user and consumer projects, so that a compute VM instance can connect through the PSC service endpoint to a PSC-enabled Cloud SQL instance in a producer project.

If you’re ready to supercharge your Google Cloud SQL configuration with private service connect, explore our repository and discover how Terraform modules and the simplified samples can make your life easier. Say goodbye to complex networking configurations and hello to simplified Cloud SQL deployment.

Explore the Simplified Cloud SQL Networking Terraform Module Repository

You can also refer to previous write up Demystifying Google Cloud Networking for Cloud SQL Setup with IAC — Part I

If you have any specific suggestions, scenarios or ideas that you would like to cover then feel free to reach out to us.
