Protect Your Cloud SQL Instances with a Cloud SQL Auth Proxy

This blog post describes how to use the Cloud SQL Auth Proxy to establish secure, encrypted connections and protect the data in your instances. You do not need to use the Cloud SQL Auth Proxy or enable SSL to connect to Cloud SQL from the App Engine standard environment or the App Engine flexible environment.

The benefits of the Cloud SQL Auth Proxy

The Cloud SQL Auth Proxy is a Cloud SQL connector that provides secure access to your instances without the need for authorised networks or for configuring SSL.

The Cloud SQL Auth Proxy and other Cloud SQL Connectors have the following benefits:

Safe connections

The Cloud SQL Auth Proxy automatically encrypts all traffic to and from the database using TLS 1.3 with a 256-bit AES cipher. SSL certificates are used to verify the identities of clients and servers and are independent of database protocols, so you do not need to manage them yourself.

More straightforward connection authorization

The Cloud SQL Auth Proxy uses IAM permissions to control who and what can connect to your Cloud SQL instances. Because it handles authentication with Cloud SQL, static IP addresses are not required.


It does not provide a new path for connectivity; rather, it relies on the IP connectivity that already exists. To connect to the Cloud SQL instance via private IP, the Cloud SQL Auth Proxy must run on a resource that can access the same VPC network as the Cloud SQL instance.

How the Cloud SQL Auth Proxy works

The Cloud SQL Auth Proxy works by running a local client in your local environment. Your application connects to the Cloud SQL Auth Proxy using the same standard database protocol it would use to talk to your database directly.

The proxy uses a secure tunnel to communicate with its companion process running on the server side. For every connection established through the Cloud SQL Auth Proxy, one connection is created to the Cloud SQL instance.

When an application connects to the Cloud SQL Auth Proxy, the proxy first checks whether it already has a connection to the target Cloud SQL instance. If it does not, it calls the Cloud SQL Admin API to obtain an ephemeral SSL certificate and uses that certificate to connect to Cloud SQL. Ephemeral SSL certificates expire after roughly an hour; the Cloud SQL Auth Proxy refreshes them before they expire.


The Cloud SQL Auth Proxy only creates outgoing (egress) connections to your Cloud SQL instance, on port 3307. Because it calls the APIs through the domain name sqladmin.googleapis.com, which does not have a fixed IP address, all outgoing TCP connections on port 443 must also be allowed. Verify that the outbound firewall policy on your client machine allows outgoing connections to port 3307 on your Cloud SQL instance's IP address.

Although it does not provide connection pooling itself, it can be combined with other connection pools to improve efficiency.

Requirements for using the Cloud SQL Auth Proxy

The Cloud SQL Auth Proxy can only be used if the following requirements are met:

  • The Cloud SQL Admin API must be enabled.
  • You must provide the proxy with Google Cloud authentication credentials.
  • You must provide the proxy with a valid database user account and password.
  • The instance must either have a public IPv4 address or be configured to use private IP. The public IP address does not have to be added to the list of authorised network addresses, and it does not need to be accessible from any external address.

Cloud SQL Auth Proxy startup options

When you start it, you provide the following information:

  • Which Cloud SQL instances to connect to, and where it should listen for the data your application sends to Cloud SQL.
  • Where it can find the credentials it uses to authenticate your application to Cloud SQL.
  • If required, which type of IP address to use.
  • The startup options you provide determine whether it listens on a Unix socket or on a TCP port. If it listens on a Unix socket, it creates the socket at the location you provide, which is usually the /cloudsql/ directory. For TCP, the Cloud SQL Auth Proxy listens on localhost by default.

Use a service account for authentication

The Cloud SQL Auth Proxy must authenticate as a Cloud SQL IAM identity in order to authorise connections to a Cloud SQL instance.

The advantage of using a service account for this purpose is that you can create a credential file specifically for the Cloud SQL Auth Proxy. Using a service account is appropriate for production instances that are not running on a Compute Engine instance.

If you need to use the proxy from many machines, you can include the credential file in a system image.

To use this method, you must create and manage the credential file. Only users with the resourcemanager.projects.setIamPolicy permission, which project owners have, may create a service account. If your Google Cloud user does not have this permission, you will need to ask someone else to create the service account or find another way to authenticate the proxy.
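The following script is an added example and is not part of the original post or of Google's own tooling. It ties together the startup options, the egress firewall requirements and the service-account method described above: it provisions a dedicated service account holding only the Cloud SQL Client role, writes its key file with owner-only permissions, checks egress to port 3307 on the instance and port 443 on sqladmin.googleapis.com, and builds the proxy command for either a TCP listener or a Unix socket, with private IP as an option. The flag names are those of the Cloud SQL Auth Proxy v2 CLI (`--port`, `--unix-socket`, `--private-ip`, `--credentials-file`); the project, instance and file names are placeholders, and the role `roles/cloudsql.client` and the `gcloud` commands come from the Cloud SQL IAM and gcloud documentation rather than from this post. `DRY_RUN=1` (the default) prints the gcloud commands instead of executing them.

```shell
#!/bin/sh
# Added example: provision a least-privilege service account for the Cloud SQL
# Auth Proxy and build its start-up command. Names below are placeholders.
# Assumes Cloud SQL Auth Proxy v2 flags and the gcloud CLI.

PROJECT="${PROJECT:-my-project}"                                  # placeholder
INSTANCE="${INSTANCE:-my-project:us-central1:my-instance}"        # placeholder
SA_NAME="${SA_NAME:-cloud-sql-proxy}"
KEY_FILE="${KEY_FILE:-./cloud-sql-proxy-key.json}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# The proxy expects the instance connection name as project:region:instance.
validate_instance() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][-a-z0-9]*:[a-z0-9-]+:[a-z][-a-z0-9]*$'
}

# Create a service account that holds only the Cloud SQL Client role, which is
# all the proxy needs to authorise connections. Running this requires the
# resourcemanager.projects.setIamPolicy permission mentioned in the post.
provision_service_account() {
  sa_email="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
  run gcloud iam service-accounts create "$SA_NAME" \
    --project "$PROJECT" --display-name "Cloud SQL Auth Proxy"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member "serviceAccount:${sa_email}" --role roles/cloudsql.client
  run gcloud iam service-accounts keys create "$KEY_FILE" \
    --iam-account "$sa_email"
  # The key file is a long-lived credential: restrict it to the owner.
  if [ "$DRY_RUN" != "1" ]; then chmod 600 "$KEY_FILE"; fi
}

# Preflight: the proxy needs egress to the instance IP on 3307 and to
# sqladmin.googleapis.com on 443 (no fixed IP, so allow the hostname).
check_egress() {
  instance_ip="$1"
  command -v nc >/dev/null 2>&1 || { echo "nc not found; skipping egress check"; return 0; }
  nc -z -w 5 "$instance_ip" 3307 || { echo "blocked: $instance_ip:3307" >&2; return 1; }
  nc -z -w 5 sqladmin.googleapis.com 443 || { echo "blocked: sqladmin.googleapis.com:443" >&2; return 1; }
  echo "egress OK"
}

# Build the proxy start-up command.
#   $1 instance connection name
#   $2 listener: "tcp:<port>" or "unix:<dir>"
#   $3 ip type:  "public" or "private"
build_proxy_cmd() {
  inst="$1"; listener="$2"; iptype="$3"
  validate_instance "$inst" || { echo "invalid instance name: $inst" >&2; return 1; }
  cmd="cloud-sql-proxy --credentials-file $KEY_FILE"
  case "$listener" in
    tcp:*)  cmd="$cmd --port ${listener#tcp:}" ;;            # listens on localhost
    unix:*) cmd="$cmd --unix-socket ${listener#unix:}" ;;    # socket dir, e.g. /cloudsql
    *) echo "listener must be tcp:<port> or unix:<dir>" >&2; return 1 ;;
  esac
  if [ "$iptype" = "private" ]; then cmd="$cmd --private-ip"; fi
  echo "$cmd $inst"
}

# Usage: sh proxy-setup.sh up  (prints the gcloud steps and the proxy command)
if [ "${1:-}" = "up" ]; then
  provision_service_account
  build_proxy_cmd "$INSTANCE" "tcp:5432" private
fi
```

Run with `DRY_RUN=0 sh proxy-setup.sh up` once you have confirmed the printed commands; `check_egress <instance-ip>` can be called from the same shell before starting the proxy so that a blocked 3307 or 443 shows up as a firewall problem rather than as an opaque connection error.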

News source: Cloud SQL Auth Proxy
