Why is it not possible to whitelist IPv6 networks on Google Cloud SQL? - google-cloud-sql

Only networks with IPv4 can be whitelisted to access Google Cloud SQL databases.

The Cloud SQL Second Generation instance architecture is tightly coupled with the Google Compute Engine infrastructure. IPv6 is only partially supported on GCE, so as soon as GCE fully supports it, you can expect IPv6 support for Cloud SQL to follow shortly after.
Relevant: https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/8518246-support-ipv6

Related

How to connect to Google cloud VPC from on-premise machine

I have a VPC called 'subnet-1' where I have 3 VM instances and 1 SQL instance (PostgreSQL, to be precise). None of them has a public IP, just a private IP. They are in a Kubernetes cluster.
The requirement I have is to be able to connect to the VPC from my on-premise PC in order to use some SQL client to connect to the PG and see the data. I have read about Cloud VPN but don't know how to configure it to get what I want... has any of you ever done a configuration like that?
You can use Cloud VPN but that is a site-to-site VPN that requires supported routers and solid knowledge of routing, networking and VPNs.
Using third-party VPNs with Cloud VPN
For small businesses or home-based developers that only need to connect a few users to a VPC, use an open source product like OpenVPN. Google Marketplace offers a deployable configuration for your project with one-click configuration. Simple and easy to deploy.
Google Cloud Marketplace OpenVPN
In order to connect to a Kubernetes cluster from your on-premises network you can use Cloud VPN. The configuration of Cloud VPN with the cluster and on-premises network is documented here.

Connect Google Cloud Run to MongoDB Atlas

I'm evaluating a move from Google Kubernetes Engine to Google Cloud Run, to improve cost and resource efficiency within our company. I'm also in the process of transitioning our workflows from monolithic PHP and Ruby apps to a more nimble Node.js setup, using MongoDB.
For a small organization like ours, I like the idea of managed services such as Google Cloud Run and MongoDB Atlas, however, I'm concerned about the security. In MongoDB Atlas, it seems the only real security measure is to whitelist IP, which I obviously don't have access to through Google Cloud Run.
I'm definitely not a network expert, so I'm wondering if anyone has any ideas for securely connecting Cloud Run to MongoDB Atlas, while still maintaining scalability. If I have to remain on GKE, so be it, I just want to know all of my options before I move forward.
IP whitelist - by its very nature, Google Cloud Run would seem to be anti-static-IP, so this seems to be a non-starter.
I evaluated items such as Cloud NAT and Cloud VPC Peering, but from what I can tell Cloud Run does not have access to the VPC, so it seems like this wouldn't help either.
Cloud Run and Cloud Functions have the same underlying infrastructure. Cloud Functions has the capability to be connected to a VPC. Therefore, Cloud Run will support this capability one day, I hope by the end of 2019.
If you can, I just recommend you to wait!
Update (October 2020): Cloud Run has now launched VPC egress feature that lets you configure a static IP for outbound requests through Cloud NAT. You can follow this step by step guide in the documentation to configure a static IP to connect to MongoDB Atlas.

Connecting to cluster nodes through google cloud functions

So I've been looking into simplifying some of our project solutions and by the look of it, Google Cloud Functions has the potential to simplify some of our current structure. The main thing I'm curious about is whether GCF is able to connect to internal nodes in a Kubernetes cluster hosted in Google Cloud.
I'm quite the rookie on this so any input is greatly appreciated.
Google Cloud has a beta (as of this writing) feature called Serverless VPC Access that allows you to connect your serverless features (Cloud Functions, App Engine Standard) to the VPC network where your GKE cluster is. This would allow you to access private IPs of your VPC network from Cloud Functions.
You can read the full setup instructions but the basic steps are:
1. Create a Serverless VPC Access Connector (under the "VPC Network -> Serverless VPC Access" menu in the console).
2. Grant the cloud function's service account any permissions it will need. Specifically, it will at least need "Project > Viewer" and "Compute Engine > Compute Network User".
3. Configure the function to use the connector. (In the console, this is done in the advanced settings' "VPC Connector" field.)
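The steps in the answer above, and the Cloud Run static-egress-IP setup from the October 2020 update to the earlier MongoDB Atlas answer, as one added shell script. This is an added example, not code from either answer or from Google: every name in it (project, region, network, connector, service account, image) is a placeholder, and with DRY_RUN=1 it prints the gcloud commands instead of running them so the generated invocations can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not from the answers above). Wires serverless workloads into a VPC:
#   1. a Serverless VPC Access connector,
#   2. the two IAM roles the answer names for the function's service account,
#   3. a Cloud Function deployed through the connector,
#   4. a Cloud Run service whose egress leaves through Cloud NAT on one reserved
#      static IP, so an IP allow-list (Atlas, Cloud SQL) can name a single address.
# All names below are placeholders. With DRY_RUN=1 the gcloud commands are printed,
# not executed.

PROJECT="${PROJECT:-my-project-id}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-default}"
CONNECTOR="${CONNECTOR:-serverless-conn}"
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"   # an unused /28 inside the VPC
FUNCTION_SA="${FUNCTION_SA:-fn-runner@${PROJECT}.iam.gserviceaccount.com}"

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: the connector (the console's "VPC Network -> Serverless VPC Access").
create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project "$PROJECT" --region "$REGION" \
    --network "$NETWORK" --range "$CONNECTOR_RANGE"
}

# Step 2: only the bindings the answer names (Project Viewer, Compute Network User);
# a dedicated runtime service account keeps these away from the default SA.
grant_function_roles() {
  for role in roles/viewer roles/compute.networkUser; do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:${FUNCTION_SA}" --role "$role"
  done
}

# Step 3: deploy the function through the connector so it can reach private IPs.
deploy_function() {
  run gcloud functions deploy "$1" --project "$PROJECT" --region "$REGION" \
    --runtime nodejs18 --trigger-http --no-allow-unauthenticated \
    --service-account "$FUNCTION_SA" --vpc-connector "$CONNECTOR"
}

# Step 4: Cloud Run egress through Cloud NAT with a reserved static address.
# The service must route all traffic (not just private ranges) through the
# connector, otherwise requests to the public Atlas endpoint bypass the NAT.
setup_static_egress() {
  service="$1"; image="$2"
  run gcloud compute addresses create "${service}-egress-ip" \
    --project "$PROJECT" --region "$REGION"
  run gcloud compute routers create "${service}-router" \
    --project "$PROJECT" --region "$REGION" --network "$NETWORK"
  run gcloud compute routers nats create "${service}-nat" \
    --project "$PROJECT" --region "$REGION" --router "${service}-router" \
    --nat-all-subnet-ip-ranges --nat-external-ip-pool "${service}-egress-ip"
  run gcloud run deploy "$service" --project "$PROJECT" --region "$REGION" \
    --image "$image" --vpc-connector "$CONNECTOR" --vpc-egress all-traffic
}

# Run for real only when explicitly asked: RUN_SETUP=1 ./serverless-vpc.sh
if [ "${RUN_SETUP:-0}" = "1" ]; then
  create_connector
  grant_function_roles
  deploy_function my-private-fn
  setup_static_egress my-api gcr.io/my-project-id/my-api:latest
fi
```

The address created in step 4 is the one to put in the Atlas allow-list; everything else the service sends still goes through the same NAT, so the list stays at one entry even as Cloud Run scales instances up and down.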

Whitelist traffic to mysql from a kubernetes service

I have a Cloud MySQL instance which allows traffic only from whitelisted IPs. How do I determine which IP I need to add to the ruleset to allow traffic from my Kubernetes service?
The best solution is to use the Cloud SQL Proxy in a sidecar pattern. This adds an additional container into the pod with your application that allows for traffic to be passed to Cloud SQL.
You can find instructions for setting it up here. (It says it's for GKE, but the principles are the same)
If you prefer something a little more hands on, this codelab will walk you through taking an app from local to on a Kubernetes Cluster.
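The sidecar pattern from the answer above, as an added example that is not the answer's own code nor Google's: a small shell script that validates the instance connection name and renders a Deployment with the Cloud SQL Auth Proxy as a second container. The application connects to 127.0.0.1:3306 and the proxy opens an IAM-authenticated TLS tunnel to the instance, which is why no pod or node IP has to be added to the whitelist. The proxy image tag, the app image, and the Workload Identity service account binding are assumptions.

```shell
#!/bin/sh
# Added example (not the answer's own code). Renders a Deployment that runs the
# Cloud SQL Auth Proxy as a sidecar; the app talks to localhost and the proxy
# handles auth and TLS to the instance, so the IP allow-list is not needed.
# Image tag, names and the Workload Identity setup are placeholders/assumptions.

# Cloud SQL instance connection names look like PROJECT:REGION:INSTANCE.
validate_connection_name() {
  case "$1" in
    *:*:*) ;;                 # at least three colon-separated fields
    *) echo "bad instance connection name: $1" >&2; return 1 ;;
  esac
  rest="${1#*:}"; rest="${rest#*:}"   # strip PROJECT: and REGION:
  case "$rest" in
    *:*) echo "too many fields in: $1" >&2; return 1 ;;
  esac
  return 0
}

# render_sidecar_manifest APP_NAME CONNECTION_NAME [APP_IMAGE]
render_sidecar_manifest() {
  app="$1"; conn="$2"; image="${3:-gcr.io/my-project/${1}:latest}"
  validate_connection_name "$conn" || return 1
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${app}
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ${app}
  template:
    metadata:
      labels:
        app: ${app}
    spec:
      # Assumed: this KSA is bound via Workload Identity to a GSA holding
      # roles/cloudsql.client, so the proxy needs no mounted key file.
      serviceAccountName: ${app}-ksa
      containers:
      - name: ${app}
        image: ${image}
        env:
        - name: DB_HOST
          value: "127.0.0.1"
        - name: DB_PORT
          value: "3306"
      - name: cloud-sql-proxy
        image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0   # assumed tag
        args:
        - "--structured-logs"
        - "--port=3306"
        - "${conn}"
        securityContext:
          runAsNonRoot: true
        resources:
          requests:
            cpu: "100m"
            memory: "64Mi"
EOF
}

# Usage: ./sidecar.sh my-app my-project:us-central1:my-db | kubectl apply -f -
if [ "$#" -ge 2 ]; then
  render_sidecar_manifest "$@"
fi
```

Because the proxy only listens on the pod's loopback interface, other pods on the node cannot reach the tunnel, and the database credentials stay a separate secret from the IAM identity that authorizes the tunnel itself.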
I am using Google Cloud Platform, so my solution was to add the Google Compute Engine VM instance External IP to the whitelist.

Is Google Cloud Load Balancing a managed version of Envoy?

I'm comparing layer 7 HTTP(S) load balancers to use with Kubernetes on Google Cloud Platform.
GCP has their own managed service called Google Cloud Load Balancer.
Also popular to use with Kubernetes is Envoy, an open-source "cloud native" proxy that has many contributions from Google staff.
Is Google Cloud Load Balancer a managed version of Envoy? Perhaps just with some added integrations with GCP's CDN? If they are not actually the same, what are the key differences between the two options (beyond just that one is managed and the other is self-deployed)?
Right now the new version of Google Load Balancer uses Envoy proxy to handle advanced traffic management (here).