How to connect Cloud Run and Cloud SQL internally

Illustration of a person surfing a curved road among clouds with stylized hexagon logos for Azure DevOps and GitHub floating around.

One of the most complex things in Google Cloud is understanding how the network works, and how services like Cloud Run that are not connected to any customer VPC can talk with components that are using a customer VPC.

There are two possible solutions. The first is to give Cloud SQL a public IP and have Cloud Run talk to that public IP. Remember that even with a public IP, the connection from Cloud Run to Cloud SQL does not leave the Google network. It sounds magical, but the packets never leave Google.

The second is to give Cloud SQL an internal IP and connect Cloud Run to the database through that internal IP. The problem is that Cloud Run, being a serverless component, has no user VPC; it does have an internal Google Cloud VPC, but that one is invisible to us. To connect the two components we need to create a Serverless VPC connection via private IP. It sounds complex but it is actually simple, and today we are going to learn how to do it.

And we are going to learn it in a real environment, not in a fake laboratory: in our time tracking tool, Claimora, we will change a database that Cloud Run reaches over a public IP so that it uses a private IP instead.


Let's start. The first thing we are going to check is our Cloud Run application. As you can see, this beautiful tool is deployed properly, and when we go to Connections we see that the Cloud SQL connection is there and that we currently don't have any VPC connector.

Screenshot of Google Cloud Platform interface showing a Cloud Run service deployment page with options for Cloud SQL connections and a VPC Connector configuration.

Now if we go to our Cloud SQL database, we see that it uses a public IP to accept inbound connections, and that this is how it currently works.

A screenshot of the Google Cloud Platform console showing an overview of a SQL database instance with CPU usage graph, public IP address, and configuration details like vCPUs, memory, and SSD storage.

The last piece is Serverless VPC Access, which we will use to connect our Cloud Run service, which has no user VPC, with Cloud SQL. If we click Create connector, we only need to give it a name, the region of the subnetwork that Cloud SQL uses, the VPC that Cloud SQL uses, and a custom IP range, in our case 10.8.0.0/28.

Screenshot of Google Cloud Platform interface showing the 'Create connector' page with form fields for configuring network details such as name, region, network, and subnet.

Now we go back to our Cloud SQL instance, click Edit, go to Connections, select Private IP and choose our VPC (default in our case), and uncheck Public IP. After we save and wait more than 20 minutes, our database will be working with a private IP. Simple.

Screenshot of the Google Cloud Platform interface, showing the 'Edit claiomra-database-staging' dialog with options for IP assignment and associated networking.

If we go back to Cloud Run and click Edit, we only need to go to Connections and, in the VPC connector field, select the connector that we created previously. After we deploy, the next step is to wait for the new revision to be rolled out in our service.

Screenshot of the Google Cloud Platform interface showing the deployment settings for a service with options for HTTP/2, Cloud SQL connections, and VPC Connector highlighted.

It's simple. We can open our page, stg.claimora.com, and, magically, everything is working. How beautiful is Claimora!

Screenshot of a time tracking web dashboard with headings 'Empleado' and 'Supervisor', displaying work schedule details for the date 2022-05-12, and options for logging hours.
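The same console steps as gcloud commands, with a final check that the instance no longer has a public address. This is an added example, not part of the original walkthrough: the connector, region, instance and service names are placeholders, only the `default` network and the `10.8.0.0/28` range come from the article, and it assumes private services access is already configured on the VPC.

```shell
#!/usr/bin/env bash
# Added example: gcloud equivalent of the console steps above.
# CONNECTOR, REGION, INSTANCE and SERVICE are placeholder names (assumptions);
# NETWORK and RANGE are the values used in the article.
CONNECTOR="${CONNECTOR:-run-to-sql}"
REGION="${REGION:-europe-west1}"
INSTANCE="${INSTANCE:-my-sql-instance}"
SERVICE="${SERVICE:-my-run-service}"
NETWORK="${NETWORK:-default}"
RANGE="${RANGE:-10.8.0.0/28}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Print the command, and run it only when DRY_RUN=0.
run() {
  echo "+ $*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Serverless VPC Access connectors require a /28 range.
valid_range() {
  case "$1" in */28) return 0 ;; *) return 1 ;; esac
}

# Succeeds if the instance still exposes a public (PRIMARY) address.
# $1 is the type list printed by the describe command in step 4.
has_public_ip() {
  case "$1" in *PRIMARY*) return 0 ;; *) return 1 ;; esac
}

migrate() {
  valid_range "$RANGE" || { echo "connector range must be a /28: $RANGE" >&2; return 1; }
  # 1. Connector in the VPC and region that Cloud SQL uses.
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --region="$REGION" --network="$NETWORK" --range="$RANGE"
  # 2. Private IP on, public IP off.
  run gcloud sql instances patch "$INSTANCE" --network="$NETWORK" --no-assign-ip
  # 3. Route the service's egress through the connector.
  run gcloud run services update "$SERVICE" --region="$REGION" --vpc-connector="$CONNECTOR"
  # 4. Confirm no public address remains on the instance.
  if [ "$DRY_RUN" = "0" ]; then
    local types; types=$(gcloud sql instances describe "$INSTANCE" --format='value(ipAddresses[].type)')
    if has_public_ip "$types"; then echo "public IP still assigned" >&2; return 1; fi
  fi
}

migrate
```

By default the script only prints the three commands; set `DRY_RUN=0` to execute them and run the public-IP check.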

Today we have learned how to connect a serverless component like Cloud Run with a component that lives in a VPC; to do the magic we need a Serverless VPC connector.

