Overview
Follow the steps below to create a Cloud SQL instance with Private Service Connect (PSC) enabled within Google Cloud.
Create using Terraform
What’s Created
- Necessary APIs enabled
- VPC with firewall rule
- Private Service Access (PSA) enabled with IP reserved
- Cloud SQL PostgreSQL Instance with Private Service Connect (PSC) enabled
Prerequisites
Software Requirements:
GCP Account Requirements:
- Google Cloud Platform (GCP) account with billing enabled.
- Deploy resources in the same region as your Control Plane workload.
Step 1 - Clone Control Plane Terraform
- This repository contains Terraform modules for provisioning GCP infrastructure that integrates with Control Plane via Private Service Connect.
Step 2 - Create Configuration File
- Create a terraform.tfvars file in the root of the cloned repository.
Step 3 - Deploy Infrastructure
- Run Terraform with your configuration:
- Terraform will automatically provision all necessary resources and output your service attachment.
- For more information, refer to the repository README.
Create using the GCP Console
Prerequisites
- Google Cloud Platform (GCP) account.
- Install the latest Google Cloud CLI.
- Existing GCP project
- Enable the following APIs in your GCP project:
  - SQL Admin
  - Compute Engine
  - Service Networking
Step 1 - Create a VPC
- Navigate to VPC Networks and select Create VPC Network.
- Name the VPC, enable the necessary firewall rules for your intended use and click Create.
A subnet is not required for PSC with Cloud SQL. Cloud SQL lives in Google’s managed data center and the VPC is only required for using a private IP, routing, and firewall rules.
Step 2 - Create Cloud SQL
- Navigate to SQL and select Create Instance.
- Choose your database engine (e.g. PostgreSQL).
- Select your preferred SQL edition.
- Name your SQL instance and choose a secure password.
Ensure the region selected for the Cloud SQL instance matches the region of your Control Plane workload. If the regions are not the same, the Private Service Connection will fail.
- Scroll to the bottom of the page and click Show Configuration Options to drop down more options.
- Select the Connections tab, disable Public IP and enable Private IP.
- Enable Private Service Access (PSA)
  - Under Private IP, a drop down should appear to configure PSA.
  - Choose your VPC and select Set up connection.
  - You can allocate an IP range by either automatically allocating or by selecting your own range.
  - Select Continue and Create Connection.
  - Once the connection is created you can create your instance.
Private Service Connect enablement is not currently supported in the GCP console. After the instance is created, you must edit the Cloud SQL instance using the CLI.
Edit existing Cloud SQL Instance
The following steps will show how to enable Private Service Connect with the allowed consumer project for Control Plane in an existing Cloud SQL instance.
Prerequisites
- Cloud SQL created with private IP only (no public IP)
- Private Service Access (PSA) enabled with reserved IP (required when using private IP only)
Step 1 - Verify current project using the CLI
Ensure you are in the correct project before patching the Cloud SQL instance.
Step 2 - Patch the Cloud SQL instance
Use the gcloud CLI to edit the Cloud SQL instance. When patching the Cloud SQL instance, you must specify the allowed consumer project ID(s) that will be used to consume the instance.
Use the following gcloud command:
If you need to change the allowed consumer projects in the future, use the same command and omit the --enable-private-service-connect flag.
- You can find your service attachment in the console under Connections for your Cloud SQL instance.
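To confirm the patched instance matches the steps above before sending the service attachment, the following added example (not part of the original guide or the Control Plane repository) checks the JSON printed by `gcloud sql instances describe INSTANCE --format=json`. It assumes the Cloud SQL Admin API field names shown in the code; the sample document and every project, network and instance name in it are constructed placeholders.

```python
import json

# Constructed sample of `gcloud sql instances describe INSTANCE --format=json`
# output, trimmed to the fields checked below. Every value is a placeholder.
SAMPLE_DESCRIBE = json.dumps({
    "name": "example-instance",
    "region": "us-central1",
    "pscServiceAttachmentLink":
        "projects/example-tenant/regions/us-central1/serviceAttachments/example-sa",
    "settings": {"ipConfiguration": {
        "ipv4Enabled": False,
        "privateNetwork": "projects/example-project/global/networks/example-vpc",
        "pscConfig": {"pscEnabled": True,
                      "allowedConsumerProjects": ["example-consumer-project"]},
    }},
})


def check_psc_instance(describe_json, workload_region, expected_projects):
    """Return (problems, service_attachment) for one Cloud SQL instance."""
    inst = json.loads(describe_json)
    ip = inst.get("settings", {}).get("ipConfiguration", {})
    psc = ip.get("pscConfig", {})
    problems = []
    if ip.get("ipv4Enabled"):
        problems.append("public IP is enabled; expected private IP only")
    if not ip.get("privateNetwork"):
        problems.append("no private network set; PSA is not configured")
    if not psc.get("pscEnabled"):
        problems.append("Private Service Connect is not enabled")
    allowed = set(psc.get("allowedConsumerProjects", []))
    expected = set(expected_projects)
    for project in sorted(expected - allowed):
        problems.append(f"{project} is missing from allowed consumer projects")
    # Connections from allowed projects need no manual acceptance, so any
    # project beyond the expected ones is worth flagging.
    for project in sorted(allowed - expected):
        problems.append(f"{project} is allowed but not expected")
    if inst.get("region") != workload_region:
        problems.append(f"region {inst.get('region')} differs from workload region {workload_region}")
    attachment = inst.get("pscServiceAttachmentLink")
    if not attachment:
        problems.append("no service attachment reported")
    return problems, attachment


if __name__ == "__main__":
    issues, link = check_psc_instance(
        SAMPLE_DESCRIBE, "us-central1", ["example-consumer-project"])
    print("service attachment:", link)
    print("\n".join(issues) or "configuration matches the steps above")
```

An empty problem list means the instance is private IP only, has PSC enabled, allows exactly the expected consumer projects and sits in the workload's region.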
Next Steps
- Contact support@controlplane.com with your service attachment and region.
- Control Plane will use this to create the consumer-side endpoint connection.
When using Cloud SQL, no manual acceptance is required for new connections created by the specified allowed consumer projects.
- Proceed to follow the Native Networking Setup in Control Plane.