
Professional Cloud Database Engineer Exam - Question 55


You are writing an application that will run on Cloud Run and require a database running in the Cloud SQL managed service. You want to secure this instance so that it only receives connections from applications running in your VPC environment in Google Cloud. What should you do?

Correct Answer: D

To secure the Cloud SQL instance so that it only receives connections from applications running in your VPC environment in Google Cloud, follow these steps:

1. Create the instance with a specified internal (private) IP address to limit exposure to the internet.
2. Choose the VPC with private service connection configured to ensure internal communication within the VPC.
3. Configure the Serverless VPC Access connector in the same VPC network as your Cloud SQL instance to enable serverless applications (like Cloud Run) to access resources in the VPC.
4. Connect to the instance using a connection pool to manage connections efficiently and enhance reliability.

This method ensures secure and direct connections without needing a Cloud SQL Auth proxy, which is more suitable when dealing with public IP connections.
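A way to verify the result of these steps, as an added example that is not part of the original page: the function below audits the JSON from `gcloud sql instances describe --format=json` and reports anything that would let the instance accept connections from outside the VPC. The function name, the sample values and the name-only comparison of the connector's network are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like `gcloud sql instances describe --format=json`
# output (Cloud SQL Admin API instance resource). All values are placeholders.
SAMPLE_PRIVATE = json.loads("""
{"name": "example-db",
 "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.10.0.3"}],
 "settings": {"ipConfiguration": {
   "ipv4Enabled": false,
   "privateNetwork": "projects/example-project/global/networks/example-vpc",
   "authorizedNetworks": []}}}
""")


def audit_private_only(instance, connector_network):
    """Return a list of findings; an empty list means VPC-only reachability.

    connector_network is the VPC network the Serverless VPC Access connector
    is attached to (short name or full path). Only the final path segment is
    compared, which assumes both networks live in the same project.
    """
    findings = []
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    # A missing ipv4Enabled is treated as enabled so the check fails closed.
    if ipcfg.get("ipv4Enabled", True):
        findings.append("public IPv4 is enabled")
    for addr in instance.get("ipAddresses", []):
        if addr.get("type") != "PRIVATE":
            findings.append(f"non-private address present: {addr.get('type')}")
    for net in ipcfg.get("authorizedNetworks", []):
        findings.append(f"authorized network configured: {net.get('value')}")
    private_net = ipcfg.get("privateNetwork", "")
    if not private_net:
        findings.append("no privateNetwork set")
    elif private_net.rsplit("/", 1)[-1] != connector_network.rsplit("/", 1)[-1]:
        findings.append("connector is not in the instance's VPC network")
    return findings


if __name__ == "__main__":
    print(audit_private_only(SAMPLE_PRIVATE, "example-vpc") or "private-only")
```
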

Discussion

24 comments
chelbsik Option: D
Dec 25, 2022

It's D, CloudSQL Auth proxy is not used when connecting to Private IP https://cloud.google.com/sql/docs/mysql/connect-run#configure https://cloud.google.com/sql/docs/mysql/connect-run#connection-pools

gabrielosluz
Feb 22, 2023

The Cloud SQL Auth proxy works with both public and private IP endpoints: https://cloud.google.com/sql/docs/mysql/connect-auth-proxy

dynamic_dba
Mar 13, 2023

D. Cloud Run to Cloud SQL connectivity can be done using private IPs. Eliminate A and B. C would be right except you wouldn’t use Cloud SQL Auth Proxy because Serverless VPC Access would connect directly to the Cloud SQL instance. The connection pool reference in D puts you off, but it is the right answer. The link provided by SVGoogle89 is spot on.

GCP72 Option: C
Dec 28, 2022

C is the correct answer. Requirements for using the Cloud SQL Auth proxy: To use the Cloud SQL Auth proxy, you must meet the following requirements: The Cloud SQL Admin API must be enabled. You must provide the Cloud SQL Auth proxy with Google Cloud authentication credentials. You must provide the Cloud SQL Auth proxy with a valid database user account and password. The instance must either have a public IPv4 address, or be configured to use private IP. The public IP address does not need to be accessible to any external address (it does not need to be added as an authorized network address).

sp57
Dec 31, 2022

Agree with chelbsik's point re. Cloud SQL Auth proxy not required with Cloud Run - vote D.

SVGoogle89
Jan 3, 2023

D. https://cloud.google.com/sql/docs/mysql/connect-run#private-ip_1

examprof
Dec 13, 2023

Option D. This link explicitly indicates that "For private IP paths, your application will connect directly to your instance through Serverless VPC Access. This method uses TCP to connect directly to the Cloud SQL instance without using the Cloud SQL Auth Proxy." https://cloud.google.com/sql/docs/mysql/connect-run#connect_to

pk349
Dec 25, 2022

C: Create your instance with a specified internal (private) IP address. Choose the VPC with private service connection configured. Configure the Serverless VPC Access connector in the same VPC network as your Cloud SQL instance. Use Cloud SQL Auth proxy to connect to the instance.

abdenago Option: D
Jun 14, 2023

Auth proxy isn't required with private serverless access; the connection pool increases reliability of the connection.

CloudKida Option: C
Jun 28, 2023

https://cloud.google.com/sql/docs/mysql/connect-overview - Configuring your instance with a private IP is preferred when connecting from a client on a resource with access to a VPC. For more information about what resources can use private IP, see Requirements for Private IP. For private IP paths, the following services and applications connect directly to your instance through Serverless VPC Access: App Engine standard environment, App Engine flexible environment, Cloud Functions, Cloud Run.

ewelaz Option: D
Sep 27, 2023

It's D; Auth proxy is not used when connecting to Private IP.

PKookNN Option: D
Jan 22, 2024

https://cloud.google.com/sql/docs/mysql/connect-run#connect_to - said clearly that there is no need for Cloud SQL Auth Proxy when using with Cloud Run.

Pime13 Option: D
Apr 30, 2024

D: https://cloud.google.com/sql/docs/mysql/connect-run#connect

Nirca Option: D
Mar 7, 2023

Going for D. "The Cloud SQL Auth proxy is a Cloud SQL connector that provides secure access to your instances without a need for Authorized networks or for configuring SSL." and in our scenario, we have a VPC.

Pilot50 Option: C
Apr 5, 2023

Not a great question; both C and D are acceptable based on this Google doc: https://cloud.google.com/sql/docs/mysql/connect-run#best-practices

KennyHuang Option: C
May 28, 2023

The Cloud SQL Auth proxy provides a secure connection between your application running on Cloud Run and the Cloud SQL instance. It handles authentication and encrypts traffic.

Sandipcst
Jun 18, 2023

C. Cloud SQL Auth Proxy can connect to a Cloud SQL instance with private IP by specifying the --private-ip argument in the same VPC. Cloud Run can run a container that gets the auth proxy installable files and runs the auth proxy in Cloud Run in the same VPC.

learnazureportal
Sep 6, 2023

Correct answer is C - The Cloud SQL Auth proxy acts as a secure intermediary between your Cloud Run application and the Cloud SQL instance, allowing for secure and authenticated database connections while keeping the database inaccessible from the public internet.

nqthien041292 Option: C
Sep 6, 2023

Vote C

juliorevk Option: C
Oct 3, 2023

https://cloud.google.com/sql/docs/mysql/connect-auth-proxy "Works with both public and private IP endpoints"

nhiguchi Option: C
Nov 5, 2023

C is correct.

AngieSoccerBall49
Nov 29, 2023

D is the correct answer. A common misconception.

AngieSoccerBall49
Nov 29, 2023

When using Cloud Run to connect to Cloud SQL Private IP addresses, it is unnecessary to use the SQL Auth Proxy in Private IP mode. The Serverless VPC Access Connector (which has been superseded by Cloud Run's direct VPC Egress) should connect directly and leverage a connection pooler (potentially in your application via client library, probably better as a separate instance) for more consistent connections to the Cloud SQL DB. You would create a specific "user" for this purpose in your database.

LaxmanTiwari
Jan 16, 2024

API Quota Limits: Cloud Run provides a mechanism that connects using the Cloud SQL Auth Proxy, which uses the Cloud SQL Admin API. API quota limits apply to the Cloud SQL Auth Proxy. The Cloud SQL Admin API quota used is approximately two times the number of Cloud SQL instances configured by the number of Cloud Run instances of a particular service deployed at any one time. You can cap or increase the number of Cloud Run instances to modify the expected API quota consumed.

LaxmanTiwari
Jan 16, 2024

Selected Answer: C

rglearn Option: D
Oct 25, 2024

Cloud Run has a built-in SQL Auth Proxy, hence we don't need to use it explicitly.

krop Option: C
May 4, 2025

Correct answer is C.