I’m trying to clean up my production infrastructure a bit but I am having possibly the worst time. Services I’m using:
Cloud SQL
Compute Engine VMs to run my apps’ containers.
There’s some other stuff but it doesn’t matter for now. I am trying to run two services split across 4 VMs (2 each). Currently I am running the services as follows:
Subnet 1:
VM 1: running service 1 & 2
VM 2: running service 1 & 2
What I want to do is:
Subnet 1
VM 1: running service 1
VM 2: running service 1
Subnet 2
VM 1: Running service 2
VM 2: Running service 2
However when I try to run service 2 in my new VMs the DB connection keeps timing out. I’ve spent the last 5-6 hours trying to debug this and it’s absolutely crucial to my small business.
What I’ve done so far:
Ensured the firewall has a rule to allow traffic to DB port 5432.
Pooled connections are allowed in the app.
Connection test in Cloud SQL is passing.
Can someone please advise. I don’t know what to do and a lot is on the line right now.
I assume you already checked, but it’s not in your list. Does the service account for the new VM have authority/access to the Cloud SQL API?
If you are using a custom service account, check that it has the proper permissions for it. If you are using the default CE service account, set the access for Cloud SQL or all APIs (not recommended) in the Security and access part of the edit module of your VM.
I have a customer having the same problem as you are. This is what I recommended to them.
In Cloud SQL check the network: are you using private or public IP?
If you are using public IP, make sure your VM’s public outgoing address is whitelisted.
If you are using private IP, the RFC 1918 addresses are automatically whitelisted. But if your container or VM are using a privately used public IP, you still need to whitelist it in the authorized network settings.
If you still can’t connect, this is where it gets interesting. Go to VPC Routes and check the routes of your VPC. You need to ensure that the servicenetworking-googleapis route is correctly imported/exported.
In my customer’s case, the servicenetworking-googleapis imported two different routes. They needed to disable the import route in VPC Peering and they were all set.
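The checks the two replies walk through (service account access to the Cloud SQL API, public vs. private IP and authorized networks, RFC 1918 vs. privately used public source addresses, and the servicenetworking-googleapis peering routes) collected into one gcloud checklist, as an added example that is not from any of the posters. The instance, VM, zone and network names are placeholders, and it assumes an authenticated gcloud; `is_rfc1918` is a local helper, not a gcloud feature.

```shell
#!/bin/sh
# Added Cloud SQL connectivity checklist for a Compute Engine VM in a new subnet.
# Assumes gcloud is installed and authenticated; every name below is a placeholder.
set -eu

SQL_INSTANCE="${SQL_INSTANCE:-my-sql-instance}"   # placeholder Cloud SQL instance
VM_NAME="${VM_NAME:-service2-vm-1}"                # placeholder VM in the new subnet
ZONE="${ZONE:-us-central1-a}"                      # placeholder zone
NETWORK="${NETWORK:-default}"                      # placeholder VPC network name

# Returns 0 when a dotted-quad IPv4 address lies inside an RFC 1918 block
# (10/8, 172.16/12, 192.168/16). Private-IP Cloud SQL accepts those sources
# without an authorized-network entry; a privately used public IP range needs one.
is_rfc1918() {
  o1=${1%%.*}
  rest=${1#*.}
  o2=${rest%%.*}
  if [ "$o1" = 10 ]; then return 0; fi
  if [ "$o1" = 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; fi
  if [ "$o1" = 192 ] && [ "$o2" = 168 ]; then return 0; fi
  return 1
}

# 1. Which service account and API scopes does the new VM carry?
check_vm_service_account() {
  gcloud compute instances describe "$VM_NAME" --zone "$ZONE" --format='yaml(serviceAccounts)'
}

# 2. Is the instance on public or private IP, and which networks are authorized?
check_sql_network() {
  gcloud sql instances describe "$SQL_INSTANCE" \
    --format='yaml(ipAddresses,settings.ipConfiguration.privateNetwork,settings.ipConfiguration.authorizedNetworks)'
}

# 3. Is the VM's internal address one that private-IP Cloud SQL trusts by default?
check_vm_ip() {
  ip=$(gcloud compute instances describe "$VM_NAME" --zone "$ZONE" \
         --format='value(networkInterfaces[0].networkIP)')
  if is_rfc1918 "$ip"; then echo "$ip is RFC 1918: no authorized-network entry needed"
  else echo "$ip is not RFC 1918: add its range to authorized networks"; fi
}

# 4. Firewall rules on the network, peering import/export flags, and the routes
#    learned through peering (the servicenetworking-googleapis ones included).
check_peering_and_firewall() {
  gcloud compute firewall-rules list --filter="network:$NETWORK" \
    --format='yaml(name,direction,sourceRanges,destinationRanges,allowed)'
  gcloud compute networks peerings list --network "$NETWORK" --format='yaml(name,peerings)'
  gcloud compute routes list --filter="network:$NETWORK AND nextHopPeering:*" \
    --format='yaml(name,destRange,nextHopPeering)'
}

if [ "${1:-}" = "--run" ]; then
  check_vm_service_account; check_sql_network; check_vm_ip; check_peering_and_firewall
fi
```

Run it as `sh checklist.sh --run` after exporting the four variables for your project; without `--run` it only defines the functions.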