by theptip 2982 days ago
Last I checked it wasn't possible to whitelist internal IPs (e.g. Kubernetes nodes or VM instances) to access Cloud SQL instances at all -- the options are either to use the non-standard cloud SQL proxy sidecar app, or allow connections from all endpoints (public or private).

This seems like a major omission, and AWS has had this for ages.


From the docs:

https://cloud.google.com/sql/docs/postgres/connect-external-...

> You can grant any application access to a Cloud SQL instance by authorizing the IP addresses that the application uses to connect.

> You can not specify a private network (for example, 10.x.x.x) as an authorized network.

> PostgreSQL instances support only IPv4 addresses. They are automatically configured with a static IP address.

Ah, misremembered exactly what the issue was -- you're right, individual endpoints can be whitelisted. Internal networks cannot, which is what I (or anyone else using GKE) would need, since node IPs are ephemeral.

I believe the same issue would apply to VM instances that are not pets (in auto-scaling groups, for example), since I'm not aware of being able to auto-assign static IPs there either.

There is also a third option: a small pod listening for node changes on the k8s API that whitelists IPs on Cloud SQL. I have been using this for two years.
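The reconciliation loop that comment describes, as an added example that is not the commenter's code and not anything from Google's own tooling: it reads the Kubernetes node list, derives one /32 authorized-network entry per node external IP, merges that with the entries an operator added by hand, and builds the body for the Cloud SQL Admin API `instances.patch` call. Assumptions not in the thread: the `v1beta4` `instances.patch` endpoint and its `settings.ipConfiguration.authorizedNetworks` field, a `gke-node-` name prefix to mark the entries this tool owns, an OAuth token in the `GOOGLE_OAUTH_ACCESS_TOKEN` environment variable, and a single reconcile pass rather than a watch (the sample node list and current settings are constructed here so it runs offline).

```python
"""Reconcile Cloud SQL authorized networks with the current Kubernetes node IPs.

Added example, not the HN commenter's code.  Assumed (not in the thread):
Cloud SQL Admin API v1beta4 instances.patch, the settings.ipConfiguration
.authorizedNetworks field, the MANAGED_PREFIX naming convention and the
GOOGLE_OAUTH_ACCESS_TOKEN environment variable.
"""
import json
import os
import subprocess
import urllib.request

# Entries whose name starts with this prefix are owned by this tool; every
# other authorized network is left exactly as the operator configured it.
MANAGED_PREFIX = "gke-node-"

# Constructed sample in the shape `kubectl get nodes -o json` returns.
SAMPLE_NODES = {
    "items": [
        {"metadata": {"name": "gke-pool-a-1"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.128.0.2"},
             {"type": "ExternalIP", "address": "203.0.113.10"}]}},
        {"metadata": {"name": "gke-pool-a-2"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.128.0.3"},
             {"type": "ExternalIP", "address": "203.0.113.11"}]}},
        # A node that has no public address yet must simply be skipped.
        {"metadata": {"name": "gke-pool-b-1"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.128.0.4"}]}},
    ]
}

# Constructed sample of the instance's existing authorizedNetworks list.
SAMPLE_CURRENT = [
    {"name": "gke-node-gke-pool-a-1", "value": "203.0.113.10/32"},
    {"name": "gke-node-gke-old-node", "value": "203.0.113.99/32"},  # node is gone
    {"name": "office-vpn", "value": "198.51.100.0/24"},              # hand-managed, keep
]


def node_external_ips(node_list):
    """Map node name -> external IPv4 address; nodes without one are skipped."""
    ips = {}
    for node in node_list.get("items", []):
        name = node["metadata"]["name"]
        for addr in node.get("status", {}).get("addresses", []):
            # Cloud SQL authorized networks are IPv4 only, so ignore IPv6.
            if addr.get("type") == "ExternalIP" and ":" not in addr["address"]:
                ips[name] = addr["address"]
    return ips


def desired_authorized_networks(current, node_list):
    """Full list the instance should carry: operator entries + one /32 per node."""
    kept = [n for n in current if not n["name"].startswith(MANAGED_PREFIX)]
    managed = [{"name": MANAGED_PREFIX + name, "value": ip + "/32"}
               for name, ip in sorted(node_external_ips(node_list).items())]
    return kept + managed


def build_patch(current, node_list):
    """Body for instances.patch, or None when the instance is already in sync."""
    desired = desired_authorized_networks(current, node_list)
    as_set = lambda nets: {(n["name"], n["value"]) for n in nets}
    if as_set(desired) == as_set(current):
        return None
    return {"settings": {"ipConfiguration": {"authorizedNetworks": desired}}}


def apply_patch(project, instance, body, token):
    """Send the PATCH to the Cloud SQL Admin API (network call, live mode only)."""
    url = (f"https://sqladmin.googleapis.com/sql/v1beta4/projects/"
           f"{project}/instances/{instance}")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def live_nodes():
    """Node list from the cluster; in-cluster you would hit the API server instead."""
    return json.loads(subprocess.check_output(["kubectl", "get", "nodes", "-o", "json"]))


def reconcile_once(current, node_list, project=None, instance=None):
    """One pass: returns ("unchanged", None) or ("patched", body)."""
    body = build_patch(current, node_list)
    if body is None:
        return "unchanged", None
    if project and instance:  # only touch the real instance when asked to
        apply_patch(project, instance, body, os.environ["GOOGLE_OAUTH_ACCESS_TOKEN"])
    return "patched", body


if __name__ == "__main__":
    # Dry run over the constructed samples; pass project/instance to patch for real.
    status, body = reconcile_once(SAMPLE_CURRENT, SAMPLE_NODES)
    print(status)
    print(json.dumps(body, indent=2))
```

Two design points matter for safety: the tool only ever rewrites entries carrying its own prefix, so a hand-authorized VPN range survives every pass, and stale entries for nodes that no longer exist are dropped, since a /32 left behind for an IP that GCP may hand to someone else's VM is exactly the hole this whole approach is meant to close. In a real deployment the pod would also need a service account with `cloudsql.instances.update` and read access to nodes, and the loop should run on node add/delete events rather than on a timer.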