How to access Google Cloud SQL Proxy from App Engine from DotNet App


George West

Mar 18, 2017, 12:22:33 PM
to Google App Engine
How to access Google Cloud SQL Proxy from App Engine from DotNet Core App.

- I wrote a Web App using DotNet Core / ASP.NET
- I tested the app locally with MySQL and Google Cloud SQL Proxy
- I deployed the app to Google App Engine

**Question:**

Is there a copy of the Google SQL Proxy on the Flex / Custom VM where my app is deployed?

How to access it from .NET Core?

Jordan (Cloud Platform Support)

Mar 21, 2017, 2:50:59 PM
to Google App Engine
It is actually much easier to connect to your Cloud SQL instance from App Engine. Instead of using a proxy to connect, you can directly connect from your App Engine app securely with SSL using the IP, username, and password of your Cloud SQL instance. 

Alternatively, if you want to install the Cloud SQL proxy on all of your App Engine instances (Not recommended as App Engine is meant for fast scalable apps), you would need to build your own App Engine Flexible environment runtime. In this custom .NET runtime you would need to install the Cloud SQL proxy into a container, by adding in the 'gcr.io/cloudsql-docker/gce-proxy' image to your Dockerfile as shown in the Kubernetes example.

George West

Mar 24, 2017, 9:21:10 AM
to Google App Engine
Hi

I did the following:

1- Took a copy of the Proxy (one for Linux and one for Windows) as part of the app
2- Marked the proxy with chmod as executable in the Dockerfile
3- When the .NET app runs, it kills the old proxy tasks (if there), and starts the proxy again.
4- The app then uses the proxy.

Not what I wanted but it worked.

The only thing that I am not sure about is the SSL: to connect with SSL you will need, or I believe you will need, to white-list external IP addresses; not sure why not the internal IPs?

Jordan (Cloud Platform Support)

Mar 24, 2017, 11:44:26 AM
to Google App Engine
As noted in the documentation, connections that are made using the Cloud SQL Proxy or from App Engine are already encrypted by default whether you configure SSL for the instance or not. So you do not require an SSL cert in these cases. 

If your Cloud SQL instance is in the same project as the App Engine app that is making the connection, your App Engine application is already authorized to access the SQL instance. Therefore you do not need to authorize any additional networks or IPs. If you are connecting to a Cloud SQL instance located in a different project, you will need to authorize the App Engine app.

Alternatively, you can force Only SSL connections to your instance (regardless of IP address), by following the SSL guide. Just make sure you supply the location of your SSL cert and key in your Dockerfile similar to how it is done again in Kubernetes so that the proxy starts with the SSL configuration. 

George West

Mar 27, 2017, 1:20:50 PM
to Google App Engine
Hi

I need more info about when MySQL and the App are running under the same project.

Can I simply make a direct call to MySQL from the App Engine without proxy, or white-listed IPs, or SSL?
Just an internal IP address and user name and password?

Jordan (Cloud Platform Support)

Mar 28, 2017, 9:38:11 AM
to Google App Engine
You are correct, the easiest way to connect to your Cloud SQL instance from App Engine, as previously recommended, is to directly connect to it using the Cloud SQL instance's IP address. It is recommended though to include the SSL cert when making the connection if you plan on running your app from your local development environment. 

Adriaan Stander

Jun 20, 2017, 1:12:15 AM
to Google App Engine

Using the recommended way of connecting a .NET application running in App Engine Flexible .NET to SQL App Engine Flex (all networks allowed to connect to MySQL instance with SSL), we saw many unauthenticated logon attempts that we assume have caused some of our connection issues recently.


Is there no better (more secure) way to connect?


Can't we use Google Cloud SQL Proxy to rather connect and limit authorized networks using standard capability?


It seems like only dotnetcore apps are required to directly connect to it (MySQL GCLOUD).
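
Added example, not part of any post in this thread: a check for the exposure the last post describes, where every network is authorized to reach the instance. It reads the JSON printed by `gcloud sql instances describe NAME --format=json` and inspects the `settings.ipConfiguration` fields of the Cloud SQL instance resource. The sample instance, the function name, the finding codes and the 256-address threshold are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud sql instances describe NAME --format=json`;
# the instance name and the network entries are made up for illustration.
SAMPLE_INSTANCE = json.loads("""
{
  "name": "example-instance",
  "settings": {
    "ipConfiguration": {
      "ipv4Enabled": true,
      "requireSsl": true,
      "authorizedNetworks": [
        {"name": "everyone", "value": "0.0.0.0/0"},
        {"name": "office",   "value": "203.0.113.0/24"},
        {"name": "partner",  "value": "198.51.100.0/20"}
      ]
    }
  }
}
""")


def audit_ip_config(instance, max_addresses=256):
    """Return (code, detail) findings for the instance's public-IP exposure."""
    cfg = instance.get("settings", {}).get("ipConfiguration", {})
    if not cfg.get("ipv4Enabled", False):
        return []  # no public IP: authorized networks are not in play
    findings = []
    if not cfg.get("requireSsl", False):
        findings.append(("SSL_NOT_REQUIRED", "unencrypted connections are accepted"))
    for net in cfg.get("authorizedNetworks", []):
        value = net.get("value", "")
        try:
            cidr = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(("BAD_CIDR", value))
            continue
        if cidr.prefixlen == 0:
            # 0.0.0.0/0 or ::/0: any host on the internet may attempt a login
            findings.append(("OPEN_TO_ANY_ADDRESS", value))
        elif cidr.num_addresses > max_addresses:
            findings.append(("WIDE_RANGE", value))
    return findings


if __name__ == "__main__":
    for code, detail in audit_ip_config(SAMPLE_INSTANCE):
        print(f"{code}: {detail}")
```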
