从同时具有私有IP和公共IP的VM连接到私有IP上的Google Cloud SQL实例失败 [英] Connecting to Google Cloud SQL instance on private IP from a VM with both private and public IPs fails

问题描述

• 具有私有IP，Postgresql数据库的Cloud SQL实例
• 具有与SQL实例相同的VPC网络上具有一个公用IP和一个私有IP的VM(VM，SQL实例和VPC都在同一区域中)
• VM的服务帐户具有足够的Cloud SQL客户端/查看者权限
连接到SQL实例的VM上的
• SQL代理.我使用在某些文档中找到的-ip_address_types=PRIVATE参数运行它.

• Cloud SQL instance with private IP, Postgresql database
• A VM with one public IP and one private IP on same VPC network as the SQL instance is on (VM, SQL instance and VPC are all in the same region)
• VM has a service account with sufficient Cloud SQL client/viewer permissions
• SQL proxy on VM connecting to SQL instance. I run it with the -ip_address_types=PRIVATE argument I've found in some of the documentation.

用于重现使我感到困惑的状态的略简化的Terraform代码在这里: https://github.com/hallvors/gcp-network-issue-demo 要对此进行测试，请执行以下操作:

Slightly simplified Terraform code for reproducing the state that confuses me is here: https://github.com/hallvors/gcp-network-issue-demo To test this, do the following:

1. 创建一个新的一次性Google Cloud项目.
2. 为方便起见，您可以运行bootstrap.sh启用正确的服务(它将询问Google项目的ID，并假设您具有已登录并可以访问的gcloud客户端).
3. 在项目中创建一个服务帐户，为方便起见，使其成为所有者，然后将密钥文件保存在./local-secrets/google-project-credentials.json
中
4. 使用项目ID和服务帐户的电子邮件更新terraform.tfvars
5. terraform workspace new staging
6. terraform init
7. terraform apply

1. create a new throwaway Google Cloud project.
2. For your convenience, you can run bootstrap.sh to enable the right services (it will ask for the ID of the Google project and assume you have a gcloud client which is logged in and has access).
3. Create a service account in the project, just make it owner for convenience, and save a key file in ./local-secrets/google-project-credentials.json
4. Update terraform.tfvars with project ID and e-mail of service account
5. terraform workspace new staging
6. terraform init
7. terraform apply

完成Terraform后，您应该在项目中设置一个数据库和一个VM.

When Terraform is done, you should have a database and a VM set up in the project.

1. SSH进入虚拟机并运行sudo apt install postgresql-client-common postgresql-client
2. 查找数据库实例的IP地址
3. 运行此程序(根据需要修改详细信息)psql --host 10.167.0.3 -U gcp-network-issue-demo-staging-db-user gcp-network-issue-demo-staging-database

1. SSH into the VM and run sudo apt install postgresql-client-common postgresql-client
2. Look up the IP address of the DB instance
3. Run this (modify details as needed) psql --host 10.167.0.3 -U gcp-network-issue-demo-staging-db-user gcp-network-issue-demo-staging-database

会发生什么?

• 任何实际使用连接的尝试(例如来自psql客户端或db-migrate的尝试)都会超时
• 如果我从设置中删除了VM的公共IP地址，则可以正常连接.但是，我需要一个可公开访问的VM才能将其他服务连接到它.

我想念什么?

推荐答案

此问题的原因是我无法理解网络接口可以同时具有 公共IP和私有IP/网络.因此，我的代码为google_compute_instance设置了一个公共接口，为私有网络设置了一个接口:

The cause of this problem was me failing to understand that a network interface can have both public and private IPs/networks. So my code set up one interface for the public and one for the private network for the google_compute_instance:

  # Update VM needs a public IP
  network_interface {
    network = "default"
    access_config {
    }
  }

  network_interface {
    network    = var.network
    subnetwork = var.subnetwork
  }

现在，我仍然还不完全了解网络，但是您似乎无法(轻松地?)指定数据库连接尝试使用的接口，并且它不会自动选择正确的接口.该提交中的解决方法是在此提交中配置对专用网络和公用网络一对一接口的访问:

Now, I still don't fully understand networking but it appears you can not (easily?) specify what interface the database connection attempts should use and it does not automatically pick the right one. The fix is in this commit, configuring both access to the private network and the public one in one network interface:

https://github.com/hallvors/gcp-network -issue-demo/commit/ea14174c1087c89b92310b5b4913e12a4e17130d

这篇关于从同时具有私有IP和公共IP的VM连接到私有IP上的Google Cloud SQL实例失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！