Google Cloud SQL authorize Auto Scale Instance Groups

I have an instance group set up with Auto Scaling and Load Balancing. I'm also using Google Cloud SQL for the MySQL server.

Whenever instance group scales up and adds another instance, the instance gets a new IP address. The problem is that this instance no longer has access to the Google SQL instance (since the SQL instance requires authorized networks to be pre-configured). What can I do about this?

I'm currently accepting most IPs to my SQL server by adding the following IPs to the Authorized IPs in the SQL manager: 100.0.0.0/6 104.0.0.0/5 112.0.0.0/4


As already mentioned by @justbeez, I believe the best way to go is using second generation instances and Cloud SQL Proxy. In case this is not possible, first generation instances can be setup to only allow SSL connections and whitelisting any origin as explained here.

A more complex approach would be to create an instance template so that a startup-script runs at boot time and authorizes the instance IP address via gcloud. The IP could be removed in the same way at shutdown time.

The IP address of the GCE VM can be obtained from the metadata server

curl "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip" -H "Metadata-Flavor: Google" 

If you're using a Second Generation Cloud SQL instance, you may want to consider using the Cloud SQL Proxy connection method: https://cloud.google.com/sql/docs/mysql-connect-proxy

In short, you install Cloud SQL proxy locally in your instances and it authenticates via a service account. You then connect to it similarly to how you would connect using a UNIX or TCP socket.

This requires a little setup, but doesn't require any IP whitelisting. Once you have it configured, you would just add that version to whatever auto-scaling template you're using.

Note: If you happen to be using Docker containers, they have a version of Cloud SQL Proxy wrapped in a Docker image that you can add to your pods as a service: https://cloud.google.com/sql/docs/mysql-connect-docker

(The only other option I can think of is to use the API to edit the whitelist in response to the autoscaling events.)