Kubernetes
Cloud SQL
Proxy Connection
Database Integration
Cloud Infrastructure

Cloud SQL connection for Kubernetes using proxy

Master System Design with Codemia

Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.

Introduction

The standard way to connect a Kubernetes workload to Cloud SQL without exposing raw database credentials everywhere is to run the Cloud SQL Auth Proxy next to the application. Your app talks to localhost, and the proxy handles secure authenticated traffic to the Cloud SQL instance.

Why the Proxy Pattern Works

The proxy solves several operational problems at once:

  • it encrypts traffic to Cloud SQL
  • it handles IAM-based authentication mechanics
  • it removes the need for the app to know public IP details
  • it gives your app a simple local TCP endpoint

From the application's point of view, the database is often just:

text
127.0.0.1:5432

or:

text
127.0.0.1:3306

depending on whether you are using PostgreSQL or MySQL.

Run the Proxy as a Sidecar

In Kubernetes, the common design is a sidecar container inside the same Pod as the application. That lets both containers share the Pod network namespace, so the app can connect to the proxy over localhost.

The proxy itself can be run directly like this:

bash
cloud-sql-proxy --port 5432 my-project:us-central1:orders-db

If that command succeeds, any PostgreSQL client on the same machine can connect through the proxy:

bash
psql "host=127.0.0.1 port=5432 dbname=appdb user=appuser"

That command-line flow is useful for proving the connection model before you put it into Kubernetes.

A Typical Pod Layout

Your Pod usually contains:

  • the application container
  • the Cloud SQL Auth Proxy sidecar
  • credentials or workload identity configuration

A simplified deployment looks like this:

yaml
1apiVersion: apps/v1
2kind: Deployment
3metadata:
4  name: orders-api
5spec:
6  replicas: 1
7  selector:
8    matchLabels:
9      app: orders-api
10  template:
11    metadata:
12      labels:
13        app: orders-api
14    spec:
15      containers:
16        - name: app
17          image: orders-api:latest
18          env:
19            - name: DB_HOST
20              value: 127.0.0.1
21            - name: DB_PORT
22              value: "5432"
23        - name: cloud-sql-proxy
24          image: cloud-sql-proxy-image
25          args:
26            - "--port=5432"
27            - "my-project:us-central1:orders-db"

The important idea is not the exact image tag. It is that the proxy listens inside the Pod, and the app connects to the loopback address.

Authentication Options

The modern preference on GKE is workload identity so you do not mount long-lived service account keys into Pods. If that is not available, teams sometimes fall back to a Kubernetes secret containing service account credentials.

Whichever approach you choose, the identity needs permission to connect to Cloud SQL. The proxy does not remove the need for authorization; it just centralizes how the connection is made.

This separation is useful because your application code can stay database-focused while the platform layer owns cloud authentication.

Application Configuration

Once the sidecar is running, application code is ordinary database code. Example with Python and PostgreSQL:

python
1import os
2import psycopg
3
4conn = psycopg.connect(
5    host=os.environ["DB_HOST"],
6    port=os.environ["DB_PORT"],
7    dbname="appdb",
8    user="appuser",
9    password="secret",
10)
11
12with conn.cursor() as cur:
13    cur.execute("select 1")
14    print(cur.fetchone())

Nothing in this code needs to know Cloud SQL instance names or Google-specific network details. That is the benefit of the proxy abstraction.

Troubleshooting Checklist

If the connection fails, debug in this order:

  1. Confirm the proxy container started
  2. Inspect proxy logs
  3. Verify the instance connection name
  4. Verify the Pod identity has Cloud SQL client permissions
  5. Confirm the app is connecting to localhost, not the Cloud SQL public address

A lot of failures are not database problems at all. They are identity problems, wrong instance names, or the app accidentally pointing at the wrong host.

When the Proxy Is a Good Fit

The sidecar proxy is especially useful when:

  • several services need a consistent connection pattern
  • you want to avoid embedding cloud networking details in app code
  • your cluster already has a clear identity model
  • operational teams want one standard approach across languages

It is less compelling only when you already have another secure connector model that the platform standardizes on.

Common Pitfalls

  • Pointing the application at the Cloud SQL IP instead of the local proxy port.
  • Forgetting to grant the Pod identity permission to connect.
  • Treating the proxy as a replacement for normal database credentials and authorization inside the database itself.
  • Assuming the proxy fixes connection pool exhaustion. It secures transport, but pool sizing is still your job.
  • Debugging the app first instead of checking whether the proxy container is healthy.

Summary

  • In Kubernetes, Cloud SQL is commonly accessed through the Cloud SQL Auth Proxy sidecar pattern.
  • The app connects to 127.0.0.1, while the proxy handles secure authenticated traffic to Cloud SQL.
  • Workload identity is usually cleaner than storing service account keys in secrets.
  • Most setup bugs come from identity, instance naming, or wrong host configuration.
  • Once the proxy is in place, application code can use ordinary database clients and connection strings.

Course illustration
Course illustration

All Rights Reserved.