Cloud SQL connection for Kubernetes using proxy
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
The standard way to connect a Kubernetes workload to Cloud SQL without exposing raw database credentials everywhere is to run the Cloud SQL Auth Proxy next to the application. Your app talks to localhost, and the proxy handles secure authenticated traffic to the Cloud SQL instance.
Why the Proxy Pattern Works
The proxy solves several operational problems at once:
- it encrypts traffic to Cloud SQL
- it handles IAM-based authentication mechanics
- it removes the need for the app to know public IP details
- it gives your app a simple local TCP endpoint
From the application's point of view, the database is often just:
or:
depending on whether you are using PostgreSQL or MySQL.
Run the Proxy as a Sidecar
In Kubernetes, the common design is a sidecar container inside the same Pod as the application. That lets both containers share the Pod network namespace, so the app can connect to the proxy over localhost.
The proxy itself can be run directly like this:
If that command succeeds, any PostgreSQL client on the same machine can connect through the proxy:
That command-line flow is useful for proving the connection model before you put it into Kubernetes.
A Typical Pod Layout
Your Pod usually contains:
- the application container
- the Cloud SQL Auth Proxy sidecar
- credentials or workload identity configuration
A simplified deployment looks like this:
The important idea is not the exact image tag. It is that the proxy listens inside the Pod, and the app connects to the loopback address.
Authentication Options
The modern preference on GKE is workload identity so you do not mount long-lived service account keys into Pods. If that is not available, teams sometimes fall back to a Kubernetes secret containing service account credentials.
Whichever approach you choose, the identity needs permission to connect to Cloud SQL. The proxy does not remove the need for authorization; it just centralizes how the connection is made.
This separation is useful because your application code can stay database-focused while the platform layer owns cloud authentication.
Application Configuration
Once the sidecar is running, application code is ordinary database code. Example with Python and PostgreSQL:
Nothing in this code needs to know Cloud SQL instance names or Google-specific network details. That is the benefit of the proxy abstraction.
Troubleshooting Checklist
If the connection fails, debug in this order:
- Confirm the proxy container started
- Inspect proxy logs
- Verify the instance connection name
- Verify the Pod identity has Cloud SQL client permissions
- Confirm the app is connecting to localhost, not the Cloud SQL public address
A lot of failures are not database problems at all. They are identity problems, wrong instance names, or the app accidentally pointing at the wrong host.
When the Proxy Is a Good Fit
The sidecar proxy is especially useful when:
- several services need a consistent connection pattern
- you want to avoid embedding cloud networking details in app code
- your cluster already has a clear identity model
- operational teams want one standard approach across languages
It is less compelling only when you already have another secure connector model that the platform standardizes on.
Common Pitfalls
- Pointing the application at the Cloud SQL IP instead of the local proxy port.
- Forgetting to grant the Pod identity permission to connect.
- Treating the proxy as a replacement for normal database credentials and authorization inside the database itself.
- Assuming the proxy fixes connection pool exhaustion. It secures transport, but pool sizing is still your job.
- Debugging the app first instead of checking whether the proxy container is healthy.
Summary
- In Kubernetes, Cloud SQL is commonly accessed through the Cloud SQL Auth Proxy sidecar pattern.
- The app connects to
127.0.0.1, while the proxy handles secure authenticated traffic to Cloud SQL. - Workload identity is usually cleaner than storing service account keys in secrets.
- Most setup bugs come from identity, instance naming, or wrong host configuration.
- Once the proxy is in place, application code can use ordinary database clients and connection strings.

