Error: dial tcp 10.0.0.4:3306: connect: connection refused — Cloud Run cannot reach Cloud SQL via private IP without VPC Connector
ID: cloud/gcp-cloud-run-egress-connection-refused
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Cloud Run (fully managed) gcloud 474.0.0 | active | — | — | — |
| Cloud SQL for MySQL 8.0 | active | — | — | — |
| gcloud CLI 474.0.0 | active | — | — | — |
Root Cause
Cloud Run in serverless mode cannot directly access resources on a VPC network; a Serverless VPC Access connector is required to route traffic to private IP endpoints like Cloud SQL.
Official Documentation
https://cloud.google.com/run/docs/configuring/connecting-vpc
Workarounds
- 95% success: Create a Serverless VPC Access connector in the same VPC and region as Cloud SQL, then attach it to the Cloud Run service: `gcloud compute networks vpc-access connectors create my-connector --region=us-central1 --network=default --range=10.8.0.0/28` and `gcloud run deploy my-service --vpc-connector my-connector`
- 85% success: Alternatively, use a Cloud SQL Auth Proxy sidecar in Cloud Run by building a custom container that runs the proxy and your app, connecting via Unix socket at /cloudsql/INSTANCE_CONNECTION_NAME.
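An offline preflight check for the connector workaround, added here as an example (it is not part of the original entry or of any Google tooling): it verifies the "same VPC and region" condition and that the connector range is a /28 that does not collide with ranges already in use. The function name, dict shapes, and sample values are constructed for illustration.

```python
import ipaddress

def check_connector_plan(connector, sql_instance, used_ranges):
    """Return a list of problems with a planned Serverless VPC Access connector.

    Inputs are plain dicts/lists in a hypothetical shape chosen for this
    example; they are not a gcloud or API response format.
    """
    problems = []
    # The connector must sit in the same VPC and region as Cloud SQL.
    if connector["network"] != sql_instance["network"]:
        problems.append("connector and Cloud SQL are on different VPC networks")
    if connector["region"] != sql_instance["region"]:
        problems.append("connector and Cloud SQL are in different regions")

    try:
        # strict=True rejects values such as 10.8.0.1/28 (host bits set).
        rng = ipaddress.ip_network(connector["range"], strict=True)
    except ValueError as exc:
        return problems + [f"invalid connector range: {exc}"]

    # Connectors take a dedicated /28, as in --range=10.8.0.0/28.
    if rng.prefixlen != 28:
        problems.append(f"connector range must be a /28, got /{rng.prefixlen}")
    for cidr in used_ranges:
        if rng.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"connector range overlaps used range {cidr}")
    if ipaddress.ip_address(sql_instance["private_ip"]) in rng:
        problems.append("Cloud SQL private IP falls inside the connector range")
    return problems

# Constructed sample data mirroring the values used in this entry.
SQL = {"network": "default", "region": "us-central1", "private_ip": "10.0.0.4"}
USED = ["10.128.0.0/20", "10.0.0.0/24"]  # ranges already allocated in the VPC
GOOD = {"network": "default", "region": "us-central1", "range": "10.8.0.0/28"}
BAD = {"network": "default", "region": "europe-west1", "range": "10.0.0.0/24"}

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, check_connector_plan(plan, SQL, USED) or "ok")
```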
Dead Ends
Common approaches that don't work:
- 95% fail: Adding a public IP to Cloud SQL and allowing 0.0.0.0/0 is insecure and often blocked by organizational policy; it also doesn't resolve the VPC routing issue.
- 90% fail: Simply adding the Cloud SQL connection string to a Cloud Run environment variable does not create the network path; it only configures the client.
- 70% fail: Enabling 'Direct VPC Egress' on Cloud Run without a connector still doesn't route to private IPs; it only allows outbound traffic to the internet through the VPC.