# Error: dial tcp 10.0.0.4:3306: connect: connection refused — Cloud Run cannot reach Cloud SQL via private IP without VPC Connector

- **ID:** `cloud/gcp-cloud-run-egress-connection-refused`
- **Domain:** cloud
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

Cloud Run in serverless mode cannot directly access resources on a VPC network; a Serverless VPC Access connector is required to route traffic to private IP endpoints like Cloud SQL.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Cloud Run (fully managed) gcloud 474.0.0 | active | — | — |
| Cloud SQL for MySQL 8.0 | active | — | — |
| gcloud CLI 474.0.0 | active | — | — |

## Workarounds

1. **Create a Serverless VPC Access connector in the same VPC and region as Cloud SQL, then attach it to the Cloud Run service.** (95% success)
   ```
   gcloud compute networks vpc-access connectors create my-connector --region=us-central1 --network=default --range=10.8.0.0/28
   gcloud run deploy my-service --vpc-connector my-connector
   ```
2. **Alternatively, use the Cloud SQL Auth Proxy as a sidecar in Cloud Run by building a custom container that runs the proxy and your app, connecting via the Unix socket at `/cloudsql/INSTANCE_CONNECTION_NAME`.** (85% success)

## Dead Ends

- Adding public IP to Cloud SQL and allowing 0.0.0.0/0 is insecure and often blocked by organizational policy; it also doesn't resolve the VPC routing issue. (95% fail)
- Simply adding the Cloud SQL connection string to the Cloud Run environment variable does not create the network path; it only configures the client. (90% fail)
- Enabling 'Direct VPC Egress' on Cloud Run without a connector still doesn't route to private IPs; it only allows outbound traffic to the internet through the VPC. (70% fail)
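
A preflight check for the connector workaround and the public-IP dead end, added here as an example and not part of the original entry: it validates a planned connector (the /28 range, overlap with existing ranges, region match, attachment to the service) and flags an authorized network that opens Cloud SQL to every address. The `preflight` function, the dict layout and the reserved ranges are assumptions constructed for illustration.

```python
import ipaddress

def preflight(db_ip, connector, service, reserved, authorized_networks=()):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    if not ipaddress.ip_address(db_ip).is_private:
        findings.append(f"{db_ip} is not a private address; the connector is not what is missing")
    rng = ipaddress.ip_network(connector["range"], strict=False)
    if rng.prefixlen != 28:
        findings.append(f"connector range {rng} must be a /28")
    # The connector needs its own unused block: no overlap with subnets or
    # with the range allocated to Cloud SQL's private services access.
    for name, cidr in reserved.items():
        if rng.overlaps(ipaddress.ip_network(cidr)):
            findings.append(f"connector range {rng} overlaps {name} ({cidr})")
    if connector["region"] != service["region"]:
        findings.append("connector and Cloud Run service are in different regions")
    if service.get("vpc_connector") != connector["name"]:
        findings.append("service is not deployed with --vpc-connector " + connector["name"])
    # Dead end from the page: opening the instance's public IP to everyone.
    for cidr in authorized_networks:
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(f"authorized network {cidr} exposes Cloud SQL to every address")
    return findings

# Constructed sample values; only 10.0.0.4, 10.8.0.0/28, us-central1 and the
# my-connector / my-service names come from the page.
RESERVED = {"default-subnet": "10.128.0.0/20", "sql-private-range": "10.0.0.0/24"}
GOOD = dict(
    db_ip="10.0.0.4",
    connector={"name": "my-connector", "region": "us-central1", "range": "10.8.0.0/28"},
    service={"name": "my-service", "region": "us-central1", "vpc_connector": "my-connector"},
    reserved=RESERVED,
)
BAD = dict(
    db_ip="10.0.0.4",
    connector={"name": "my-connector", "region": "us-east1", "range": "10.0.0.0/24"},
    service={"name": "my-service", "region": "us-central1", "vpc_connector": None},
    reserved=RESERVED,
    authorized_networks=["0.0.0.0/0"],
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, preflight(**plan) or "ok")
```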
