# Error: dial tcp 10.0.0.4:3306: connection refused (Cloud Run cannot reach Cloud SQL over private IP without a VPC connector)

- **ID:** `cloud/gcp-cloud-run-egress-connection-refused`
- **Domain:** cloud
- **Category:** network_error
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

Cloud Run in serverless mode cannot directly reach resources on a VPC network; a Serverless VPC Access connector is required to route traffic to private IP endpoints such as Cloud SQL.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Cloud Run (fully managed) gcloud 474.0.0 | active | — | — |
| Cloud SQL for MySQL 8.0 | active | — | — |
| gcloud CLI 474.0.0 | active | — | — |

## Solution

1. Create a Serverless VPC Access connector in the same VPC and region as Cloud SQL, then attach it to the Cloud Run service:

   ```
   gcloud compute networks vpc-access connectors create my-connector --region=us-central1 --network=default --range=10.8.0.0/28
   gcloud run deploy my-service --vpc-connector my-connector
   ```
2. Alternatively, run the Cloud SQL Auth Proxy as a sidecar in Cloud Run by building a custom container that runs both the proxy and your app, and connect via the Unix socket at `/cloudsql/INSTANCE_CONNECTION_NAME`.
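
A pre-deployment check for the connector fix above, as an added example (not part of the original entry or of any Google tooling). It assumes the input is the JSON printed by `gcloud run services describe my-service --format=json`; `check_db_path`, `sample_service` and the finding codes are hypothetical names, and the sample service descriptions are constructed. It also flags a connector whose region differs from the service's, since a connector must be in the same region as the Cloud Run service that uses it.

```python
import ipaddress
import json
import re

# Annotation and label as they appear in the Knative-style service JSON.
CONNECTOR = "run.googleapis.com/vpc-access-connector"
REGION_LABEL = "cloud.googleapis.com/location"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_db_path(service_json, db_ip):
    """Return finding codes for reaching db_ip from the described service."""
    svc = json.loads(service_json)
    ann = svc["spec"]["template"]["metadata"].get("annotations", {})
    region = svc["metadata"].get("labels", {}).get(REGION_LABEL)
    addr = ipaddress.ip_address(db_ip)
    if not any(addr in net for net in RFC1918):
        # Database addressed over a public IP: the exposure this page calls insecure.
        return ["public-ip"]
    connector = ann.get(CONNECTOR)
    if not connector:
        # Private IP target but no connector: the failure this page describes.
        return ["no-connector"]
    # A connector may be given by name or as projects/P/locations/R/connectors/N.
    m = re.search(r"/locations/([^/]+)/connectors/", connector)
    if m and region and m.group(1) != region:
        return ["region-mismatch"]
    return []


def sample_service(region, connector=None):
    """Constructed (not captured) service description for the demo."""
    ann = {CONNECTOR: connector} if connector else {}
    return json.dumps({
        "metadata": {"name": "my-service", "labels": {REGION_LABEL: region}},
        "spec": {"template": {"metadata": {"annotations": ann}}},
    })


if __name__ == "__main__":
    print(check_db_path(sample_service("us-central1"), "10.0.0.4"))
    print(check_db_path(sample_service("us-central1", "my-connector"), "10.0.0.4"))
```

An empty list means the service has a connector attached for a private IP target; it does not prove the connector's VPC can actually route to the database.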

## Attempts that do not work

- Adding a public IP to Cloud SQL and allowing 0.0.0.0/0 is insecure and often blocked by organizational policy; it also doesn't resolve the VPC routing issue. (95% failure rate)
- Simply adding the Cloud SQL connection string to the Cloud Run environment variable does not create the network path; it only configures the client. (90% failure rate)
- Enabling 'Direct VPC Egress' on Cloud Run without a connector still doesn't route to private IPs; it only allows outbound traffic to the internet through the VPC. (70% failure rate)
