I need encryption between Google App Engine Flexible and CloudSQL when both are connected to the same VPC and only using private IPs.
After reading the Google documentation I don't have a clear picture of whether I have to enable encryption in CloudSQL and use certificates through Cert Manager, or whether the traffic is already encrypted by default inside the VPC.
Every bit of info is appreciated :)
CodePudding user response:
[EDIT: The question was edited after my original answer to specify App Engine Flexible instead of App Engine. I am leaving the details on Standard and adding details on Flexible]
For Cloud SQL Public IP access, Google App Engine Standard and Flexible implement the Cloud SQL Auth Proxy. Data is encrypted.
App Engine Standard: For Cloud SQL Private IP access, data is transferred entirely within Google's network using Serverless VPC Access. I do not know if Serverless VPC Access is encrypted.
App Engine Flexible: For Cloud SQL Private IP access, both the App Engine instance and the Cloud SQL instance must be in the same VPC network. Both services run on managed VMs. All VM to VM traffic is encrypted.
For public IP paths, App Engine Standard environment provides encryption and connects using the Cloud SQL Auth proxy through Unix sockets.
For private IP paths, your application will connect directly to your instance through Serverless VPC Access. This method uses TCP to connect directly to the Cloud SQL instance without using the Cloud SQL Auth proxy.
Reference:
App Engine Standard: Connect to Cloud SQL
For public IP paths, App Engine flexible environment provides encryption and connects using the Cloud SQL Auth proxy through Unix sockets.
Reference:
App Engine Flexible: Connect to Cloud SQL
All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted.
Reference: