Cloud SQL for PostgreSQL

Recommendation
Updated
Moved
TRIAL
2022-04-25

What is it

Cloud SQL for PostgreSQL is a fully managed database service that sets up, maintains, and administers PostgreSQL relational databases for you on Google Cloud Platform.

PostgreSQL, also known as Postgres, is a free and open-source relational database management system (RDBMS).

Why we use it

We use it as an alternative to Cloud Spanner where multi-region scale is not required and where we do not want to operate a PostgreSQL database ourselves.

When to use it

When a relational database is needed, when a document store is needed (PostgreSQL's JSONB type covers many NoSQL use cases), or when geospatial support is needed, for which there is the excellent PostGIS extension.

How to learn it

Read the Google Cloud documentation on how to get started with a managed instance, see the quick start.

The official PostgreSQL web page also has very good documentation, see the documentation or the tutorial.

How to secure it

Here are the basic steps for running Cloud SQL securely:

  1. Enforce SSL/TLS for incoming Cloud SQL connections. This can be done with the following Terraform snippet:

    resource "google_sql_database_instance" "main" {
      name             = "main-instance"
      database_version = "POSTGRES_14"
      region           = "us-central1"

      settings {
        tier = "db-f1-micro"
        ip_configuration {
          require_ssl = true
        }
      }
    }

    As of the provider versions current when this page was written, require_ssl = true also makes direct (non-proxy) clients present a client certificate issued by the instance; the Cloud SQL proxy handles that for you. Newer versions of the google provider deprecate require_ssl in favour of ssl_mode, which distinguishes encryption only (ENCRYPTED_ONLY) from encryption plus a trusted client certificate (TRUSTED_CLIENT_CERTIFICATE_REQUIRED). Other ways to configure this option are described here.

  2. Use the Cloud SQL Auth proxy to reach the instance; any one of the following is enough:

    • Follow this guide on how to set up the Cloud SQL proxy.

    • For Cloud Run based services, follow this guide instead.

    • Use a language-specific connector library with built-in proxy support (Go, Python), which gives you the same IAM-authenticated TLS connection without running the proxy as a separate process.

  3. Avoid publicly accessible Cloud SQL database instances:

    • The Cloud SQL proxy works with either a public or a private IP. With a public IP (the default), the proxy connects to the instance on port 3307 using a short-lived client certificate obtained through the Cloud SQL Admin API, so the instance does not need 0.0.0.0/0, or any entry at all, in its authorized networks. With private IP only, run the proxy from inside the VPC (or a peered network).

    • Some static analysis security scanners for Terraform code (e.g. https://aquasecurity.github.io/tfsec/) will flag a public IP with an alert like this one.

    • A public IP is acceptable as long as the instance is not exposed through broad “authorized” networks; when all access goes through the proxy, the list can stay empty.

    • Never put 0.0.0.0/0 in authorized networks: that exposes the PostgreSQL port to the whole internet, guarded only by database passwords.

    • See this guide for details on how to configure this option.
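Putting the three steps together, the following is an added example (not from the original page or from Google's own documentation) of an instance that is reachable only over a private IP, accepts TLS connections only, and has a dedicated service account that the proxy or connector runs as. The project id, the VPC name, the service account name, the backup and logging settings, and the commented-out 203.0.113.10/32 address are assumptions for illustration.

```hcl
variable "project_id" {
  type = string # assumed: the project that hosts the instance
}

# A VPC plus a reserved range peered to Google's service network so the
# instance gets a private IP; the application (or the proxy) connects
# from inside this network.
resource "google_compute_network" "vpc" {
  name = "db-vpc" # assumed name
}

resource "google_compute_global_address" "sql_private_range" {
  name          = "cloudsql-private-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.vpc.id
}

resource "google_service_networking_connection" "sql_peering" {
  network                 = google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.sql_private_range.name]
}

resource "google_sql_database_instance" "main" {
  name                = "main-instance"
  database_version    = "POSTGRES_14"
  region              = "us-central1"
  deletion_protection = true
  depends_on          = [google_service_networking_connection.sql_peering]

  settings {
    tier = "db-f1-micro"

    ip_configuration {
      # Step 3: no public IP at all, so there is nothing to list in
      # authorized_networks and scanners such as tfsec stay quiet.
      ipv4_enabled    = false
      private_network = google_compute_network.vpc.id

      # Step 1: TLS only. Newer provider versions replace this with
      # ssl_mode = "ENCRYPTED_ONLY" or "TRUSTED_CLIENT_CERTIFICATE_REQUIRED".
      require_ssl = true

      # If a public IP is unavoidable, set ipv4_enabled = true and list
      # specific sources only; never 0.0.0.0/0.
      # authorized_networks {
      #   name  = "office-egress"
      #   value = "203.0.113.10/32" # constructed example address
      # }
    }

    backup_configuration {
      enabled                        = true
      point_in_time_recovery_enabled = true
    }

    # Log every connection so access can be audited later.
    database_flags {
      name  = "log_connections"
      value = "on"
    }
  }
}

# Step 2: the identity the Cloud SQL proxy or connector runs as. It only
# needs roles/cloudsql.client; database logins are authenticated separately.
resource "google_service_account" "app" {
  account_id   = "app-sql-client" # assumed name
  display_name = "Application Cloud SQL client"
}

resource "google_project_iam_member" "app_sql_client" {
  project = var.project_id
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${google_service_account.app.email}"
}
```

With the instance on a private IP only, the proxy has to run inside the VPC and be told to use that address: with the v2 binary that is cloud-sql-proxy --private-ip PROJECT:us-central1:main-instance, with the v1 binary it is the -ip_address_types=PRIVATE flag, in both cases authenticating as the service account above. The IAM role lets the proxy open the TLS tunnel; the PostgreSQL user and password (or IAM database authentication) still gate what the connection can do once inside.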