talipini

Reputation: 183

Cloud SQL access from AI Platform job

Google has nice ways to connect to Cloud SQL from other Google services, but I cannot see how to connect from AI Platform jobs. As part of our training job, we need to update our Cloud SQL DB with metrics, but the only way I could get it to work is by whitelisting all IPs (don't want that!) in Cloud SQL and connecting via the public IP. I don't see an option to add cloud-sql-proxy to the trainer instance. Since the IP of the trainer instance is dynamic, we cannot reliably add a specific IP address to the whitelist. Any other ways to handle this?

Upvotes: 1

Views: 175

Answers (2)

kurtisvg

Reputation: 3565

It looks like AI Platform supports VPC peering, so you should be able to connect to Cloud SQL using private IP.

Since Cloud SQL also uses VPC peering, you'll likely need to do the following to get the resources to connect:

  1. Create a VPC to share (or use the "default" VPC)
  2. Follow the steps here to set up VPC peering for AI Platform in your VPC.
  3. Follow the steps here to set up a private IP for your instance in your VPC.
  4. Since the resources are technically in different networks, you may need to export custom routes (Step #2) to allow AI Platform access to your Cloud SQL instance.

As an alternative to using private IP, you could keep using public IP with an IP allowlist coupled with Authorizing with SSL/TLS certificates. This still isn't as secure as using the proxy or private IP (as users are technically able to connect to your instance), but they'll be unable to interact with the database engine without the correct certificates.

Upvotes: 1
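
A trainer-side guard for the two paths this answer describes, as an added example that is not part of the original answer: it only builds connection settings when the host is a private address on the peered VPC or a full client certificate set is supplied. It assumes a PostgreSQL instance (libpq parameter names, usable as `psycopg2.connect(**params)`) and private addresses in RFC 1918 ranges; the function names, database name and file paths are hypothetical.

```python
import ipaddress

# Assumption: the peered range allocated for Cloud SQL is an RFC 1918 range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CERT_KEYS = ("sslrootcert", "sslcert", "sslkey")  # server CA, client cert, client key


def is_private_ip(host):
    """True only for a literal RFC 1918 IPv4 address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are rejected: we cannot tell where they resolve
    return addr.version == 4 and any(addr in net for net in RFC1918)


def build_conn_params(host, dbname, user, password, certs=None):
    """Return libpq parameters for the metrics writer, or raise if the path is unsafe.

    certs: optional dict mapping each name in CERT_KEYS to a file path.
    """
    params = {"host": host, "port": 5432, "dbname": dbname, "user": user,
              "password": password, "connect_timeout": 10}
    if certs:
        missing = [k for k in CERT_KEYS if not certs.get(k)]
        if missing:
            raise ValueError("incomplete client certificate set: %s" % missing)
        # verify-ca: refuse a server whose certificate is not signed by the instance CA.
        params["sslmode"] = "verify-ca"
        params.update({k: certs[k] for k in CERT_KEYS})
    elif is_private_ip(host):
        # Peered-VPC path: no public exposure, but still encrypt the session.
        params["sslmode"] = "require"
    else:
        # Public IP plus allowlist alone is the setup the question wants to avoid.
        raise ValueError("host %r is not private; client certificates required" % host)
    return params
```
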

David Brown

Reputation: 133

Can you publish a Pub/Sub message from within your training job and have it trigger a Cloud Function that connects to the database? AI Platform training seems to have IAM restrictions that I too am curious how to control.

Upvotes: 0
