GCP Guide

This guide covers using Isolate with Google Cloud Platform resources. Isolate integrates deeply with GCP services to provide secure, audited access to CloudSQL databases, AlloyDB clusters, and GKE clusters.

Overview

Isolate on GCP leverages native Google Cloud services for authentication, networking, and infrastructure provisioning. All database instances are provisioned with private IPs in your VPC, accessible through Identity-Aware Proxy (IAP) tunnels for secure connectivity.

GCP Integration Features

  • CloudSQL Instances: PostgreSQL databases provisioned from production backups
  • AlloyDB Clusters: High-performance PostgreSQL-compatible database service
  • GKE Cluster Access: Audited kubectl access with session recording
  • Identity-Aware Proxy: Zero-trust network access without VPNs
  • Private Service Access: Secure database connections through private IPs
  • BigQuery Audit: All SQL queries and K8s commands logged for compliance

CloudSQL Instances

Creating from Backups

Database instances are created from pg_dump backups stored in Google Cloud Storage. When you create an instance:

  1. Select a backup source from the available GCS buckets
  2. Choose databases to restore from that backup
  3. Set TTL (time-to-live) for automatic cleanup (default: 24h, max: 72h)
  4. Select tier based on your performance needs (db-f1-micro to db-custom-16-104448)

Provisioning typically takes 5-10 minutes. The instance progresses through the states: pending → provisioning → restoring → ready

Snapshots

Create point-in-time snapshots using CloudSQL's on-demand backup feature. Snapshots are useful for:

  • Saving your work before making risky changes
  • Creating checkpoints during development
  • Quick rollbacks if something goes wrong

To create a snapshot, go to your instance details page and click Create Snapshot. Snapshots typically complete within 2-3 minutes and can be restored instantly.

Refresh Options

The refresh feature allows you to re-import the original backup without reprovisioning the CloudSQL instance. This is useful when you want to start fresh with the original data. You can choose:

  • Environment: Which backup environment to restore from
  • Service: Specific service's database to refresh
  • Mode: Full reset (drops all databases and recreates)

GKE Cluster Access

K8s Proxy

All Kubernetes access goes through an auditing proxy that logs every API call and records TTY sessions. The architecture looks like:

kubectl → IAP Tunnel → K8s Proxy VM → GKE Cluster

To connect to a cluster:

  1. Run isolate k8s clusters to see available clusters
  2. Run isolate k8s connect <cluster-name>
  3. Export the generated kubeconfig: export KUBECONFIG=~/.isolate/kubeconfig-<cluster-name>.yaml
  4. Use kubectl normally: kubectl get pods

Session Recording

All kubectl exec sessions are recorded as asciinema v2 files and stored in Google Cloud Storage. You can view recordings in the web UI at /k8s/recordings. Sessions expire after 1 hour and require reconnection.

Connectivity

Identity-Aware Proxy (IAP) Tunneling

IAP provides secure access to your databases and proxy VMs without exposing them to the public internet. The CLI automatically sets up IAP tunnels when you connect to instances:

gcloud compute start-iap-tunnel isolate-proxy 5432 \
  --local-host-port=localhost:5432 \
  --zone=us-central1-a

Prerequisites for IAP tunneling:

  • gcloud CLI installed and authenticated
  • Your account has iap.tunnelInstances.accessViaIAP permission
  • The target VM has enable-oslogin metadata enabled

Cloud SQL Proxy

While Isolate's auditing proxy is recommended, you can also use the official Cloud SQL Proxy for direct connections. However, this bypasses audit logging:

cloud_sql_proxy -instances=PROJECT:REGION:INSTANCE=tcp:5432

Direct psql Connection

After establishing a tunnel, connect with any PostgreSQL client:

# Via Isolate's auditing proxy (recommended)
isolate connect <instance-id>
psql -h localhost -p 5432 -U isolate -d mydb

# Or direct connection (no audit logging)
psql "sslmode=require host=<private-ip> user=isolate dbname=mydb"
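The IAP tunnel and psql steps above, combined into one script as an added example (not Isolate's or Google's own code): it refuses to run without an authenticated gcloud, opens the tunnel to the proxy VM, waits for the local port with pg_isready, connects with sslmode=require, and closes the tunnel on exit. The VM name, zone and isolate user come from this guide; PROJECT, the database name and the --project flag are assumptions.

```shell
# Added example: IAP tunnel + psql with required TLS and guaranteed cleanup.
# VM name, zone and DB user are the guide's; PROJECT and DB are placeholders.
set -eu
PROJECT="${PROJECT:-my-gcp-project}"   # placeholder, assumed
ZONE="${ZONE:-us-central1-a}"
VM="${VM:-isolate-proxy}"
DB="${DB:-mydb}"
LOCAL_PORT="${LOCAL_PORT:-5432}"

# A TCP port is an integer in 1..65535; reject anything else before use.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the tunnel command as a string so it can be logged or reviewed first.
tunnel_cmd() {
  printf 'gcloud compute start-iap-tunnel %s 5432 --local-host-port=localhost:%s --zone=%s --project=%s' \
    "$1" "$2" "$3" "$4"
}

# IAP authorizes the caller's identity, so refuse to run without an active login.
check_prereqs() {
  command -v gcloud >/dev/null || { echo "gcloud CLI not installed" >&2; return 1; }
  acct=$(gcloud auth list --filter=status:ACTIVE --format='value(account)')
  [ -n "$acct" ] || { echo "no active account; run: gcloud auth login" >&2; return 1; }
  echo "using account $acct"
}

# Poll with pg_isready (ships with psql) until the tunnel accepts connections.
wait_for_port() {
  tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    pg_isready -h localhost -p "$1" -q && return 0
    sleep 1; tries=$((tries - 1))
  done
  echo "tunnel on port $1 did not come up" >&2; return 1
}

main() {
  valid_port "$LOCAL_PORT" || { echo "bad LOCAL_PORT: $LOCAL_PORT" >&2; exit 1; }
  check_prereqs
  $(tunnel_cmd "$VM" "$LOCAL_PORT" "$ZONE" "$PROJECT") &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null || true' EXIT   # never leave a tunnel open
  wait_for_port "$LOCAL_PORT"
  # sslmode=require: refuse a plaintext session even inside the tunnel
  psql "sslmode=require host=localhost port=$LOCAL_PORT user=isolate dbname=$DB"
}
```

Set PROJECT and DB in the environment and call main to run it; the direct path still bypasses Isolate's audit log, so prefer isolate connect where auditing is required.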

Troubleshooting

Instance Stuck in Provisioning

If an instance is stuck in the provisioning state for more than 15 minutes:

  1. Check the provisioning logs on the instance details page
  2. Verify the Pulumi stack state in Cloud Console
  3. Check CloudSQL quotas in your project
  4. Contact a DevOps team member if the issue persists

IAP Tunnel Failures

If IAP tunneling fails with permission errors:

  • Ensure you're authenticated: gcloud auth login
  • Verify IAP permissions: gcloud projects get-iam-policy PROJECT-ID
  • Check if the proxy VM is running: gcloud compute instances list
  • Verify firewall rules allow IAP traffic (130.211.0.0/22, 35.235.240.0/20)

Database Connection Issues

Common database connectivity problems and solutions:

  • Connection timeout: Check if Private Service Access is configured correctly
  • SSL errors: Use sslmode=require in your connection string
  • Authentication failed: Copy connection details from the instance page
  • Database not found: Verify the database was included in the original backup

GKE Access Issues

If kubectl commands fail or hang:

  • Check if your K8s session has expired (1-hour limit)
  • Verify the GKE cluster is in "Running" state
  • Ensure your Google account has GKE access permissions
  • Try reconnecting: isolate k8s connect <cluster-name>

Quota and Billing Issues

CloudSQL and GKE have various quotas that may impact provisioning:

  • CloudSQL instances per project: Default 100, can be increased
  • Persistent disk SSD storage: Regional quotas apply
  • CPU cores: Regional quotas for CloudSQL and GKE
  • IP addresses: VPC has limited private IP ranges

Check quotas in the GCP Console and request increases if needed.