google-app-engine google-cloud-sql unix-socket

Does traffic from App Engine to Cloud SQL travel over the internet or on Google's internal network?


We have this discussion in our office and cannot come to a conclusion. So I am reaching out here for some advice.

We have a Google Cloud SQL instance running with no public IP. Google App Engine apps from different App Engine projects connect to this single Cloud SQL instance by authorizing their service account.

There is no VPC set up between the projects. The apps are on the Google App Engine standard environment. The instance's private IP is not used in the app projects.

The connections between the projects are made using the tutorial found here

https://cloud.google.com/sql/docs/mysql/connect-app-engine

creating a connection string as

mysql+pymysql://<db_user>:<db_pass>@/<db_name>?unix_socket=/cloudsql/<cloud_sql_instance_name>

The question is how does the traffic flow from other App Engine projects to this Cloud SQL instance?

Does the connect handshake go via the internet (i.e. outside Google's network), or does Google handle the traffic and route it internally without the request ever going to the internet?

It would be a great help if anyone can help answer these questions.


Solution

  • The answer to this actually varies depending on which version of App Engine you are using.

    On older versions of App Engine Standard, the /cloudsql/ unix socket connected over an internal network directly to your instance.

    On more recent versions of App Engine Standard, it uses a version of the Cloud SQL proxy to authenticate your connection to the instance via its public IP. This is why the Connecting from App Engine page states your Cloud SQL instance must have a public IP.