This page describes how to create a Cloud SQL for MySQL instance.
For detailed information about all instance settings, see
Instance settings.
A newly-created instance has four system databases:
information_schema: Provides access to database metadata, information about the MySQL server.
mysql: The system schema. It contains tables that store information required by the MySQL server as it runs.
performance_schema: A feature for monitoring MySQL Server execution at a low level.
sys: Contains a set of objects that helps DBAs and developers interpret data collected by the performance schema.
The maximum number of instances you can have in a single project depends on the
network architecture
of those instances:
New SQL network architecture: You can have up to 1000 instances per project.
Old SQL network architecture: You can have up to 100 instances per project.
Using both architectures: Your limit will be somewhere between 100 and 1000,
depending on the distribution of your instances across the two architectures.
File a support case
to request an increase. Read replicas are counted as instances.
Before you begin
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
Roles required to select or create a project
Select a project: Selecting a project doesn't require a specific
IAM role—you can select any project that you've been
granted a role on.
Create a project: To create a project, you need the Project Creator role
(roles/resourcemanager.projectCreator), which contains the
resourcemanager.projects.create permission. Learn how to grant
roles.
To initialize the gcloud CLI, run the following command:
gcloud init
On the Choose your database engine panel of the
Create an instance page, click Choose MySQL.
In the Choose a Cloud SQL edition section of the
Create a SQL Server instance page, select the Cloud SQL
edition for your instance: Enterprise or
Enterprise Plus.
Select the edition preset for your instance. To see the available
presets, click the Edition preset menu.
In the Instance info section, select the database version for your
instance. To see the available versions, click the Database version
menu.
If you select MySQL 8.0 and MySQL 8.0.35 or later
for the Minor version, then the
Enable automatic minor version upgrade
checkbox is automatically selected for your instance. If you don't
want to enable automatic version upgrade, then clear the checkbox.
If you select MySQL 8.0 and MySQL 8.0.34 or earlier for the
Minor version, then the Enable automatic minor version upgrade
checkbox isn't available.
The database version can't be edited after the instance has been
created.
In the Instance ID field of the Instance info pane, enter
an ID for your instance.
You do not need to include the project ID in the instance name. This is done automatically where
appropriate (for example, in the log files).
Set a password for the root user.
Although there's an option to set No password, this isn't
recommended for security reasons.
To see the password in clear text, click the Show password icon.
You can either enter the password manually or click Generate
to have Cloud SQL create a password for you automatically.
Optional: Configure a password policy for the instance as follows:
Select the Enable password policies checkbox.
Click the Set password policy button, set one or more of
the following options, and click Save.
Minimum length: Specifies the minimum number of characters that
the password must have.
Password complexity: Checks if the password is a
combination of lowercase, uppercase, numeric, and non-alphanumeric
characters.
Restrict password reuse: Specifies the number of previous
passwords that you can't reuse.
Supported only on Cloud SQL for MySQL 8.0 and later.
Disallow username: Prevents the use of the username in the password.
In the Choose region and zonal availability section, select the
region and zone for your instance. Region availability might be different
based on your Cloud SQL for MySQL edition. For more information, see
About instance settings.
Place your instance in the same region as the resources that
access it. The region you select can't be modified in the future. In most
cases, you don't need to specify a zone.
If you are configuring your instance for
high availability,
you can select both a primary and secondary zone.
The following conditions apply when the secondary zone is used during
instance creation:
The zones default to Any for the primary zone and
Any (different from primary) for the secondary zone.
If both the primary and secondary zones are specified, they must
be distinct zones.
In the Customize your instance section, update the settings for your
instance.
Click Show configuration option to display the groups
of settings. Then, expand the groups you want to review and customize settings.
A Summary of all the options you select is shown on the right.
Customizing these instance settings is optional. Defaults are assigned in
every case where no customizations are made.
The following table is a quick reference to instance settings. For more
details about each setting, see the
instance settings
page.
Setting
Notes
Machine type
Machine type
Select from Shared core or Dedicated core. For Shared core, each machine type
is classified by the number of CPUs
(cores) and amount of memory for your instance.
Cores
The number of vCPUs for your instance.
Learn more.
Memory
The amount of memory for your instance, in GBs.
Learn more.
Custom
For the Dedicated core machine type, instead of selecting a predefined configuration,
select the Custom button to create an instance with
a custom configuration. When you select
this option, you need to select the number of cores and amount of memory for your instance.
Learn more.
Data cache
Enable data cache
By default, the option to enable data cache is
selected automatically for Cloud SQL for MySQL Enterprise Plus edition instances.
If you don't want to enable data cache, then clear
the Enable data cache checkbox.
For more information about data cache,
see data cache.
Storage
Storage type
Determines whether your instance uses SSD or HDD storage.
Learn more.
Storage capacity
The amount of storage provisioned for the instance.
Learn more.
Enable automatic storage increases
Determines whether Cloud SQL automatically provides more storage
for your instance when free space runs low.
Learn more.
Encryption
Google-managed encryption
The default option.
Customer-managed encryption key (CMEK)
Select
to use your key with Google Cloud Key Management Service. Learn more.
Connections
Private IP
Adds a private IP address for your instance. To enable connecting to the instance,
additional configuration is required.
Optionally, you can specify an allocated IP range for your instances to use for connections.
Expand Show allocated IP range option.
Select an IP range from the drop-down menu.
Your instance can have both a public and a private IP address.
Add the name for the new network and the Network address.
Learn more.
Allow Data API
By selecting this checkbox, you let authorized users call the
Data API
to execute SQL statements on the instance. For instances with Private IP only,
this allows authorized users to call the Data API from the public internet.
Enable private path
By selecting this checkbox, you let other Google Cloud services, such as
BigQuery, access data in Cloud SQL and make queries against this data over
a private connection.
Enable Managed Connection Pooling
By selecting this checkbox, you enable Managed Connection Pooling for your instance. Managed Connection Pooling
lets you scale your workloads by optimizing resource utilization and connection latency
for your Cloud SQL instances using pooling and multiplexing. For more
information about Managed Connection Pooling, see
Managed Connection Pooling overview.
Security
Server certificate authority mode
Choose the type of certificate authority (CA) that signs the server certificate for
this Cloud SQL instance.
Learn more.
By default, when you create an instance in Google Cloud console, the instance uses the Google managed
internal certificate authority (GOOGLE_MANAGED_INTERNAL_CA), which is the per-instance CA option.
Automatic server certificate rotation
If you select either the Google-managed CAS certificate authority (CA)
(GOOGLE_MANAGED_CAS_CA) or the
customer-managed CAS internal certificate authority (CUSTOMER_MANAGED_CAS_CA)
option as the server CA mode for the instance, then you can choose whether to rotate the
server certificate for the instance automatically.
For more information about rotating Cloud SQL server certificates automatically,
see
Enable automatic server certificate rotation.
The window of time when you would like backups to start.
Learn more.
Choose where to store your backups
Select Multi-region for most use cases. If you
need to store backups in a specific region, for example, if there are regulatory reasons to do
so, select Region and select your region from the Location drop-down menu.
Choose how many automated backups to store
The number of automated backups you
would like to retain (from 1 to 365 days).
Learn more.
Enable point-in-time recovery
Enables point-in-time recovery and write-ahead logging.
Learn more.
Enable deletion protection
Determines whether to protect an instance against accidental deletion.
Learn more.
Enable retained backups after instance deletion
Determines whether automated and on-demand backups are retained after an instance is deleted.
Learn more.
Choose how many days of logs to retain
Configure write-ahead log retention from 1 to 7 days. The default setting is 7 days.
Learn more.
Maintenance
Preferred window
Determines a one-hour window when Cloud SQL can perform disruptive
maintenance on your instance. If you do not set the window, then
disruptive maintenance can be done at any time.
Learn more.
Order of updates
Your preferred timing for instance updates, relative to other
instances in the same project.
Learn more.
Flags
ADD FLAG
You can use database flags to control settings and parameters for
your instance.
Learn more.
Labels
ADD LABEL
Add a key and value for each label that you add. You use labels to help
organize your instances.
Don't include sensitive or personally identifiable information
in your instance name; it is externally visible.
You do not need to include the project ID in the instance name. This is done automatically where
appropriate (for example, in the log files).
If you are creating an instance for
high availability, you
can specify both the primary and secondary zones, using the --zone
and --secondary-zone parameters. The following conditions
apply when the secondary zone is used during instance creation or edit:
The zones must be valid zones.
If the secondary zone is specified, the primary must also be specified.
If the primary and secondary zones are specified, they must be distinct
zones.
If the primary and secondary zones are specified, they must belong to
the same region.
You can add more parameters
to determine other instance settings:
Enables the password policy when used. By default, the password policy
is disabled. When disabled using the --clear-password-policy
parameter, the other password policy parameters are reset.
Minimum length
--password-policy-min-length
Specifies the minimum number of characters that the password must have.
Password complexity
--password-policy-complexity
Enables the password complexity check to ensure that the password
contains one of each of these types of characters: lowercase, uppercase,
numeric, and non-alphanumeric. Set the value to
COMPLEXITY_DEFAULT.
Restrict password reuse
--password-policy-reuse-interval
Specifies the number of previous passwords that you can't reuse.
Supported only on Cloud SQL for MySQL 8.0 and
later.
Disallow username
--password-policy-disallow-username-substring
Prevents the use of the username in the password. Use
the --no-password-policy-disallow-username-substring
parameter to disable the check.
Connectivity
Managed Connection Pooling
--enable-connection-pooling
Enables Managed Connection Pooling
in the new instance. You can configure advanced Managed Connection Pooling
settings after your instance is created.
Note: This feature is only available for Cloud SQL Enterprise Plus edition
instances that are configured to meet Managed Connection Pooling
requirements.
Private IP
--network
--no-assign-ip (optional)
--allocated-ip-range-name (optional)
--enable-google-private-path (optional)
--network: Specifies the name of the VPC network you want
to use for this instance. Private services access must already be
configured for the network. Available only for the beta command
(gcloud beta sql instances create).
--no-assign-ip: Instance will only have a private IP
address.
--allocated-ip-range-name: If specified, sets a range name
for which an IP range is allocated. For
example, google-managed-services-default. The range name
should comply with RFC-1035 and be within 1-63 characters.
(gcloud alpha sql instances create).
--enable-google-private-path: If you use this parameter,
then you allow other Google Cloud services, such as
BigQuery, to access data in Cloud SQL and make queries
against this data over a private connection.
This parameter is valid only if:
You use the --no-assign-ip parameter.
You use the --network parameter to specify the name
of the VPC network that you want to use to create a private connection.
Data API Access
--data-api-access
Controls connectivity to the instance using
Data API. It's
disallowed by default. Set the value to ALLOW_DATA_API to
let users use the Data API to connect to the instance. For instances
configured with a private IP address only, authorized users can call the Data API on
the instance from the public internet. Set the value to
DISALLOW_DATA_API to disallow using the Data API.
Public IP
--authorized-networks
For public IP connections, only connections from authorized networks
can connect to your instance.
Learn more.
SSL Enforcement
--ssl-mode
--require-ssl
The ssl-mode parameter sets the SSL/TLS enforcement mode
for connections. For more information, see
Settings for
Cloud SQL for MySQL.
The require-ssl parameter determines whether SSL
connections over IP are enforced
or not. require-ssl is a legacy parameter.
Use ssl-mode instead.
For more information, see IpConfiguration.
Server CA mode
--server-ca-mode
The --server-ca-mode flag configures the type of
server certificate
authority (CA) for an instance. You can select one of the following
options:
GOOGLE_MANAGED_INTERNAL_CA: this is the default value.
With this option, an internal CA dedicated to each Cloud SQL
instance signs the server certificate for that instance.
GOOGLE_MANAGED_CAS_CA:
with this option, a CA hierarchy consisting of a root CA and subordinate
server CAs managed by Cloud SQL and hosted on
Google Cloud Certificate Authority Service (CA Service) is used.
The subordinate server CAs in a region sign the server certificates and
are shared across instances in the region.
This option is supported only on MySQL 8.0.30 and later.
CUSTOMER_MANAGED_CAS_CA:
with this option, you define the CA hierarchy and manage the rotation of
the CA certificates. You create a CA pool in CA Service in the same region as your instance. One of the CAs in the pool is used to sign the server certificate.
This option is supported only on MySQL 8.0.30 and later.
For more information, see Use a customer-managed CA.
Automatic server certificate rotation
--server-certificate-rotation-mode
The --server-certificate-rotation-mode flag configures the type of
server certificate rotation mode of the instance. You can select one of the following
options:
NO_AUTOMATIC_ROTATION: this is the default value.
With this option, there is no automatic server certificate rotation.
Server certificates must be rotated manually.
AUTOMATIC_ROTATION_DURING_MAINTENANCE:
With this option, automatic server certificate rotation is enabled
during Cloud SQL scheduled maintenance or self-service maintenance updates.
Requires server_ca_mode to be
GOOGLE_MANAGED_CAS_CA or CUSTOMER_MANAGED_CAS_CA.
Enforce the use of the new network
architecture for the instance upon creation.
Using this flag when you create an instance before
that project has been fully upgraded to the new network
architecture can lead to IP address overconsumption or
a failure to create instances if there aren't
sufficient IP addresses remaining in the allocated IP
range.
For more information, see
Upgrade an instance to the new network architecture and Allocate an IP address range.
Machine type and storage
Machine type
--tier
Used to specify a shared-core instance
(db-f1-micro
or db-g1-small).
For a custom instance configuration, use the --cpu or
--memory parameters instead. See
Custom instance configuration.
Storage type
--storage-type
Determines whether your instance uses SSD or HDD storage.
Learn more.
Storage capacity
--storage-size
The amount of storage provisioned for the instance, in GB.
Learn more.
Automatic storage increase
--storage-auto-increase
Determines whether Cloud SQL automatically provides more storage
for your instance when free space runs low.
Learn more.
Automatic storage increase limit
--storage-auto-increase-limit
Determines how large Cloud SQL can automatically grow storage.
Available only for the beta command
(gcloud beta sql instances create).
Learn more.
Data cache (optional)
--enable-data-cache
Enables or deactivates the data cache for instances. For more
information, see
data cache.
Automatic backups and high availability
High availability
--availability-type
For a highly-available instance, set to REGIONAL.
Learn more.
Secondary zone
--secondary-zone
If you're creating an instance for
high availability,
you can specify both the primary and secondary zones using the
--zone and --secondary-zone parameters. The
following restrictions apply when the secondary zone is used during
instance creation or edit:
The zones must be valid zones.
If the secondary zone is specified, the primary must also be specified.
If the primary and secondary zones are specified, they must be distinct
zones.
If the primary and secondary zones are specified, they must belong to
the same region.
Automatic backups
--backup-start-time
The window of time when you would like backups to start.
Learn more.
Retention settings for automated backups
--retained-backups-count
The number of automated backups to retain.
Learn more.
Binary logging
--enable-bin-log
Binary logging enables replication and point-in-time recovery.
Learn more.
Retention settings for binary logging
--retained-transaction-log-days
The number of days to retain binary logs for point-in-time recovery.
Learn more.
Point-in-time recovery
--enable-point-in-time-recovery
Enables point-in-time recovery and write-ahead logging.
Learn more.
Determines a one-hour window when Cloud SQL can perform
disruptive maintenance on your instance. If you don't set the window,
then disruptive maintenance can be done at any time.
Learn more.
Maintenance timing
--maintenance-release-channel
Your preferred timing for instance updates, relative to other
instances in the same project. Use preview for earlier
updates, and production for later updates.
Learn more.
Automatic minor version upgrade
Enable automatic minor version upgrade
--enable-auto-upgrade-minor-version
For MySQL 8.0 instances for which you specify a minor version
of 8.0.35 or later (for example, --database-version=MYSQL_8_0_35),
this flag enables automatic minor version upgrades
to the default minor version of Cloud SQL for MySQL 8.0 during each
regular scheduled maintenance update.
If you create your instance without specifying a minor version (--database-version=MYSQL_8_0),
then automatic minor version upgrades are enabled for your instance by default.
Custom SAN
Add a custom subject alternative name (SAN)
--custom-subject-alternative-names=DNS_NAMES
If you want to use a custom DNS name to connect to a Cloud SQL instance instead of using an IP address, then configure the custom subject alternative name (SAN) setting while creating the instance. The custom DNS name that you insert into the custom SAN setting is added to the SAN field of the server certificate of the instance. This lets you use the custom DNS name with hostname validation securely.
Before you can use the custom DNS name in your clients and applications, you must set up the mapping between the DNS name and the IP address. This is known as DNS resolution. You can add a comma-separated list of up to three custom DNS names to the custom SAN setting.
Note the automatically assigned IP address.
If you are not using the Cloud SQL Auth Proxy, you will use this address as the
host address that your applications or tools use to connect to the
instance.
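The flag constraints stated in this section (secondary zone, private path, Data API access, server CA mode, certificate rotation, minor version upgrade, custom SAN) can be checked before a create command is run. The following Python preflight is an added example, not Google's code or part of the gcloud CLI; the check_create_flags helper, the REGION-LETTER zone naming it assumes, and the constructed command lines are illustrative.

```python
import re

CAS_MODES = {"GOOGLE_MANAGED_CAS_CA", "CUSTOMER_MANAGED_CAS_CA"}


def parse_flags(argv):
    """Map '--name=value' to {name: value}; a bare '--name' maps to ''."""
    flags = {}
    for arg in argv:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            flags[name] = value
    return flags


def minor_version(database_version):
    """MYSQL_8_0_35 -> (8, 0, 35); None when no minor version is pinned."""
    m = re.fullmatch(r"MYSQL_(\d+)_(\d+)_(\d+)", str(database_version or ""))
    return tuple(map(int, m.groups())) if m else None


def region_of(zone):
    """Assumption: zones are named REGION-LETTER, for example us-central1-a."""
    return zone.rsplit("-", 1)[0]


def check_create_flags(argv):
    """Return a list of findings; an empty list means no rule was violated."""
    f = parse_flags(argv)
    findings = []

    # High availability: rules for --zone and --secondary-zone.
    zone, secondary = f.get("zone"), f.get("secondary-zone")
    if secondary:
        if not zone:
            findings.append("--secondary-zone requires --zone")
        elif zone == secondary:
            findings.append("primary and secondary zones must be distinct")
        elif region_of(zone) != region_of(secondary):
            findings.append("primary and secondary zones must be in the same region")

    # Private path is valid only together with --no-assign-ip and --network.
    if "enable-google-private-path" in f:
        for needed in ("no-assign-ip", "network"):
            if needed not in f:
                findings.append(f"--enable-google-private-path requires --{needed}")

    # A private-IP-only instance becomes callable from the public internet.
    if f.get("data-api-access") == "ALLOW_DATA_API" and "no-assign-ip" in f:
        findings.append("ALLOW_DATA_API lets authorized users reach a "
                        "private-IP-only instance from the public internet")

    # Server CA mode, rotation mode and the MySQL version they depend on.
    ca_mode = f.get("server-ca-mode") or "GOOGLE_MANAGED_INTERNAL_CA"
    version = minor_version(f.get("database-version"))
    if ca_mode in CAS_MODES and version and version < (8, 0, 30):
        findings.append(f"{ca_mode} is supported only on MySQL 8.0.30 and later")
    rotation = f.get("server-certificate-rotation-mode")
    if rotation == "AUTOMATIC_ROTATION_DURING_MAINTENANCE" and ca_mode not in CAS_MODES:
        findings.append("automatic rotation requires a CAS server CA mode")

    if "enable-auto-upgrade-minor-version" in f and version and version <= (8, 0, 34):
        findings.append("automatic minor version upgrade needs MySQL 8.0.35 or later")

    # --require-ssl is the legacy parameter; the page says to use --ssl-mode.
    if "require-ssl" in f and "ssl-mode" not in f:
        findings.append("--require-ssl is legacy; use --ssl-mode instead")

    sans = f.get("custom-subject-alternative-names", "")
    if sans and len(sans.split(",")) > 3:
        findings.append("at most three custom DNS names are allowed")
    return findings


# Constructed command lines (instance and network names are placeholders).
BAD_ARGV = [
    "gcloud", "sql", "instances", "create", "INSTANCE_NAME",
    "--database-version=MYSQL_8_0_28",
    "--zone=us-central1-a", "--secondary-zone=us-east1-b",
    "--no-assign-ip", "--enable-google-private-path",
    "--server-ca-mode=GOOGLE_MANAGED_CAS_CA",
    "--server-certificate-rotation-mode=AUTOMATIC_ROTATION_DURING_MAINTENANCE",
    "--require-ssl",
]
GOOD_ARGV = [
    "gcloud", "beta", "sql", "instances", "create", "INSTANCE_NAME",
    "--database-version=MYSQL_8_0_37", "--availability-type=REGIONAL",
    "--zone=us-central1-a", "--secondary-zone=us-central1-b",
    "--network=NETWORK_NAME", "--no-assign-ip", "--enable-google-private-path",
    "--server-ca-mode=GOOGLE_MANAGED_CAS_CA",
    "--server-certificate-rotation-mode=AUTOMATIC_ROTATION_DURING_MAINTENANCE",
    "--ssl-mode=ENCRYPTED_ONLY", "--enable-auto-upgrade-minor-version",
]

if __name__ == "__main__":
    for line in check_create_flags(BAD_ARGV):
        print("FINDING:", line)
```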
resource "google_sql_database_instance" "mysql_pvp_instance_name" {
  name             = "mysql-pvp-instance-name"
  region           = "asia-northeast1"
  database_version = "MYSQL_8_0"
  # Sample value only. Supply the real root password from a variable or a
  # secret store instead of committing it to the configuration file.
  root_password = "abcABC123!"
  settings {
    tier = "db-f1-micro"
    password_validation_policy {
      min_length                  = 6
      complexity                  = "COMPLEXITY_DEFAULT"
      reuse_interval              = 2
      disallow_username_substring = true
      enable_password_policy      = true
    }
  }
  # Setting `deletion_protection` to true ensures that the instance cannot be accidentally deleted
  # through Terraform, whereas the `deletion_protection_enabled` flag protects the instance at the GCP level.
  deletion_protection = false
}
Apply the changes
To apply your Terraform configuration in a Google Cloud project, complete the steps in the
following sections.
Set the default Google Cloud project
where you want to apply your Terraform configurations.
You only need to run this command once per project, and you can run it in any directory.
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
Environment variables are overridden if you set explicit values in the Terraform
configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also
called a root module).
In Cloud Shell, create a directory and a new
file within that directory. The filename must have the
.tf extension—for example main.tf. In this
tutorial, the file is referred to as main.tf.
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
If you are following a tutorial, you can copy the sample code in each section or step.
Copy the sample code into the newly created main.tf.
Optionally, copy the code from GitHub. This is recommended
when the Terraform snippet is part of an end-to-end solution.
Review and modify the sample parameters to apply to your environment.
Save your changes.
Initialize Terraform. You only need to do this once per directory.
terraform init
Optionally, to use the latest Google provider version, include the -upgrade
option:
terraform init -upgrade
Apply the changes
Review the configuration and verify that the resources that Terraform is going to create or
update match your expectations:
terraform plan
Make corrections to the configuration as necessary.
Apply the Terraform configuration by running the following command and entering yes
at the prompt:
terraform apply
Wait until Terraform displays the "Apply complete!" message.
Open your Google Cloud project to view
the results. In the Google Cloud console, navigate to your resources in the UI to make sure
that Terraform has created or updated them.
Delete the changes
To delete your changes, do the following:
To disable deletion protection, in your Terraform configuration file set the
deletion_protection argument to false.
deletion_protection = "false"
Apply the updated Terraform configuration by running the following command and
entering yes at the prompt:
terraform apply
Remove resources previously applied with your Terraform configuration by running the following
command and entering yes at the prompt:
terraform destroy
REST v1
Create the instance
This example creates an instance. Some optional parameters, such as
backups and binary logging, are also included.
For a complete list of parameters for this call, see the
Instances:insert
page. For information about instance settings, including valid values for
region, see
Instance settings.
Don't include sensitive or personally identifiable information
in your instance ID; it is externally visible.
You do not need to include the project ID in the instance name. This is done automatically where
appropriate (for example, in the log files).
Before using any of the request data,
make the following replacements:
PROJECT_ID: your project ID
INSTANCE_ID: your instance ID
DATABASE_VERSION: the database version.
For example: MYSQL_8_4 or MYSQL_8_0_37. If
you don't specify a database version, the default database version is MYSQL_8_4.
REGION: the region
MACHINE_TYPE: your machine type
EDITION_TYPE: your Cloud SQL edition
DATA_CACHE_ENABLED: (optional) set to true to enable data cache for your instance
PRIVATE_NETWORK: specify the name of the Virtual Private Cloud (VPC) network that
you want to use for this instance. Private services access must already be configured for the
network.
AUTHORIZED_NETWORKS: For public IP connections, specify the connections from authorized
networks that can connect to your instance.
CA_MODE: specify a
certificate authority hierarchy
for the instance, either GOOGLE_MANAGED_INTERNAL_CA or GOOGLE_MANAGED_CAS_CA.
If you don't specify serverCaMode, then the default configuration is GOOGLE_MANAGED_INTERNAL_CA.
This feature is in Preview.
SERVER_CERTIFICATE_ROTATION_MODE: For automatic server certificate rotation for
your instance, specify AUTOMATIC_ROTATION_DURING_MAINTENANCE. If you don't specify
serverCertificateRotationMode, then the default configuration is
NO_AUTOMATIC_ROTATION.
DNS_NAMES: add a comma-separated list of up to three DNS names to the server certificate of your Cloud SQL instance. You can secure multiple DNS names with a single certificate. This feature is available in Preview and for CUSTOMER_MANAGED_CAS_CA instances only.
To set a password policy while creating an instance, include the passwordValidationPolicy object in the request.
Set the following parameters, as required:
enablePasswordPolicy: Enables the password policy when set to true.
To remove the password policy, you can use a PATCH
request with null as the value for enablePasswordPolicy.
In this case, the other password policy parameters are reset.
minLength: Specifies the minimum number of characters that
the password must have.
complexity: Checks if the password is a
combination of lowercase, uppercase, numeric, and non-alphanumeric
characters. The default value is COMPLEXITY_DEFAULT.
reuseInterval: Specifies the number of previous passwords that you can't reuse.
Supported only on Cloud SQL for MySQL 8.0 and later.
disallowUsernameSubstring: Prevents the use of the username in the password
when set to true.
You can use the sqlNetworkArchitecture field to enforce the use of the new network
architecture for the instance upon creation, even if the project isn't fully upgraded.
For more details about the new network architecture and its implications, see
Upgrade an instance to the new network architecture and Allocate an IP address range.
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances
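The password policy fields described above can be checked locally before the request is sent. The following Python check is an added example, not part of the API or of this page's samples; it assumes the request body carries rootPassword and settings.passwordValidationPolicy as in the Cloud SQL Admin API instance resource, treats the username match as case-insensitive, and uses constructed request bodies. Cloud SQL remains the authority on whether a password is accepted.

```python
def password_violations(password, username, policy):
    """Apply the policy checks the page describes to one candidate password.

    reuseInterval cannot be evaluated locally because it depends on the
    password history kept by the server.
    """
    if not policy.get("enablePasswordPolicy"):
        return []
    found = []
    min_length = policy.get("minLength") or 0
    if len(password) < min_length:
        found.append(f"password has {len(password)} characters, minLength is {min_length}")
    if policy.get("complexity") == "COMPLEXITY_DEFAULT":
        classes = {
            "lowercase": any(c.islower() for c in password),
            "uppercase": any(c.isupper() for c in password),
            "numeric": any(c.isdigit() for c in password),
            "non-alphanumeric": any(not c.isalnum() for c in password),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            found.append("password lacks: " + ", ".join(missing))
    # Assumption: the username comparison ignores case.
    if (policy.get("disallowUsernameSubstring") and username
            and username.lower() in password.lower()):
        found.append("password contains the username")
    return found


def audit_insert_body(body, username="root"):
    """Review the password-related parts of an instances.insert request body."""
    settings = body.get("settings") or {}
    policy = settings.get("passwordValidationPolicy") or {}
    password = body.get("rootPassword") or ""
    findings = []
    if not password:
        findings.append("no root password set")
    if not policy.get("enablePasswordPolicy"):
        findings.append("password policy is not enabled")
    version = str(body.get("databaseVersion", ""))
    if policy.get("reuseInterval") and version.startswith("MYSQL_5_"):
        findings.append("reuseInterval is supported only on MySQL 8.0 and later")
    if password:
        findings += password_violations(password, username, policy)
    return findings


# Constructed body using the values from this page's Terraform sample.
SAMPLE_BODY = {
    "databaseVersion": "MYSQL_8_0",
    "rootPassword": "abcABC123!",
    "settings": {"passwordValidationPolicy": {
        "enablePasswordPolicy": True, "minLength": 6,
        "complexity": "COMPLEXITY_DEFAULT", "reuseInterval": 2,
        "disallowUsernameSubstring": True}},
}
# Constructed body that breaks several of the rules at once.
WEAK_BODY = {
    "databaseVersion": "MYSQL_5_7",
    "rootPassword": "rootroot1",
    "settings": {"passwordValidationPolicy": {
        "enablePasswordPolicy": True, "minLength": 12,
        "complexity": "COMPLEXITY_DEFAULT", "reuseInterval": 2,
        "disallowUsernameSubstring": True}},
}

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_BODY), ("weak", WEAK_BODY)):
        print(name, audit_insert_body(body))
```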
This example creates an instance. Some optional parameters, such as
backups and binary logging, are also included.
For a complete list of parameters for this call, see the
instances:insert
page. For information about instance settings, including valid values for
region, see
Instance settings
Don't include sensitive or personally identifiable information
in your instance ID; it is externally visible.
You do not need to include the project ID in the instance name. This is done automatically where
appropriate (for example, in the log files).
You can use the sqlNetworkArchitecture field to enforce the use of the new network
architecture for the instance upon creation, even if the project isn't fully upgraded.
For more details about the new network architecture and its implications, see
Upgrade an instance to the new network architecture and Allocate an IP address range.
Before using any of the request data,
make the following replacements:
PROJECT_ID: your project ID
INSTANCE_ID: your instance ID
DATABASE_VERSION: the database version.
For example: MYSQL_8_4 or MYSQL_8_0_37. If you don't specify
a database version, the default database version is MYSQL_8_4.
REGION: the region
MACHINE_TYPE: your machine type
EDITION_TYPE: your Cloud SQL edition
DATA_CACHE_ENABLED: (optional) set to true to enable data cache for your instance
PRIVATE_NETWORK: specify the name of the Virtual Private Cloud (VPC) network that
you want to use for this instance. Private services access must already be configured for the
network.
AUTHORIZED_NETWORKS: For public IP connections, specify the connections from authorized
networks that can connect to your instance.
CA_MODE: specify a
certificate authority hierarchy
for the instance, either GOOGLE_MANAGED_INTERNAL_CA or GOOGLE_MANAGED_CAS_CA.
If you don't specify serverCaMode, then the default configuration is GOOGLE_MANAGED_INTERNAL_CA.
This feature is in Preview.
SERVER_CERTIFICATE_ROTATION_MODE: For automatic server certificate rotation for your instance,
specify AUTOMATIC_ROTATION_DURING_MAINTENANCE. If you don't specify
serverCertificateRotationMode, then the default configuration is NO_AUTOMATIC_ROTATION.
DNS_NAMES: add a comma-separated list of up to three DNS names to the server certificate of your Cloud SQL instance. You can secure multiple DNS names with a single certificate. This feature is available in Preview and for CUSTOMER_MANAGED_CAS_CA instances only.
To set a password policy while creating an instance, include the passwordValidationPolicy object in the request.
Set the following parameters, as required:
enablePasswordPolicy: Enables the password policy when set to true.
To remove the password policy, you can use a PATCH
request with null as the value for enablePasswordPolicy.
In this case, the other password policy parameters are reset.
minLength: Specifies the minimum number of characters that
the password must have.
complexity: Checks if the password is a
combination of lowercase, uppercase, numeric, and non-alphanumeric
characters. The default value is COMPLEXITY_DEFAULT.
reuseInterval: Specifies the number of previous passwords that you can't reuse.
Supported only on Cloud SQL for MySQL 8.0 and later.
disallowUsernameSubstring: Prevents the use of the username in the password
when set to true.
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances
A write endpoint is a global domain name service (DNS) name that resolves to the
IP address of the current primary instance automatically. This endpoint redirects
incoming connections to the new primary instance automatically in case of a replica
failover or switchover
operation. You can use the write endpoint in a SQL connection string instead of
an IP address. By using a write endpoint, you can avoid having to make
application connection changes when a region outage occurs.
Replace the following variables before running the command:
INSTANCE_NAME: The name of the instance.
DATABASE_VERSION: The database minor version of the instance:
MYSQL_8_0_18,
MYSQL_8_0_26,
MYSQL_8_0_27,
MYSQL_8_0_28,
MYSQL_8_0_30,
MYSQL_8_0_31,
MYSQL_8_0_32,
MYSQL_8_0_33,
MYSQL_8_0_34,
MYSQL_8_0_35,
MYSQL_8_0_36,
MYSQL_8_0_37,
MYSQL_8_0_39,
MYSQL_8_0_40,
MYSQL_8_0_41,
MYSQL_8_0_42,
MYSQL_8_0_43,
MYSQL_8_0_44 (default minor version for MySQL 8.0), or
MYSQL_8_0_45.
If you specify MYSQL_8_0, the
default minor version is used.
If you don't specify this flag, then the default
major version, MYSQL_8_0, is used.
If you're creating a MySQL 8.0.35 or later instance,
then you can enable automatic minor version upgrades by specifying the
--enable-auto-upgrade-minor-version flag.
When you enable automatic minor version upgrades, your instance is upgraded
to the default minor version of Cloud SQL for MySQL 8.0 during its
regular scheduled maintenance update.
This flag isn't available for MySQL 8.0.34 and earlier versions.
Before using any of the request data, replace these variables:
project_id: The ID of the project.
instance_id: The name of the instance.
databaseVersion: The database version of the instance:
MYSQL_8_0_18,
MYSQL_8_0_26,
MYSQL_8_0_27,
MYSQL_8_0_28,
MYSQL_8_0_30,
MYSQL_8_0_31,
MYSQL_8_0_32,
MYSQL_8_0_33,
MYSQL_8_0_34,
MYSQL_8_0_35,
MYSQL_8_0_36,
MYSQL_8_0_37,
MYSQL_8_0_39,
MYSQL_8_0_40,
MYSQL_8_0_41,
MYSQL_8_0_42,
MYSQL_8_0_43,
MYSQL_8_0_44 (default minor version for MySQL 8.0), or
MYSQL_8_0_45.
If you specify MYSQL_8_0 as the version, then the
default minor version is used. If you don't specify the
databaseVersion flag, then the default major version,
MYSQL_8_0, is used.
Before using any of the request data, replace these variables:
project_id: The ID of the project.
instance_id: The name of the instance.
databaseVersion:
The database version of the instance:
MYSQL_8_0_18,
MYSQL_8_0_26,
MYSQL_8_0_27,
MYSQL_8_0_28,
MYSQL_8_0_30,
MYSQL_8_0_31,
MYSQL_8_0_32,
MYSQL_8_0_33,
MYSQL_8_0_34,
MYSQL_8_0_35,
MYSQL_8_0_36,
MYSQL_8_0_37,
MYSQL_8_0_39,
MYSQL_8_0_40,
MYSQL_8_0_41,
MYSQL_8_0_42,
MYSQL_8_0_43,
MYSQL_8_0_44 (default minor version for MySQL 8.0), or
MYSQL_8_0_45.
If you specify MYSQL_8_0, then the
default minor version is used. If you don't specify the
databaseVersion flag, then the default major version,
MYSQL_8_0, is used.
Database minor version for read replicas, clones, and PITR
When creating a read replica,
you can specify the database minor version of the read replica. By default, new
read replicas are created on the default minor version.
When cloning an instance,
the newly created instance has the same minor version as the source.
Determines memory and virtual cores available for your Cloud SQL
instance. Machine types are part of a machine series, and machine series
availability is determined by your Cloud SQL edition.
For Cloud SQL Enterprise Plus edition instances, Cloud SQL
offers predefined machine types for your instances in
the N2 and C4A
machine series.
For Cloud SQL Enterprise edition instances, Cloud SQL offers the
general purpose shared core, general purpose dedicated core,
and the N4 machine series.
If you require real-time processing, such as online transaction
processing (OLTP), make sure that your instance has enough memory to contain
the entire working set. However, there are other factors that can impact
memory requirements, such as the number of active connections and internal
overhead processes. Perform load testing to avoid performance
issues in your production environment.
When you configure your instance, select sufficient memory and vCPUs to handle
your needs, and scale up your instance as your requirements increase. A machine configuration
with insufficient vCPUs might lose its SLA coverage. For more information,
see Operational guidelines.
To learn more about the machine types and machine series available
for your Cloud SQL instance, see
Machine series overview.
Troubleshoot
Issue
Troubleshooting
Error message: The zone or region does not have sufficient
resources to handle the request at the moment.
The selected zone lacks capacity for the requested resources or
the VM type at the time of the instance creation request.
There might be simultaneous high operational demand in that specific
regional location at the time of request.
To resolve this issue, retry creating the instance
in another zone or retry creating the instance in the same zone that received
the error at a different time of day.
Error message: Failed to create subnetwork. Couldn't
find free blocks in allocated IP ranges. Please allocate new ranges for
this service provider.
There are no more available addresses in the allocated IP range. There
can be several possible scenarios:
The size of the allocated IP range for the private service connection
is smaller than /24.
The size of the allocated IP range for the private service connection
is too small for the number of Cloud SQL instances.
The required size of the allocated IP range is larger if
instances are created in multiple regions.
See allocated range size
To resolve this issue, you can either expand the
existing allocated IP range or allocate an additional IP range to the
private service connection. For more information, see
Allocate an IP address range.
If you used the --allocated-ip-range-name flag while creating
the Cloud SQL instance, you may only expand the specified IP range.
If you're allocating a new range, take care that the allocation doesn't
overlap with any existing allocations.
After creating a new IP range, update the VPC peering with the following
command:
If you're expanding an existing allocation, take care to increase only the
allocation range and not decrease it. For example, if the original allocation
was 10.0.10.0/24, then make the new allocation at least 10.0.10.0/23.
In general, if starting from a /24 allocation, decrementing the /mask by
1 for each condition (additional instance type group, additional region) is
a good rule of thumb. For example, if trying to create both instance type
groups on the same allocation, going from /24 to /23 is enough.
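The expansion rules above (only grow the range, keep the original inside it, avoid overlap with other allocations) can be checked before changing the allocation. This is an added example, not part of the original page; the function names are hypothetical and the addresses in the usage are constructed from the page's 10.0.10.0/24 example.

```python
import ipaddress


def check_expansion(original, proposed, other_allocations=()):
    """Return a list of problems with replacing `original` by `proposed`."""
    old = ipaddress.ip_network(original)
    new = ipaddress.ip_network(proposed)   # raises ValueError if host bits are set
    problems = []
    if new.prefixlen >= old.prefixlen:
        problems.append("proposed range is not larger than the original")
    if not old.subnet_of(new):
        problems.append("proposed range does not contain the original")
    for other in map(ipaddress.ip_network, other_allocations):
        if new.overlaps(other):
            problems.append(f"proposed range overlaps {other}")
    return problems


def expanded_range(original, extra_conditions):
    """Rule of thumb from the text: decrement the mask by 1 per extra
    condition (additional instance type group, additional region)."""
    old = ipaddress.ip_network(original)
    return str(old.supernet(prefixlen_diff=extra_conditions))


if __name__ == "__main__":
    print(expanded_range("10.0.10.0/24", 1))
    # The base address can move when the mask shrinks: 10.0.11.0/24 sits in
    # the upper half of 10.0.10.0/23.
    print(expanded_range("10.0.11.0/24", 1))
    print(check_expansion("10.0.10.0/24", "10.0.10.0/23", ["10.0.11.0/24"]))
```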
After expanding an existing IP range, update the VPC peering with the
following command:
Error message: Failed to create subnetwork. Required
'compute.projects.get' permission for PROJECT_ID.
When you create an instance with a private IP address, a service
account is created just-in-time using the Service Networking API. If
you have only recently enabled the Service Networking API, then the
service account might not get created and the instance creation fails. In
this case, you must wait for the service account to propagate throughout
the system or manually add it with the required permissions.
Error message: More than 3 subject alternative names are not
allowed.
You're trying to use a custom SAN to add more than three DNS names to
the server certificate of a Cloud SQL instance. You can't add more
than three DNS names to the instance.
Error message: Subject alternative names %s is too long. The
maximum length is 253 characters.
Make sure that any DNS names that you want to add to the server
certificate of a Cloud SQL instance don't have more than 253
characters.
Error message: Subject alternative name %s is invalid.
Verify that the DNS names that you want to add to the server
certificate of a Cloud SQL instance meet the following criteria:
Last updated 2026-06-11 UTC.