Skip to content
All writing Part 03 of 09 · Reaching a Remote DB From Your Laptop
Engineering · 2 min read

Two Tunnels to a Remote DB: Cloud SQL Auth Proxy vs kubectl port-forward

Two ways to reach a remote DB on a local port: the Cloud SQL Auth Proxy (Admin API + IAM) and kubectl port-forward (kubeconfig). Same localhost outcome, different auth paths.

Same outcome, a local port → remote DB, via two different auth paths:

127.0.0.1:PORT local port remote DB Cloud SQL Auth Proxy Admin API + IAM kubectl port-forward kubeconfig / GKE creds
Two different auth paths, but the client always sees the native DB protocol on 127.0.0.1:PORT.
Cloud SQL Auth Proxykubectl port-forward
Formanaged Cloud SQL instancesany DB running in a k8s pod/svc
Addressed byproject:region:instancenamespace + svc/pod
Auth pathCloud SQL Admin API + IAM (ADC / service account)your kubeconfig (GKE creds)
Encryptionephemeral TLS tunnel to the instancetunnel via the k8s API server
Client seesplain localhost TCP (native wire protocol)same

The client always speaks the normal DB protocol to 127.0.0.1:PORT; the tunnel is transparent, the client doesn’t know there’s a layer in between.

From this session: Postgres / MySQL reached via cloud_sql_proxy (Admin API); ClickHouse lives in GKE, so it’s reached via a containerized kubectl port-forward, which is why only it needs a one-time gcloud container clusters get-credentials.

Two tunnels, different auth paths, but the client always sees the native DB protocol on 127.0.0.1:PORT.


References

Related: back to the remote DB overview; this tunnel lands you on the five coordinates at 127.0.0.1:PORT.

Tags #databases #gcp #kubernetes
// connect

Be brave | Be wise | Be grateful

21 BreakinCode

// elsewhere
LinkedInMedium (lang: en)Life RecordYoutube
wh:~$William Hung· © 2026 Taipei · GMT+8 · Available for collaboration