What is the name of the domain?
N/A
What is the error number?
N/A
What is the error message?
N/A
What is the issue you’re encountering?
I’m seeing if it’s possible, as a use case, to connect to Google Cloud Platform hosted AlloyDB Clusters’ and Instances’ Private IP Addresses
What steps have you taken to resolve the issue?
Hi everyone, I was hoping you could help with a use-case we’re trying to understand. Some details below:
Background:
We’ve recently moved from using CloudSQL to AlloyDB hosted in Google Cloud Platform (as a service).
We have moved from using Public IP Addresses in our CloudSQL Instances to now using Private IP with our AlloyDB Clusters as it was a security risk.
We were previously able to connect to our CloudSQL Instances using Public IP Address and with the Google CloudSQL Proxy: About the Cloud SQL Auth Proxy | Cloud SQL for MySQL | Google Cloud
Since we’ve moved to AlloyDB, we’re currently using an Intermediary VM (Compute Engine VM in the same VPC as the AlloyDB Instances) and GCP IAP Tunneling to connect from our Developers’ machines to the AlloyDB Instances. We connect via IAP to the Intermediary VM and from there to the AlloyDB Clusters/Instances. We have 1 Intermediary VM per AlloyDB Cluster, and the Intermediary VM is in the same Project and VPC as our AlloyDB Cluster, following the below Documentation: Connect to a cluster from outside its VPC | AlloyDB for PostgreSQL | Google Cloud
This works as expected, however our Developer team would like to not jump through the Intermediary VM to get to the AlloyDB Clusters, which is the reason for me opening this ticket.
We already have a Cloudflare ZT VPN Tunnel running in a GKE Cluster in one of our Google Cloud Projects, which has access to the Kubernetes Clusters in other GCP Projects via their Public Endpoints. Is it possible, instead of using the Intermediary VM, to use the Cloudflare ZT VPN Tunnel to connect to the Private IP addresses of our AlloyDB Clusters and Instances?
Caveats:
Tunnel is in project a
AlloyDB Clusters and Instances are in projects b, c and d.
VPC Peering is enabled from project a to projects b, c and d (both ways).
We have tried adding the Private IP Address to the Cloudflare Tunnel, however we don’t seem to get any connectivity.
This was more a question of the art of the possible, rather than actually getting it working.
Question 1:
Is this even possible?
Question 2:
If it is, will it work for us in our current setup? Or will it work only with a tunnel per GCP Project. i.e. GKE Cluster in project a, in VPC for project a, connecting to AlloyDB instance in project a, GKE Cluster in project b, in VPC for project b, connecting to AlloyDB instance in project b etc…
Any help with this would be greatly appreciated, thank you!
Chris
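The following is an added example, not code from the poster, Cloudflare or Google. It is a small reachability model for the setup described above (tunnel in project a, AlloyDB in other projects, VPC peering between them), useful for reasoning about which private addresses a tunnel can actually forward to before debugging routes. It assumes two documented GCP behaviours: AlloyDB private IPs are allocated from a Private Services Access range that sits in a Google-managed producer VPC peered to the customer VPC, and VPC Network Peering is not transitive (a peer's peer is not reachable). All VPC names and CIDRs are constructed sample values, not the poster's real ones.

```python
import ipaddress
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Constructed sample topology modelled on the post. Names and CIDRs are
# made up for illustration; they are not the poster's real values.
#
# Which VPC owns each address range. AlloyDB private IPs come from a
# Private Services Access (PSA) range that lives in a Google-managed
# producer VPC peered to the customer VPC (assumption: documented AlloyDB
# private-IP behaviour).
RANGE_OWNER: Dict[str, str] = {
    "10.10.0.0/16": "vpc-a",           # project a, where the tunnel pod runs
    "10.20.0.0/16": "vpc-b",           # project b
    "10.30.0.0/16": "vpc-c",           # project c
    "10.200.0.0/20": "alloydb-psa-a",  # PSA range used by AlloyDB in project a
    "10.201.0.0/20": "alloydb-psa-b",  # PSA range used by AlloyDB in project b
}

# Bidirectional VPC peerings as unordered pairs.
PEERINGS: Set[FrozenSet[str]] = {
    frozenset({"vpc-a", "vpc-b"}),
    frozenset({"vpc-a", "vpc-c"}),
    frozenset({"vpc-a", "alloydb-psa-a"}),  # PSA peering inside project a
    frozenset({"vpc-b", "alloydb-psa-b"}),  # PSA peering inside project b
}


def owner_of(ip: str, range_owner: Dict[str, str]) -> Optional[str]:
    """Return the VPC whose address range contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, vpc in range_owner.items():
        if addr in ipaddress.ip_network(cidr):
            return vpc
    return None


def direct_peers(vpc: str, peerings: Set[FrozenSet[str]]) -> Set[str]:
    """VPCs reachable from vpc over exactly one peering (no transitivity)."""
    return {other for pair in peerings if vpc in pair
            for other in pair if other != vpc}


def tunnel_reachability(
    tunnel_vpc: str,
    tunnel_routes: Iterable[str],
    target_ip: str,
    peerings: Set[FrozenSet[str]] = PEERINGS,
    range_owner: Dict[str, str] = RANGE_OWNER,
) -> str:
    """Classify whether a tunnel running in tunnel_vpc can reach target_ip.

    tunnel_routes are the private-network CIDRs the tunnel advertises; the
    tunnel only forwards traffic for addresses inside one of them.
    """
    addr = ipaddress.ip_address(target_ip)

    # 1. The address must be covered by a private-network route on the tunnel.
    if not any(addr in ipaddress.ip_network(r) for r in tunnel_routes):
        return "no-tunnel-route"

    # 2. The address must belong to a range we know how to place.
    owner = owner_of(target_ip, range_owner)
    if owner is None:
        return "unknown-range"

    # 3. Same VPC as the tunnel: plain VPC routing.
    if owner == tunnel_vpc:
        return "reachable-local"

    # 4. One peering hop away: reachable over VPC Network Peering.
    if owner in direct_peers(tunnel_vpc, peerings):
        return "reachable-one-hop-peering"

    # 5. Anything else needs a peer's peering (e.g. project b's PSA range seen
    #    from vpc-a), which VPC Network Peering does not carry.
    return "unreachable-transitive-peering"


if __name__ == "__main__":
    routes = ["10.200.0.0/20", "10.201.0.0/20"]
    for ip in ("10.200.0.5", "10.201.0.5"):
        print(ip, "->", tunnel_reachability("vpc-a", routes, ip))
```

Run against the sample topology, an AlloyDB address in project a's PSA range comes back reachable over one peering hop, while an AlloyDB address in project b's PSA range is classified as unreachable because it would need a second peering hop from vpc-a. In that model a tunnel per project (or per VPC hosting an AlloyDB PSA range) is what makes every target one hop away; confirming the real routes and peerings in the console or with gcloud is still required, since the model only encodes what it is told.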