Auto-activate for Cloud SQL gcloud commands, cloud-sql-proxy usage, or Cloud SQL connection strings. Google Cloud SQL expertise: fully managed PostgreSQL, MySQL, and SQL Server on GCP. Produces Cloud SQL instance configurations, connection patterns, backup strategies, and replication setups. Use when: provisioning Cloud SQL instances, configuring Auth Proxy connections, setting up read replicas, managing backups and PITR, or migrating to Cloud SQL. For higher performance PostgreSQL workloads see flow:alloydb. For GKE deployment patterns see flow:gke.
From flownpx claudepluginhub cofin/flow --plugin flowThis skill uses the workspace's default tool permissions.
references/connections.mdreferences/engines.mdSearches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Cloud SQL is Google Cloud's fully managed relational database service supporting PostgreSQL, MySQL, and SQL Server. It handles automated backups, replication, patching, high availability, and scaling — letting you focus on your application instead of database administration.
| Feature | Cloud SQL | AlloyDB |
|---|---|---|
| Engines | PostgreSQL, MySQL, SQL Server | PostgreSQL only |
| Storage | Attached SSD (up to 64 TB) | Disaggregated, log-based |
| Availability SLA | 99.95% (HA config) | 99.99% (regional) |
| Columnar engine | Not available | Built-in adaptive |
| ML embeddings | Manual setup | Native Vertex AI |
| Read scaling | Manual read replicas | Read pool (auto-managed) |
| Networking | Public IP or private IP | Private IP only (PSA required) |
| Cost | Lower entry cost | Higher, performance-optimized |
| Best for | General workloads, MySQL/SQL Server | High-performance PostgreSQL |
| Action | Command |
|---|---|
| Create instance | gcloud sql instances create NAME --database-version=POSTGRES_15 --tier=db-g1-small --region=REGION |
| Clone instance | gcloud sql instances clone SOURCE DEST |
| Restart instance | gcloud sql instances restart NAME |
| Patch/resize | gcloud sql instances patch NAME --tier=db-n1-standard-4 |
| Delete instance | gcloud sql instances delete NAME |
| Set maintenance window | gcloud sql instances patch NAME --maintenance-window-day=SUN --maintenance-window-hour=3 |
| Action | Command |
|---|---|
| Create database | gcloud sql databases create DBNAME --instance=INSTANCE |
| Create user | gcloud sql users create USERNAME --instance=INSTANCE --password=PASS |
| Connect via proxy | cloud-sql-proxy PROJECT:REGION:INSTANCE |
| Connect directly | gcloud sql connect INSTANCE --user=postgres --database=DBNAME |
| Create backup | gcloud sql backups create --instance=INSTANCE |
| List backups | gcloud sql backups list --instance=INSTANCE |
| Restore backup | gcloud sql backups restore BACKUP_ID --restore-instance=INSTANCE |
| Pattern | When to Use |
|---|---|
| Auth Proxy | Recommended default — handles IAM auth and TLS automatically |
| Private IP | GKE/GCE on same VPC — lowest latency, no proxy overhead |
| PSC (Private Service Connect) | Cross-project or cross-org access without VPC peering |
| Public IP + authorized networks | Legacy only — always enforce SSL, restrict to known CIDRs |
# Enable required APIs
gcloud services enable sqladmin.googleapis.com
gcloud services enable sql-component.googleapis.com
# Create a PostgreSQL instance with HA
gcloud sql instances create my-postgres \
--database-version=POSTGRES_15 \
--tier=db-n1-standard-4 \
--region=us-central1 \
--availability-type=REGIONAL \
--storage-type=SSD \
--storage-size=100GB \
--storage-auto-increase \
--backup-start-time=03:00 \
--enable-bin-log \
--maintenance-window-day=SUN \
--maintenance-window-hour=4 \
--no-assign-ip \
--network=projects/MY_PROJECT/global/networks/MY_VPC
# Connect via Auth Proxy
cloud-sql-proxy MY_PROJECT:us-central1:my-postgres --port=5432 &
psql "host=127.0.0.1 port=5432 dbname=mydb user=postgres"
PostgreSQL — Use POSTGRES_15 or POSTGRES_16. Supports pgvector, PostGIS, pg_stat_statements. Set max_connections conservatively; use PgBouncer for connection pooling.
MySQL — Use MYSQL_8_0. InnoDB only. innodb_buffer_pool_size defaults to 75% of instance RAM. Binary logging required for read replicas.
SQL Server — Use SQLSERVER_2022_STANDARD or ENTERPRISE. Always-on availability groups supported. Windows Authentication not available; use SQL Server auth or IAM.
# Enable automated backups with PITR
gcloud sql instances patch my-postgres \
--backup-start-time=03:00 \
--enable-bin-log \
--retained-backups-count=14 \
--retained-transaction-log-days=7
# On-demand backup
gcloud sql backups create --instance=my-postgres --description="pre-migration"
# Point-in-time restore (PostgreSQL/MySQL)
gcloud sql instances clone my-postgres my-postgres-restored \
--point-in-time="2025-06-15T14:30:00Z"
# Cross-region replica for disaster recovery
gcloud sql instances create my-postgres-replica \
--master-instance-name=my-postgres \
--region=us-east1
# Create read replica (same region)
gcloud sql instances create my-postgres-read \
--master-instance-name=my-postgres \
--region=us-central1
# Promote replica to standalone (for migrations)
gcloud sql instances promote-replica my-postgres-read
# List replicas
gcloud sql instances list --filter="masterInstanceName=my-postgres"
# Enable IAM database authentication
gcloud sql instances patch my-postgres \
--database-flags=cloudsql.iam_authentication=on
# Add IAM user (PostgreSQL)
gcloud sql users create user@example.com \
--instance=my-postgres \
--type=CLOUD_IAM_USER
# Enforce SSL
gcloud sql instances patch my-postgres \
--require-ssl
# Enable audit logging
gcloud sql instances patch my-postgres \
--database-flags=cloudsql.enable_pgaudit=on
Choose engine version, tier (machine type), and storage based on workload. For production, always use --availability-type=REGIONAL for HA with automatic failover. Size memory to fit the working dataset with ~30% headroom.
Prefer private IP over public IP. If using private IP, ensure a VPC exists and pass --network= and --no-assign-ip at creation time. Private IP cannot be added after creation without recreation. For cross-project access, use PSC instead of VPC peering.
Create the instance, then create databases and users. Use IAM database authentication over password auth when possible. Store passwords in Secret Manager.
Deploy the Cloud SQL Auth Proxy as a sidecar (GKE), standalone binary (GCE), or let Cloud Run handle it automatically with --add-cloudsql-instances. The proxy handles TLS and IAM authentication transparently.
Enable automated backups, set PITR retention, and configure maintenance windows during off-peak hours. Enable Query Insights for performance monitoring. Set up alerts for disk usage, CPU, and active connections.
For read-heavy workloads, create read replicas and update application connection strings to route read queries to replicas. For PostgreSQL, consider PgBouncer as a connection pool in front of both primary and replicas.
</workflow> <guardrails>--require-ssl and restrict --authorized-networks to known CIDRs--backup-start-time and --retained-backups-count at creation; enabling after the fact risks a gap--maintenance-window-day and --maintenance-window-hourBefore delivering configurations, verify:
--availability-type=REGIONAL for production HA--no-assign-ip --network=) or Auth Proxy is in place--require-ssl) if public IP exists--storage-auto-increase)Create a PostgreSQL 15 instance with HA, configure Auth Proxy, and connect a Python application:
# 1. Create instance
gcloud sql instances create app-postgres \
--database-version=POSTGRES_15 \
--tier=db-n1-standard-2 \
--region=us-central1 \
--availability-type=REGIONAL \
--storage-type=SSD \
--storage-size=50GB \
--storage-auto-increase \
--no-assign-ip \
--network=projects/my-project/global/networks/my-vpc \
--backup-start-time=02:00 \
--retained-backups-count=14 \
--enable-bin-log \
--retained-transaction-log-days=7 \
--maintenance-window-day=SAT \
--maintenance-window-hour=3 \
--database-flags=cloudsql.iam_authentication=on
# 2. Create database and user
gcloud sql databases create myapp --instance=app-postgres
gcloud sql users create myapp-user \
--instance=app-postgres \
--password="$(gcloud secrets versions access latest --secret=db-password)"
# 3. Grant IAM access for a service account
gcloud sql users create sa@my-project.iam \
--instance=app-postgres \
--type=CLOUD_IAM_SERVICE_ACCOUNT
# 4. Start Auth Proxy (local development)
cloud-sql-proxy my-project:us-central1:app-postgres --port=5432 &
Python connection string using the Auth Proxy (local) or Unix socket (Cloud Run):
# Via Auth Proxy (local dev / GCE)
DATABASE_URL = "postgresql+asyncpg://myapp-user:password@127.0.0.1:5432/myapp"
# Via Unix socket (Cloud Run — set INSTANCE_CONNECTION_NAME env var)
import os
INSTANCE = os.environ["INSTANCE_CONNECTION_NAME"] # project:region:instance
DATABASE_URL = f"postgresql+asyncpg://myapp-user:password@/myapp?host=/cloudsql/{INSTANCE}"
For detailed guides and code examples, refer to the following documents in references/:
gemini extensions install https://github.com/gemini-cli-extensions/cloud-sql-postgresql (also cloud-sql-mysql, cloud-sql-sqlserver)flow:alloydbflow:gke → Cloud SQL on GKE section