We are trying to migrate a GCE DB instance residing in Project-A / VPC-A, to an existing Cloud SQL instance residing in Project-B / VPC-B that has private IP only.
Best answer by guillaume blaquiere
In fact, when you have a private IP on a Cloud SQL instance, Google creates a peering between the VPC A and the Cloud SQL managed by google world
In project B, to access to VPC A, you need to create another peering. And there is a golden roule in VPC peering with GCP: the peering is not transitive. Which mean:
if A → B and B → C, a CAN’T reach C because of lack of transitivity
Use public IP without authorized network and Cloud SQL proxy for that. I know, the security teams hate that, and I’m fighting everyday to teach them!!
You can also use a dirty hack. Instead of peering between VPC A and VPC B, you can create a VPN. It’s more expensive, but it solves your issue ;)