Connecting to Private AlloyDB instance from application running on GKE Autopilot

1. Overview

In this lab, you will deploy a two-tier microservice with a pod running on GKE Autopilot and connecting it to a private instance of AlloyDB database. Customer Service application is part of Cymbal Eats system and provides functionality to manage registered users. Customer Service application is a Java based microservice that uses the Quarkus framework.


AlloyDB supports network connectivity through private, internal IP addresses configured for private services access.

Private services access is implemented as a VPC peering connection between your VPC network and the underlying Google Cloud VPC network where your AlloyDB resources (clusters and instances) reside. The private connection enables resources in your VPC network to communicate with the AlloyDB resources they access exclusively by using internal IP addresses. The resources in your VPC network don't need Internet access or external IP addresses to reach AlloyDB resources.


What is GKE Autopilot?

GKE Autopilot is a mode of operation in GKE in which Google manages your cluster configuration, including your nodes, scaling, security, and other preconfigured settings. Autopilot clusters are optimized to run most production workloads, and provision compute resources based on your Kubernetes manifests. The streamlined configuration follows GKE best practices and recommendations for cluster and workload setup, scalability, and security. For a list of built-in settings, refer to the Autopilot and Standard comparison table.

What is AlloyDB?

A fully managed PostgreSQL-compatible database service for your most demanding enterprise database workloads. AlloyDB combines the best of Google with one of the most popular open-source database engines, PostgreSQL, for superior performance, scale, and availability.

What you will learn

In this lab, you will learn how to do the following:

  • Create private instance of AlloyDB database
  • Deploy an application on GKE Autopilot cluster that connects to AlloyDB instance


  • This lab assumes familiarity with the Cloud Console and Cloud Shell environments.
  • Prior GKE and AlloyDB experience is helpful but not required.

2. Setup and Requirements

Cloud Project setup

  1. Sign-in to the Google Cloud Console and create a new project or reuse an existing one. If you don't already have a Gmail or Google Workspace account, you must create one.




  • The Project name is the display name for this project's participants. It is a character string not used by Google APIs. You can update it at any time.
  • The Project ID is unique across all Google Cloud projects and is immutable (cannot be changed after it has been set). The Cloud Console auto-generates a unique string; usually you don't care what it is. In most codelabs, you'll need to reference the Project ID (it is typically identified as PROJECT_ID). If you don't like the generated ID, you may generate another random one. Alternatively, you can try your own and see if it's available. It cannot be changed after this step and will remain for the duration of the project.
  • For your information, there is a third value, a Project Number which some APIs use. Learn more about all three of these values in the documentation.
  1. Next, you'll need to enable billing in the Cloud Console to use Cloud resources/APIs. Running through this codelab shouldn't cost much, if anything at all. To shut down resources so you don't incur billing beyond this tutorial, you can delete the resources you created or delete the whole project. New users of Google Cloud are eligible for the $300 USD Free Trial program.

Environment Setup

Activate Cloud Shell by clicking on the icon to the right of the search bar.


Clone the repository and navigate to the directory, copy and paste command below into the terminal and hit Enter:

git clone && cd cymbal-eats/customer-service

Deploy required dependencies by running the

Following resources will be created:

  • AlloyDB cluster and instance
  • Artifact Registry to store container images for Cloud Run Job and Customer Service
  • VPC Access connector for Cloud Run Job to communicate with AlloyDB database
  • Cloud Run Job to create AlloyDB database
  • GKE Autopilot cluster

If prompted to authorize, click "Authorize" to continue.


The setup will take about 10 minutes. Review the setup script that is used to create required dependencies.

Wait until the script is done and you see the output below before running the next steps.

Job [db-job] has successfully been created.

To execute this job, use:
gcloud beta run jobs execute db-job
OK Creating execution... Done.               
  OK Provisioning resources...
Execution [db-job-k94ps] has successfully started running.

3. Application Deployment

Review AlloyDB cluster

Run the command below to review created AlloyDB instance:

gcloud alloydb instances describe customer-instance --cluster=customer-cluster --region=us-central1

Sample output:

createTime: '2023-01-06T14:40:07.213288293Z'
instanceType: PRIMARY
  cpuCount: 2
name: projects/cymbal-eats-20056-16671/locations/us-central1/clusters/customer-cluster/instances/customer-instance
- zoneId: us-central1-f
  queryPlansPerMinute: 5
  queryStringLength: 1024
  recordApplicationTags: true
  recordClientAddress: true
reconciling: false
state: READY
uid: df90d57d-88df-49be-a626-6dfec0513e64
updateTime: '2023-01-06T14:49:40.907977843Z'
  zoneId: us-central1-b

Explore available features(Query Insight, Monitoring) in the console.


Review GKE Autopilot cluster

Set Project environment variables:

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format='value(projectNumber)')
export PROJECT_NAME=$(gcloud projects describe $PROJECT_ID --format='value(name)')

Part of the initial setup, cluster was created using command below (You don't need to run this command):

gcloud container clusters create-auto $CLUSTER_NAME --region $REGION

Run the command to view created GKE Autopilot cluster:

gcloud container clusters list

Sample output:


Run the command to store credentials for the cluster:


gcloud container clusters get-credentials $CLUSTER_NAME --region=$REGION

Deploy an application

Next you will deploy a Customer Service application.

Customer Service application is a java based microservice that uses the Quarkus framework.

Navigate to cymbal-eats/customer-service folder and run the commands to build and upload container image:

./mvnw clean package -DskipTests


gcloud builds submit --tag $CUSTOMER_SERVICE_IMAGE .

Open Cloud Build in the console to review details for the latest build.


Set environment variable below using the value of AlloyDB Private IP address:

export DB_HOST=$(gcloud beta alloydb instances describe customer-instance \
    --cluster=customer-cluster \
    --region=$REGION \
    --format=json | jq \
    --raw-output ".ipAddress")

echo $DB_HOST

Run the commands below to create Kubernetes secrets object to store database credentials that will be used by the Customer Service application to connect to the database:


kubectl create secret generic gke-alloydb-secrets \
  --from-literal=database=$DB_NAME \
  --from-literal=username=$DB_USER \
  --from-literal=password=$DB_PASSWORD \

Run the command to replace CUSTOMER_SERVICE_IMAGE in the deployment.yaml file:

sed "s@CUSTOMER_SERVICE_IMAGE@$CUSTOMER_SERVICE_IMAGE@g" deployment.yaml.tmpl > customer-service-deployment.yaml

Run the command to deploy the application:

kubectl apply -f customer-service-deployment.yaml

It will take a few moments for the application to transition to RUNNING state.

Run the command to create external IP that will be used in the test steps:


kubectl expose deployment $SERVICE_NAME \
  --type LoadBalancer --port 80 --target-port 8080

Run the command to verify created resources:

kubectl get all

Sample output:


4. Test application

Run the commands below to save Customer Service URL.

kubectl get svc

Set the environment variable below using the value of External IP from the previous output.

CUSTOMER_SERVICE_URL=$(kubectl get svc customer-service -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')

Run the commands below to create a new customer record:

-H 'Content-Type: application/json' \
-d '{"id": "id1","rewardPoints": 3,"address": "1845 Denise St","city": "Mountain View","createDateTime": "2022-11-11T15:56:45.487566","email": "","name": "Angela Jensen","state": "CA","updateDateTime": "2022-11-11T15:56:45.866125","zip": "94043"}'

Run the command above multiple times to generate log messages that you will view in the Logs Explorer later.

Review Customer Records

Run the commands below to view the created customer record.

curl $CUSTOMER_SERVICE_URL/customer | jq

Sample output:

    "address": "1845 Denise St",
    "city": "Mountain View",
    "createDateTime": "2023-01-06T16:13:19.118744",
    "email": "",
    "id": "id1",
    "name": "Angela Jensen",
    "rewardPoints": 3,
    "state": "CA",
    "updateDateTime": "2023-01-06T16:13:19.118896",
    "zip": "94043"

Review GKE Workloads and Services

Open Kubernetes Engine in Cloud Console and review created Workloads and Services.



Application Logs

Open Logs Explorer and search for logs that contain "Customer already exists" text.


5. Congratulations!

Congratulations, you finished the codelab!

What we've covered:

  • How to create private instance of AlloyDB database
  • How to deploy an application on GKE Autopilot cluster that connects to AlloyDB instance

What's next:

Explore other Cymbal Eats codelabs:

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Deleting the project

The easiest way to eliminate billing is to delete the project that you created for the tutorial.