GCP Private IP CloudSQL

1 - After following the steps in the page you provided, I was able to SSH into the NAT gateway VM instance.

I've run this command:

$ gcloud compute ssh nat-gateway --zone us-central1-a

2 - From that NAT gateway VM instance, I was able to SSH into the internal VM instance

$ gcloud beta compute ssh [INTERNAL_INSTANCE_NAME] --internal-ip

3 - From there, I was able to connect to the public Internet. I’ve ran the apt-get command. It worked for me.

If you follow the same steps as in the article, it should work.

If it still doesn’t work, then you should troubleshoot with the default networking commands such as traceroute to look at the hops that the packet is crossing.

There is no such thing, a Google Cloud SQL instance being part of the same VPC/Subnet as a Compute Engine instance isn't possible. Cloud SQL is a managed service, which means that Google owns the instance and the network it's connected to. As such it cannot be in one of your project's networks.

Also, Adding an address to the authorized network in Cloud SQL will only work for Public IP connectivity, Private IP is a different story.

In fact as explained here, if you need private connectivity, Cloud SQL will create a network peering between the SQL instance and the Compute Engine network(VPC) of your choice. This means that only the instances in that specific network will be able to reach Cloud SQL.

I would suggest going to the Cloud-SQL details page under 'Connections' tab, and check in-there which network you have associated (Right below 'Associated networking'). Then you just need to make sure that your client machine is part of that particular network(VPC). Also important your client subnet needs to be on the same region as your Cloud SQL instance.