This page describes AlloyDB for PostgreSQL connectivity options and helps you choose the option that best suits your workload, network topology, and secure connectivity requirements. For more information, see the Connection overview.
In this document you learn the following:
- What kind of network setup to use with AlloyDB.
- How to connect securely.
- Connection best practices.
- How your workload location affects your connectivity requirements.
Recommended connectivity options
Use the following table to learn recommended connectivity options for your workloads:
- Whether direct connections, or Language Connectors or the Auth Proxy, are recommended for private IP (private services access or Private Service Connect) and public IP.
- Connection requirements like Serverless Virtual Private Clouds (VPC) Access Connector, and Direct VPC Egress. For more information, see Compare Direct VPC egress and VPC connectors | Cloud Run Documentation.
- Considerations for private IP—private services access versus Private Service Connect—and public IP.
Assess your workload
Before you choose a connectivity option, assess your workload. AlloyDB supports connectivity for your workload environment for the following:
- Cloud Run, Cloud Shell, and non-Google SaaS products
- Cloud Functions v2
- App Engine flexible environment and App Engine standard environment
- Google Kubernetes Engine and Compute Engine
- On-premises setups
| Workload environment | Private IP | Public IP | Description | ||
|---|---|---|---|---|---|
| Direct | Connector | Direct | Connector | ||
| Cloud Shell | ❌ | ❌ | ❌ | ✅ | Cloud Shell requires public IP. |
| Cloud Run, Cloud Functions v2 | ✅ | ✅ | ❌ | ✅ | Requires Serverless VPC Access Connector, or Direct VPC Egress. |
| App Engine Standard, Flex | ✅ | ✅ | ❌ | ✅ | Requires Serverless VPC Access Connector. |
| GKE, Compute Engine | ✅ | ✅ | ✅ | ✅ | We recommend that you use private IP. Use private services access when you don't require transitive VPC Peering. Otherwise, use Private Service Connect. |
| On-premises | ✅ | ✅ | ✅ | ✅ | Private IP requires a network path from on-premises to the target instance. Public IP with Language Connectors or with the Auth Proxy is a secure alternative that doesn't require extensive network setup. |
Best practices for connectivity based on your workload
When you connect to AlloyDB, consider the following based on your workload environment.
Cloud Shell
- Use the Auth Proxy with public IP to connect with Cloud Shell. Cloud Shell doesn't support connecting to a VPC. It has no connectivity to private services access or Private Service Connect instances. In addition, Cloud Shell doesn't have a stable outbound IP address for use in Authorized Networks.
Cloud Run and Cloud Functions v2
- For private IP, both direct and Language Connectors or the Auth Proxy must use Direct VPC egress.
- For public IP, you must use Language Connectors or the Auth Proxy.
App Engine standard environment and App Engine flexible environment
- Use a Serverless VPC Access Connector for private IP, regardless of whether you're using a Language Connector or the Auth Proxy.
- For public IP, you must use Language Connectors or the Auth Proxy.
GKE and Compute Engine
- You can use both direct connections and Language Connectors or the Auth Proxy for connecting to AlloyDB.
On-premises
- You can use both direct connections and Language Connectors or the Auth Proxy for connecting to AlloyDB. The Language Connectors and Auth Proxy don't create a network path. Make sure that there is a network path between your workload and the AlloyDB instance.
Assess your secure connectivity needs
Language Connectors or the Auth Proxy for AlloyDB provide enhanced security features like
IAM integration and mTLS,
but these features require additional
setup. Direct connections, while encrypted by default, don't support client
certificates or higher SSL modes—verify-ca and verify-full. We recommend that you use Language Connectors
or the Auth Proxy with
public IP and that you use direct connections for private IP only when
Language Connectors or the Auth Proxy isn't feasible.
| Encrypted connection | IAM authentication | IAM authorization | mTLS | |
|---|---|---|---|---|
| Direct connection | ✅ | ✅ | ❌ | ❌ |
| Language Connectors or the Auth Proxy | ✅ | ✅ | ✅ | ✅ |
Best practices for secure connectivity
- When you create a cluster, you must specify a private IP interface so that the cluster can be created. If you want to use public IP, we recommend that you choose Private Service Connect as the private IP interface.
- Use Language Connectors or the Auth Proxy for security features like IAM authorization and authentication, and mTLS, even though they require some setup. For example, this approach is well-suited if you want to run the Auth Proxy as a sidecar or you want to use a Language Connector. If you use Language Connectors or the Auth Proxy, your database connection might experience a small increase in latency.
- Use direct connections for optimal performance, and when Language Connectors
or the Auth Proxy
isn't feasible. Direct connections are encrypted by default
(
sslmode=require), but they don't have support for client certificates or higher SSL modes. Only use direct connections when Language Connectors or the Auth Proxy can't be used.
Assess your network topology
For network topology, we recommend that you use private services access for AlloyDB connections. Use Private Service Connect to avoid transitive peering issues with multiple VPCs. Public IP is suitable for connections from non-Google Cloud SaaS products, especially when private IP is impractical.
| Multi-VPC connections | Non-Google SaaS clients | Supports on-premises connections | Description | |
|---|---|---|---|---|
| Private services access | ❌ | ❌ | ✅ | Transitive VPC connectivity isn't supported by default. You can run a socks5 proxy manually for cross-VPC connectivity, but this approach is complex. |
| Private Service Connect | ✅ | ❌ | ✅ | Provides the simplest configuration when you want to connect to AlloyDB from more than one VPC. |
| Public IP | ✅ | ✅ | ✅ | To avoid having to identify the source workload's CIDR ranges for Authorized Networks, public IP is best paired with the Language Connectors or the Auth Proxy. |
Best practices for connectivity based on your network topology
- Default to private services access.
- When you're dealing with multiple VPCs (VPCs), use Private Service Connect to circumvent transitive peering issues.
- For non-Google Cloud SaaS products, choose a public network topology when you're integrating with Software-as-a-Service (SaaS) products that aren't hosted on Google Cloud, especially if private IP connectivity isn't feasible. Private IP is enabled by default, so you must explicitly configure public IP in these scenarios.
- Whenever possible, use the Language Connectors or the Auth Proxy when you use Public IP to achieve a secure connection without having to configure Authorized Networks.
What's next
- Create and connect to a database.
- Connection overview.
- Connect through Cloud VPN or Cloud Interconnect.