Connect using public IP

This page summarizes how to connect to databases served by AlloyDB for PostgreSQL using public IP.

You can configure your AlloyDB instance to have a public IPv4 address and, optionally, to accept connections only from specific external IP addresses or address ranges, called authorized external networks. These authorized networks are only available when using public IP. You can't specify a private network as an authorized external network.

AlloyDB only supports inbound connections with public IP. You can configure your instance for outbound public IP connectivity using private IP and an intermediary virtual machine (VM). For more information about outbound connections, see Connect to a cluster from outside its VPC.

Create an AlloyDB instance

To create an instance with public IP, do the following:

Console

  1. Go to the Clusters page.


  2. Click a cluster in the Resource Name column.

  3. In the Overview page, go to Instances in your cluster, and click Create primary instance.

  4. Configure your primary instance:

    1. In the Instance ID field, enter an ID for your primary instance.
    2. Under Zonal availability, select one of the following options:
      1. To create a highly available production instance with automated failover, select Multiple zones (Highly available).
      2. To create a basic instance that does not need to be highly available, select Single zone.
    3. Select a machine type.
    4. Under Connectivity, select Enable Public IP.
    5. Optional: To configure SSL or connector requirements on the instance, expand Advanced configuration options, then do the following:
      1. By default, AlloyDB instances require all connections to use SSL encryption. To allow non-SSL connections, clear the Only allow SSL connections checkbox.
      2. To require that all database connections to the instance use the AlloyDB Auth Proxy or the secure connector libraries provided by Google, select Require connectors.
    6. Optional: To restrict direct connections to specific IP addresses, add a comma-separated list of CIDR ranges:
      1. Under Authorized external networks, enter a comma-separated list of CIDR ranges. For each CIDR range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.
    7. Click Create instance.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

For more information about creating other instance types, see Create a read pool instance and Create a secondary instance.

Use the gcloud alloydb instances create command to create an instance.

gcloud alloydb instances create INSTANCE_ID \
    --instance-type=PRIMARY \
    --cpu-count=CPU_COUNT \
    --region=REGION_ID \
    --cluster=CLUSTER_ID \
    --project=PROJECT_ID \
    --assign-inbound-public-ip=ASSIGN_IPV4

Replace the following:

  • INSTANCE_ID: the ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CPU_COUNT: the number of vCPUs you want for the instance. Valid values include the following:
    • 2: 2 vCPUs, 16 GB RAM
    • 4: 4 vCPUs, 32 GB RAM
    • 8: 8 vCPUs, 64 GB RAM
    • 16: 16 vCPUs, 128 GB RAM
    • 32: 32 vCPUs, 256 GB RAM
    • 64: 64 vCPUs, 512 GB RAM
    • 96: 96 vCPUs, 768 GB RAM
    • 128: 128 vCPUs, 864 GB RAM
  • REGION_ID: the region where you want the instance placed.
  • CLUSTER_ID: the ID of the cluster you created earlier.

Optional: Add authorized external networks

To restrict direct connections to specific IP addresses, add a comma-separated list of CIDR ranges.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --assign-inbound-public-ip=ASSIGN_IPV4 \
    --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • CIDR_RANGE: a comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

Enable public IP on an instance

To enable public IP, do the following:

Console

  1. Go to the Clusters page.


  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Connectivity, select the Enable Public IP checkbox.

  6. Optional: To restrict direct connections to specific IP addresses, under Authorized external networks, enter a comma-separated list of CIDR ranges.

    For each CIDR range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

  7. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to enable public IP on your instance.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --assign-inbound-public-ip=ASSIGN_IPV4

Replace the following:

  • INSTANCE_ID: ID of the instance you are updating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID: ID of the cluster that contains the instance. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID: region where the cluster is located.

Optional: Add authorized external networks

To restrict direct connections to specific IP addresses, add a comma-separated list of CIDR ranges.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --assign-inbound-public-ip=ASSIGN_IPV4 \
    --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • CIDR_RANGE: a comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

Disable public IP on an instance

When you disable public IP on your instance, AlloyDB removes the public IP address from your instance and clears the authorized networks list. Authorized external networks can only be used with public IP.

To disable public IP, do the following:

Console

  1. Go to the Clusters page.


  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Connectivity, clear the Enable Public IP checkbox.

  6. Optional: Under Authorized external networks, delete the comma separated CIDR range, if.

  7. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to disable public IP on your instance.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --assign-inbound-public-ip=NO_PUBLIC_IP

Replace the following:

  • INSTANCE_ID: ID of the instance you are updating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID: ID of the cluster that contains the instance. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID: region where the cluster is located.

Update the authorized external networks for an instance

You can update the list of authorized external networks on your instance at any time. Public IP must be enabled on your instance when updating the authorized external networks list.

Authorized external networks can't be added or removed individually, and the networks list is overridden each time the update list command is run. To update authorized external networks on your instance, you'll need to provide a comma-separated list of all authorized external networks each time you want to add or remove a network. Each authorized external network must be in CIDR format.

To update the list of authorized external networks on your instance, do the following:

Console

  1. Go to the Clusters page.


  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Authorized external networks, enter a comma-separated list of CIDR ranges. For each CIDR range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

  6. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to update the list of authorized external networks on your instance.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • INSTANCE_ID: ID of the instance you are updating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID: ID of the cluster that contains the instance. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID: region where the cluster is located.
  • CIDR_RANGE: comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.
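
Because each update replaces the whole list, a safe change starts from the list the instance already has. The following Python sketch is an added example, not part of the original page or of Google's tooling: it reads the current list from describe output, validates each entry, and builds the full replacement list for --authorized-external-networks. The JSON field names, the sample addresses, and the MIN_PREFIX policy are assumptions.

```python
import ipaddress
import json

# Constructed sample of `gcloud alloydb instances describe ... --format=json`.
# The field names are an assumption about the output shape; verify them
# against your own instance before relying on this.
SAMPLE_DESCRIBE = json.dumps({"networkConfig": {
    "enablePublicIp": True,
    "authorizedExternalNetworks": [
        {"cidrRange": "198.51.100.0/24"},
        {"cidrRange": "203.0.113.16/28"},
    ],
}})

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = 16  # hypothetical local policy: nothing broader than a /16


def normalize(cidr):
    """Return the canonical form of one CIDR block, or raise ValueError."""
    # strict=False zeroes host bits, so the result shows the range the
    # prefix really covers (64.233.160.0/16 is 64.233.0.0/16).
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    if net.version != 4:
        raise ValueError(f"{cidr}: expected an IPv4 CIDR block")
    if net.prefixlen < MIN_PREFIX:
        raise ValueError(f"{cidr}: broader than /{MIN_PREFIX}")
    if any(net.overlaps(p) for p in RFC1918):
        raise ValueError(f"{cidr}: private ranges can't be authorized")
    return str(net)


def plan_update(describe_json, add=(), remove=()):
    """Full replacement list: current entries, plus `add`, minus `remove`."""
    cfg = json.loads(describe_json).get("networkConfig", {})
    current = {normalize(n["cidrRange"])
               for n in cfg.get("authorizedExternalNetworks", [])}
    wanted = (current | {normalize(c) for c in add}) - {normalize(c) for c in remove}
    return sorted(wanted, key=ipaddress.ip_network)


def update_argv(instance, cluster, region, networks):
    """Arguments for the update command; the list always carries every entry."""
    return ["gcloud", "alloydb", "instances", "update", instance,
            f"--cluster={cluster}", f"--region={region}",
            "--authorized-external-networks=" + ",".join(networks)]
```

Review the planned list before running the resulting command, since any entry left out of it is removed from the instance.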

View public IP address and authorized external network for an instance

You can view the assigned public IP address and the list of authorized external networks on your instance at any time using the gcloud alloydb instances describe command.

To view the public IP address and list of authorized external networks, do the following:

Console

  1. Go to the Clusters page.


  2. Click a cluster in the Resource Name column.

  3. Go to the Instances in your cluster section.

You can find the Public IP resource that shows the public IP address and the Authorized External Networks resource that shows the authorized external network range, if configured.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

gcloud alloydb instances describe INSTANCE_ID \
    --cluster=CLUSTER_ID \
    --region=REGION_ID

Replace the following:

  • INSTANCE_ID: ID of the instance you are viewing. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID: ID of the cluster that you are viewing. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID: region where the cluster is located.
