Connection overview

This page summarizes how to connect to databases served by AlloyDB for PostgreSQL:

  • Networking: AlloyDB instances use public or private IPs on a Virtual Private Cloud (VPC). Various techniques allow secure connections from applications running outside the VPC.

  • Authorization: The AlloyDB Auth Proxy lets you use Identity and Access Management (IAM) to control who has access to your data. Your VPC's firewall lets you further tune access to AlloyDB resources.

  • Authentication: Use standard PostgreSQL user-authentication techniques to log in to your instances. AlloyDB also supports IAM-based authentication using standard PostgreSQL user roles.

Networking

Even though an AlloyDB instance contains many nodes, your applications connect to an instance through a single, static IP address. This address can be either private to the VPC that you specify when first setting up an instance's cluster, or a public IP that allows direct connections from outside of the VPC.

Private IP

When you configure AlloyDB with private IP, your instance gets a private IP address within your VPC.

Private IP addresses affect connections to your application in two ways:

  • Applications running elsewhere within your project's VPC can connect to the instance—or to a proxy representing the instance—without additional steps or resources.

    As an example, Connect a psql client to an instance shows how to connect to your AlloyDB instance by running the psql command-line program on a Compute Engine VM within your VPC.

  • Applications running outside the VPC require an intermediary service to connect to the AlloyDB instance. Solutions include running proxy services on a VM within the instance's VPC, or using other Google Cloud products to establish a permanent connection between your application and your VPC.

    For more information, see Connect to a cluster from outside its VPC.

Connections over private IP typically provide lower latency and a smaller attack surface because they don't traverse the public internet.

To learn more about private IP in AlloyDB, see Private IP overview.

Public IP

When you configure AlloyDB with public IP, your instance gets a public IP address for inbound connections that is reachable from the public internet. Optionally, you can use authorized external networks to specify the IP address ranges, in CIDR format, that are allowed to access your instance.

We recommend using public IP with AlloyDB Language Connectors to ensure secure connections between the client and your instance.

For more information about adding a public IP and authorized external networks to your instance, see Connect using public IP.

AlloyDB also supports outbound connections to your instance. You can enable outbound public IP for migrating a database into AlloyDB directly from an external source using Database Migration Service or self-managed pglogical setups. AlloyDB also supports connecting to an external data source using foreign data wrappers, such as postgres_fdw or oracle_fdw.

For more information about enabling outbound public IP, see Add outbound connectivity to an instance.

Authorization

You can control access to an AlloyDB cluster by using AlloyDB Language Connectors, AlloyDB Auth Proxy, or with VPC firewall rules.

AlloyDB Language Connectors

AlloyDB Language Connectors are client libraries that provide automated mTLS using TLS 1.3 and IAM authorization when connecting to an AlloyDB cluster.

You can use these libraries directly from their respective programming languages. They provide the same capabilities as the AlloyDB Auth Proxy without requiring an external process, which improves security and reduces the configuration needed to connect to AlloyDB.

For more information, see AlloyDB Language Connectors overview.

Control access with IAM and the AlloyDB Auth Proxy

Although you can connect directly to an instance through its IP address, we recommend using the AlloyDB Auth Proxy in production environments. It provides IAM-based access control and end-to-end encryption between the proxy and your cluster.

For more information, see About the AlloyDB Auth Proxy.

Limit VPC access with firewall rules

As with any cloud-based project, you should tune your VPC's firewall rules to restrict network access only to the IP ranges or subnetworks that your applications connect from. This is especially important with external applications, as detailed in Connect to a cluster from outside its VPC.

For more information about configuring your VPC's firewall, see VPC firewall rules.

Authentication

AlloyDB supports two kinds of database users, each of which has its own way of authenticating with your databases:

  • Standard PostgreSQL user roles authenticate using a username and password. You manage these accounts using ordinary PostgreSQL user-management techniques. For more information, see Manage AlloyDB user roles.

  • IAM user and service accounts authenticate as database users using OAuth 2.0 tokens. You manage these accounts using the Google Cloud IAM system. For more information, see Manage IAM authentication.

Once authenticated with an AlloyDB instance, an application can treat the instance like an ordinary PostgreSQL server. After establishing networking and authorization routes to an instance, you can use standard PostgreSQL techniques to log in to an instance and access your data. This holds true whether manually logging in with a tool like psql, or connecting to your database programmatically using a PostgreSQL code library.

Typically, your first authentication with a new AlloyDB cluster involves logging in to its primary instance as its postgres user, using the password that you specify when creating the cluster. From there, you should create database users without administrative privileges for your application's use.
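The least-privilege setup that the previous paragraph recommends, as an added example that is not from the AlloyDB documentation: run it as the postgres user after that first login. The database appdb, the schema app, the group role app_rw, and the login role app_service are placeholder names.

```sql
-- Added example, not from the AlloyDB documentation. Assumes a database
-- "appdb" with a schema "app" owned by postgres; all names are placeholders.
-- Run as the cluster's postgres user after the first login.

-- 1. A NOLOGIN group role holds the privileges, so that individual login
--    roles can be rotated or revoked without touching any grants.
CREATE ROLE app_rw NOLOGIN;

-- 2. Remove the defaults that make the database and the public schema
--    reachable by every role, so nothing is granted implicitly.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 3. Grant only what the application needs: connect, use the schema,
--    and read or write rows. No CREATE, no ownership, no superuser.
GRANT CONNECT ON DATABASE appdb TO app_rw;
GRANT USAGE ON SCHEMA app TO app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_rw;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO app_rw;

-- 4. Apply the same grants to tables and sequences that postgres creates
--    later; without this, new tables are unreachable for the application.
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_rw;
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA app
    GRANT USAGE, SELECT ON SEQUENCES TO app_rw;

-- 5. The login role the application authenticates as. The password is a
--    placeholder; supply the real one from a secret store, never in source.
CREATE ROLE app_service LOGIN PASSWORD 'REPLACE_ME'
    NOSUPERUSER NOCREATEDB NOCREATEROLE CONNECTION LIMIT 20;
GRANT app_rw TO app_service;

-- 6. Verify: the result should list only the privileges granted in step 3.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'app_rw'
ORDER BY table_name, privilege_type;
```

The application then connects as app_service over the Auth Proxy or a Language Connector; because app_service inherits from app_rw, no SET ROLE is needed in application code.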

What's next