Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to secure connections by enforcing applications to
connect to existing AlloyDB for PostgreSQL instances only through connectors. It also
provides steps to remove this enforcement on an instance. For information about
how to secure connections when you create an instance, see
Create the primary instance.
AlloyDB instances accept connections on two TCP ports:
Port 5432, the default PostgreSQL port that applications use to
connect directly to the instance.
Port 5433, which connectors, including AlloyDB Auth Proxy use to connect to the
instance.
In other words, applications connect to a chosen connector on the host and port
they run on, and then that connector communicates with your AlloyDB
instance on that instance's port 5433.
INSTANCE_ID: The ID of the instance that you are updating.
REGION_ID: The region where the instance is placed.
CLUSTER_ID: The ID of the cluster where the instance is placed.
PROJECT_ID: The ID of the project where the cluster is placed.
If the command returns an error message that includes the phrase
invalid cluster state MAINTENANCE, then the cluster is undergoing routine
maintenance. This temporarily disallows instance reconfiguration. Run the command
again after the cluster returns to a READY state. To check the cluster's
status, see View cluster details.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide outlines the process of enforcing secure connections to AlloyDB for PostgreSQL instances by mandating the use of connectors.\u003c/p\u003e\n"],["\u003cp\u003eAlloyDB instances use port 5432 for direct connections and port 5433 for connector-mediated connections, where applications connect to the connector.\u003c/p\u003e\n"],["\u003cp\u003eConnector enforcement can be enabled on an existing instance through the Google Cloud Console or using the \u003ccode\u003egcloud\u003c/code\u003e CLI with the \u003ccode\u003e--require-connectors\u003c/code\u003e flag.\u003c/p\u003e\n"],["\u003cp\u003eConnector enforcement can be disabled on an instance via the Google Cloud Console or the \u003ccode\u003egcloud\u003c/code\u003e CLI by using the \u003ccode\u003e--no-require-connectors\u003c/code\u003e flag.\u003c/p\u003e\n"],["\u003cp\u003eConnector enforcement for the primary instance in a Private Service Connect cluster is supported only when no secondary instances are present.\u003c/p\u003e\n"]]],[],null,["# Control connector enforcement\n\nThis page describes how to secure connections by enforcing applications to\nconnect to existing AlloyDB for PostgreSQL instances only through connectors. It also\nprovides steps to remove this enforcement on an instance. For information about\nhow to secure connections when you create an instance, see\n[Create the primary instance](/alloydb/docs/instance-primary-create).\n| **Note:** For the primary instance in a Private Service Connect cluster, connector enforcement is only supported when there are no secondary instances.\n\nAlloyDB instances accept connections on two TCP ports:\n\n- Port 5432, the default PostgreSQL port that applications use to\n connect directly to the instance.\n\n- Port 5433, which connectors, including AlloyDB Auth Proxy use to connect to the\n instance.\n\nIn other words, applications connect to a chosen connector on the host and port\nthey run on, and then that connector communicates with your AlloyDB\ninstance on that instance's port 5433.\n\nEnforce connectors on an instance\n---------------------------------\n\n\nTo use the gcloud CLI, you can\n[install and initialize](/sdk/docs/install) the Google Cloud CLI, or you\ncan use [Cloud Shell](/shell/docs/using-cloud-shell).\n\n\u003cbr /\u003e\n\n### Console\n\n1. Go to the **Clusters** page.\n\n [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)\n2. Click a cluster in the **Resource name** column.\n3. In the **Overview** page, go to the **Instances in your cluster** section, and click **Edit primary**.\n4. In the **Edit primary instance** pane, expand **Advanced configuration options**.\n5. Select **Require connectors**.\n6. Click **Update instance**.\n\n### gcloud\n\n\nTo use the gcloud CLI, you can\n[install and initialize](/sdk/docs/install) the Google Cloud CLI, or you\ncan use [Cloud Shell](/shell/docs/using-cloud-shell).\n\n\u003cbr /\u003e\n\nUse the [`gcloud alloydb instances update`](/sdk/gcloud/reference/alloydb/instances/update)\ncommand with the `--require-connectors` flag to enforce a secure connection\nin an AlloyDB instance. \n\n gcloud alloydb instances update \u003cvar translate=\"no\"\u003eINSTANCE_ID\u003c/var\u003e \\\n --region=\u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e \\\n --cluster=\u003cvar translate=\"no\"\u003eCLUSTER_ID\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --require-connectors\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eINSTANCE_ID\u003c/var\u003e: The ID of the instance that you are updating.\n- \u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e: The region where the instance is placed.\n- \u003cvar translate=\"no\"\u003eCLUSTER_ID\u003c/var\u003e: The ID of the cluster where the instance is placed.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The ID of the project where the cluster is placed.\n\nIf the command returns an error message that includes the phrase\n`invalid cluster state MAINTENANCE`, then the cluster is undergoing routine\nmaintenance. This temporarily disallows instance reconfiguration. Run the command\nagain after the cluster returns to a `READY` state. To check the cluster's\nstatus, see [View cluster details](/alloydb/docs/cluster-view).\n\nDisable connector enforcement on an instance\n--------------------------------------------\n\n### Console\n\n1. Go to the **Clusters** page.\n\n [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)\n2. Click a cluster in the **Resource name** column.\n3. In the **Overview** page, go to the **Instances in your cluster** section, and click **Edit primary**.\n4. In the **Edit primary instance** pane, expand **Advanced configuration options**.\n5. Clear **Require connectors**.\n6. Click **Update instance**.\n\n### gcloud\n\nUse the [`gcloud alloydb instances update`](/sdk/gcloud/reference/alloydb/instances/update)\ncommand with the `--no-require-connectors` flag to disable connectors on an AlloyDB\ninstance. \n\n gcloud alloydb instances update \u003cvar translate=\"no\"\u003eINSTANCE_ID\u003c/var\u003e \\\n --region=\u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e \\\n --cluster=\u003cvar translate=\"no\"\u003eCLUSTER_ID\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --no-require-connectors\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eINSTANCE_ID\u003c/var\u003e: The ID of the instance that you are updating.\n- \u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e: The region where the instance is placed.\n- \u003cvar translate=\"no\"\u003eCLUSTER_ID\u003c/var\u003e: The ID of the cluster where the instance is placed.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The ID of the project where the cluster is placed.\n\nWhat's next\n-----------\n\n- [AlloyDB Auth Proxy overview](/alloydb/docs/auth-proxy/overview)."]]
