Allow only Auth Proxy connections

By default, an AlloyDB for PostgreSQL instance accepts connections on two TCP ports:

  • Port 5432, the default PostgreSQL port that applications use to connect directly to the instance.

  • Port 5433, which the AlloyDB Auth Proxy uses to connect to the instance. In other words, applications connect to the Auth Proxy on whatever host and port it runs on, and then the Auth Proxy communicates with your AlloyDB instance on that instance's port 5433.

For increased security and access control, you can add a firewall rule that prohibits all connections to your instances through the default PostgreSQL port. This effectively requires all applications to connect only through the Auth Proxy, instead.

The technique described on this page lets you control connections originating from the virtual private cloud (VPC) that you peered your cluster with when you initially configured it. This includes network traffic coming from applications running within the VPC, or those connecting through an intermediary VM. It is not currently effective for traffic coming through Cloud Interconnect or Cloud VPN.

Add the firewall rule

To add this firewall rule, follow these steps:

Console

  1. In the Google Cloud console, go to the VPC Networks page.

    Go to VPC Networks

  2. Click the name of the VPC network that your AlloyDB cluster uses. The VPC network details page opens.

  3. Click the name of the subnet corresponding to the region your cluster is on. The Subnet details page opens.

  4. Take note of the numeric CIDR IP range labeled IP range on this page, such as 10.128.0.0/20. You need it for a subsequent step.

  5. Click the name of the VPC network. The VPC network details page opens.

  6. Click Firewalls.

  7. Click Add firewall rule. The Create a firewall rule page opens.

  8. Fill out the form. The key fields for this particular rule are these:

    • Set Network to the name of the VPC network your AlloyDB cluster uses.

    • For Direction of traffic, specify Egress.

    • For Action on match, specify Deny.

    • Under Protocols and ports, specify TCP port 5432. That's the PostgreSQL default port this rule disallows further connections from.

    • In the Source IPv4 ranges field, enter the CIDR range that you retrieved earlier.

  9. Click Create.

gcloud

  1. To retrieve the IP range that you need to create the firewall rule, use the gcloud computer networks subnets list command:

    gcloud compute networks subnets list \
--regions=REGION_ID \
--network=NETWORK \
--format="value(ipCidrRange)"

    Replace the following:

    • REGION_ID: The region that your cluster is in. For example, us-central1.

    • NETWORK: The name of the VPC network your cluster uses. For example, default.

    For more information on seeing the region and network details of a cluster, see View cluster details.

    The command should output a CIDR IP range, such as 10.128.0.0/20. Take note of this; you will need it for the next step.

  2. To create the firewall rule, use the gcloud compute firewall-rules create command:

    gcloud compute firewall-rules create deny-postgres \
--direction=EGRESS --priority=1000 --network=NETWORK \
--action=DENY --rules=tcp:5432 --destination-ranges=SUBNET

    Replace the following:

    • NETWORK: The name of the VPC network your cluster uses. For example, default.

    • SUBNET: The CIDR range that the previous step revealed.

The previous steps create a firewall rule that applies to an entire regional subnet within your VPC. If you wish to limit the rule's application to specific machines within your VPC, you can adjust the new rule by adding targets, as described in Targets for firewall rules.

What's next