Configure SSL enforcement mode on AlloyDB instances

This page shows how to configure the SSL enforcement mode on AlloyDB for PostgreSQL instances.

By default, an AlloyDB instance accepts only connections using SSL.

AlloyDB uses SSL to establish secure, authenticated, and encrypted connections to AlloyDB instances. A configurable SSL enforcement mode controls whether an instance requires SSL for every database connection (the default) or also accepts unencrypted connections.

This topic covers how to configure the SSL enforcement mode on an existing instance. For information about how to configure the SSL enforcement mode when you create an instance, see create a primary instance.

Before you begin

  • The Google Cloud project you are using must have been enabled to access AlloyDB.
  • You must have one of these IAM roles in the Google Cloud project you are using:
    • roles/alloydb.admin (the AlloyDB Admin predefined IAM role)
    • roles/owner (the Owner basic IAM role)
    • roles/editor (the Editor basic IAM role)

    If you don't have any of these roles, contact your Organization Administrator to request access.

Configure the SSL enforcement mode on an instance

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Console

  1. Go to the Clusters page.

    Go to Clusters

  2. Click a cluster in the Resource name column.
  3. In the Overview page, go to the Instances in your cluster section, and click Edit primary.
  4. In the Edit primary instance pane, expand Advanced configuration options.
  5. Select Only allow SSL connections. This option is enabled by default; clear it only if you need the instance to accept unencrypted connections.
  6. Click Update instance.

gcloud

Use the gcloud alloydb instances update command with the --ssl-mode=ENCRYPTED_ONLY argument to allow only encrypted database connections to an AlloyDB instance.

gcloud alloydb instances update INSTANCE_ID \
    --region=REGION_ID \
    --cluster=CLUSTER_ID \
    --project=PROJECT_ID \
    --ssl-mode=ENCRYPTED_ONLY

Replace the following:

  • INSTANCE_ID: The ID of the instance that you are updating.
  • REGION_ID: The region where the instance is placed.
  • CLUSTER_ID: The ID of the cluster where the instance is placed.
  • PROJECT_ID: The ID of the project where the cluster is placed.

To allow unencrypted database connections to an instance, use the gcloud alloydb instances update command with the --ssl-mode=ALLOW_UNENCRYPTED_AND_ENCRYPTED argument. Use this mode only when a client cannot negotiate SSL: while it is set, any client that does not request SSL sends its credentials and query traffic to the instance in plaintext.

gcloud alloydb instances update INSTANCE_ID \
    --region=REGION_ID \
    --cluster=CLUSTER_ID \
    --project=PROJECT_ID \
    --ssl-mode=ALLOW_UNENCRYPTED_AND_ENCRYPTED

If the command returns an error message that includes the phrase invalid cluster state MAINTENANCE, then the cluster is undergoing routine maintenance. This temporarily disallows instance reconfiguration. Run the command again after the cluster returns to a READY state. To check the cluster's status, see View cluster details.
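Because the enforcement mode is a per-instance setting that can be relaxed by anyone with the roles listed above, a practitioner usually wants a way to audit a fleet for instances that are not in ENCRYPTED_ONLY and to generate the exact gcloud command that restores it. The following script is an added example, not code from the AlloyDB documentation or from Google. It assumes the JSON shape returned by `gcloud alloydb instances list --format=json`, with the mode at `clientConnectionConfig.sslConfig.sslMode` and the instance state in `state`; both field paths are assumptions to verify against `gcloud alloydb instances describe` before relying on them. The sample input embedded in the script is constructed, and instances that are not READY (for example, during maintenance, when the update above is rejected) are reported without a remediation command.

```python
import json
import re

ENCRYPTED_ONLY = "ENCRYPTED_ONLY"
ALLOW_UNENCRYPTED = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"

# Full resource name as returned by the API:
# projects/P/locations/R/clusters/C/instances/I
_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<region>[^/]+)"
    r"/clusters/(?P<cluster>[^/]+)/instances/(?P<instance>[^/]+)$"
)


def parse_instance_name(name: str) -> dict:
    """Split a full instance resource name into its project/region/cluster/instance IDs."""
    match = _NAME_RE.match(name)
    if not match:
        raise ValueError(f"unexpected instance resource name: {name!r}")
    return match.groupdict()


def ssl_mode(instance: dict) -> str:
    """Return the instance's SSL enforcement mode, or "UNKNOWN" if the field is absent.

    The field path is an assumption about the list output. An absent field is
    reported rather than silently treated as compliant.
    """
    return (
        instance.get("clientConnectionConfig", {})
        .get("sslConfig", {})
        .get("sslMode", "UNKNOWN")
    )


def remediation_command(name: str) -> list[str]:
    """Build the gcloud argv that re-enables ENCRYPTED_ONLY on one instance."""
    ids = parse_instance_name(name)
    return [
        "gcloud", "alloydb", "instances", "update", ids["instance"],
        f"--region={ids['region']}",
        f"--cluster={ids['cluster']}",
        f"--project={ids['project']}",
        f"--ssl-mode={ENCRYPTED_ONLY}",
    ]


def audit(list_json: str) -> list[dict]:
    """Return one finding per instance whose mode is not ENCRYPTED_ONLY.

    Each finding carries the remediation argv, or None when the instance is
    not READY (the update would be rejected, for example during maintenance).
    """
    findings = []
    for inst in json.loads(list_json):
        mode = ssl_mode(inst)
        if mode == ENCRYPTED_ONLY:
            continue
        ready = inst.get("state") == "READY"  # "state" field is an assumption
        findings.append({
            "name": inst["name"],
            "sslMode": mode,
            "state": inst.get("state", "UNKNOWN"),
            "fix": remediation_command(inst["name"]) if ready else None,
        })
    return findings


# Constructed sample of what `gcloud alloydb instances list --format=json`
# might return for one project. Not real output.
SAMPLE_LIST_JSON = json.dumps([
    {
        "name": "projects/example-proj/locations/us-central1/clusters/prod-cluster/instances/prod-primary",
        "state": "READY",
        "clientConnectionConfig": {"sslConfig": {"sslMode": ENCRYPTED_ONLY}},
    },
    {
        "name": "projects/example-proj/locations/us-central1/clusters/prod-cluster/instances/prod-readpool",
        "state": "READY",
        "clientConnectionConfig": {"sslConfig": {"sslMode": ALLOW_UNENCRYPTED}},
    },
    {
        "name": "projects/example-proj/locations/us-central1/clusters/staging-cluster/instances/staging-primary",
        "state": "MAINTENANCE",
        "clientConnectionConfig": {},
    },
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_LIST_JSON):
        fix = " ".join(finding["fix"]) if finding["fix"] else "instance not READY; retry after it returns to READY"
        print(f"{finding['name']}: sslMode={finding['sslMode']} state={finding['state']}")
        print(f"  {fix}")
```

Run it against live data by replacing SAMPLE_LIST_JSON with the output of `gcloud alloydb instances list --format=json`; the generated argv matches the update command shown above, so the findings can be reviewed before anything is changed.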