You can create a connection profile on its own or in the context of creating a specific migration job. Either way, all connection profiles are available for review and modification on the Connection profiles page, and can be reused across migration jobs.
Creating a source connection profile on its own is useful if the person who has the source access information is not the same person who creates the migration job. You can also reuse a source connection profile definition in multiple migration jobs.
Create a connection profile
- Go to the Connection profiles page in the Google Cloud Console.
- Click CREATE PROFILE.
- Supply the required information for a connection profile:
- Populate the Info to connect to your source section of the page.
- Select a Source database engine from the drop-down list.
- Enter a Connection profile name. This is used in the connection profile list as well as when an existing connection profile is selected in the creation of a migration job.
- Keep the auto-generated Connection profile ID.
- Enter a Hostname or IP address.
If the source database is hosted in Google Cloud or if a reverse SSH tunnel is used to connect the destination database to the source database, then specify the private (internal) IP address for the source database. This address will be accessible by the Cloud SQL destination. For more information, see Configure connectivity using VPC peering.
For other connectivity methods, such as IP allowlist, provide the public IP address.
- MySQL limits the hostname to 60 characters. Amazon RDS database hostnames are typically longer than 60 characters. If this is the case for the database you're migrating, then configure a DNS redirect to create a CNAME record that associates your domain name with the domain name of your RDS DB instance. You can read more about setting up DNS CNAME in Google Cloud or in AWS Route53.
- Enter the Port that's used to access the host. The default MySQL port is 3306.
- In the Connection profile region section of the page, select the region where you want to save the connection profile.
- Optional: If the connection is made over a public network (by using IP allowlists), then we recommend using SSL/TLS encryption for the connection between the source and destination databases.
There are three options for the SSL/TLS configuration that you can select from the Secure your connection section of the page:
- None: The Cloud SQL destination instance connects to the source database without encryption.
- Server-only authentication: When the Cloud SQL destination instance connects to the source database, the instance authenticates the source, ensuring that the instance is connecting to the correct host securely. This prevents person-in-the-middle attacks. For server-only authentication, the source doesn't authenticate the instance.
To use server-only authentication, you must provide the x509 PEM-encoded certificate of the certificate authority (CA) that signed the external server's certificate.
- Server-client authentication: When the destination instance connects to the source, the instance authenticates the source and the source authenticates the instance.
Server-client authentication provides the strongest security. However, if you don't want to provide the client certificate and private key when you create the Cloud SQL destination instance, you can still use server-only authentication.
To use server-client authentication, you must provide the following items when you create the source connection profile:
- The certificate of the CA that signed the source database server's certificate (the CA certificate).
- The certificate used by the instance to authenticate against the source database server (the client certificate).
- The private key associated with the client certificate (the client key).
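A pre-flight check for the values described above, as an added example that is not part of the original documentation or of any Google tooling. The dictionary keys (`host`, `port`, `tls`, `ca_certificate`, `client_certificate`, `client_key`) are names assumed for this example, and the check reads only PEM headers, so it catches missing or swapped items but does not validate certificate contents.

```python
import ipaddress
import re

# Items each SSL/TLS option requires (field names are this example's own).
REQUIRED = {
    "none": [],
    "server-only": ["ca_certificate"],
    "server-client": ["ca_certificate", "client_certificate", "client_key"],
}
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_kind(text):
    """Return 'certificate', 'key' or None from the first PEM header in text."""
    m = PEM_LABEL.search(text or "")
    if not m:
        return None
    label = m.group(1)
    if label == "CERTIFICATE":
        return "certificate"
    return "key" if label.endswith("PRIVATE KEY") else None

def is_public_ip(host):
    """True only for a literal IP address that is globally routable."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname: not resolved here, the check runs offline

def preflight(profile):
    """Return a list of problems found in the profile dict; empty means none."""
    problems = []
    host, mode = profile.get("host", ""), profile.get("tls", "none")
    if not host:
        problems.append("hostname or IP address is missing")
    elif len(host) > 60:
        problems.append("hostname exceeds MySQL's 60-character limit; use a CNAME")
    port = profile.get("port", 3306)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer from 1 to 65535")
    if mode not in REQUIRED:
        return problems + [f"unknown TLS option: {mode!r}"]
    if mode == "none" and is_public_ip(host):
        problems.append("public IP address with no SSL/TLS encryption")
    for field in REQUIRED[mode]:
        want = "key" if field == "client_key" else "certificate"
        got = pem_kind(profile.get(field))
        if got is None:
            problems.append(f"{field} is missing or not PEM-encoded")
        elif got != want:
            problems.append(f"{field} holds a PEM {got}, expected a {want}")
    return problems
```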