Overview
All connection profiles are available for review and modification on the Connection profiles page, and can be reused across migration jobs.
Creating a source or destination connection profile on its own is useful if the person who has access information to the source or destination isn't the same person who creates the migration job. You can also reuse a source or destination connection profile definition in multiple migration jobs.
To see which source and destination databases Database Migration Service supports, see Supported source and destination databases.
In this page, you learn how to create connection profiles to:
- A source Oracle database
- A destination Cloud SQL for PostgreSQL database
Create an Oracle connection profile
Go to the Connection profiles page in the Google Cloud Console.
Click CREATE PROFILE.
On the Create a connection profile page, from the Profile role list, select Source.
From the Database engine list, select Oracle (because you want to create a connection profile for an Oracle database).
Use the following table to populate the fields of the Define connection settings section of the Create a connection profile page:
| Field | Description |
| --- | --- |
| Connection profile name | Enter the display name of the connection profile to the source Oracle database. This is used in the connection profile list as well as when an existing connection profile is selected in the creation of a migration job or conversion workspace. |
| Connection profile ID | Database Migration Service populates this field automatically based on the connection profile name that you enter. You can keep the ID that's auto-generated or change it. |
| Region | Select the region where the connection profile is stored. Connection profiles, like all resources, are saved in a region, and a migration job or conversion workspace can use only connection profiles that are stored in the same region. Region selection doesn't impact whether Database Migration Service can connect to the source, but can impact connectivity to the destination and availability if the region experiences downtime. This choice is permanent and can't be changed. |
| Hostname or IP | Enter a hostname or IP address that Database Migration Service can use to connect to the source Oracle database. If the source database is hosted in Google Cloud, a forward SSH tunnel is used to connect the destination database to the source database, or Database Migration Service will communicate with the source database over a private network through a Virtual Private Cloud (VPC) peering connection, then specify the private (internal) IP address for the source database. For other connectivity methods, such as IP allowlisting, provide the public IP address. |
| Port | Enter the port number that's reserved for the source database. The default port is typically 1521. |
| Username | Enter the username of the account for the source database (for example, ROOT). This is the Database Migration Service user that you created for the database. For more information about creating this user, see Configure your source Oracle database. |
| Password | Enter the password of the account for the source database. |
| Service name | Enter the service that ensures that the source Oracle database is protected and monitored. For Oracle databases, the database service is typically ORCL. For pluggable databases, SID is the pluggable database name. |

In the Define connection settings section, click CONTINUE. The Secure your connection section is active.
Optional: If the connection is made over a public network (by using IP allowlists), then we recommend using SSL/TLS encryption for the connection to your source database.
There are two options for the SSL/TLS configuration that you can select from the Secure your connection section of the page:
- None: The connection to the Oracle source database is unencrypted. Not recommended for connections over the public internet.
- Server-only authentication: Database Migration Service connects to the source database over SSL and authenticates it, ensuring that it is connecting to the correct host. This prevents person-in-the-middle attacks.
  To use server-only authentication, you must provide the x509 PEM-encoded certificate of the certificate authority (CA) that signed your Oracle server's certificate. If you're having trouble uploading the key, then select the Enter manually option, and copy and paste the key into the text area.
In the Secure your connection section, click CONTINUE. The Define connectivity method section is active.
From the Connectivity method drop-down menu, select a network connectivity method. This method defines how Database Migration Service will connect to the source database. Current network connectivity methods include:
- IP allowlisting: This method works by configuring the source database server to accept connections from Database Migration Service. If you select this network connectivity method, then configure your source database to allow incoming connections from the Database Migration Service public IP addresses for the region that you specified for the connection profile.
- Forward-SSH tunnel: This method establishes secure, encrypted connectivity between Database Migration Service and the source database, using an SSH tunnel to either a tunnel server or to the database server. If you select this network connectivity method, then:
  - Enter the hostname or IP address, and port of the tunnel host server.
  - Enter the username of the account for the tunnel host server.
  - Select the authentication method for the SSH tunnel. If you select Password as the method, then enter the password of the account for the bastion host VM. If you select Private/Public key pair as the method, then provide a private key.
  - Configure your tunnel host to allow incoming connections from the Database Migration Service public IP addresses for the region that you specified for the connection profile.
- Private connection: This method establishes secure connectivity to any virtual private cloud (VPC) by using a special private connectivity bridge that's managed by Database Migration Service.
  To use this connectivity method, you first need to create a private connectivity configuration.
  - If you have an existing private connectivity configuration, select it from the list of configurations.
  - If you don't have an existing private connectivity configuration, first create it and then return to this process. See Create a private connectivity configuration.
Click RUN TEST to verify that Database Migration Service can communicate with the source.
If the test fails, then it indicates which part of the process had an issue. Necessary changes can be made and then re-tested on the Create a connection profile page.
Navigate to the part of the flow in question to correct the issue, and then retest.
Click CREATE.
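The address and encryption rules in the steps above can be checked before the form is filled in. The following is an added example, not part of the original page or of Database Migration Service; the field names and method keys are hypothetical, and "private (internal)" is assumed to mean RFC 1918 address space.

```python
import ipaddress

# Assumption: "private (internal)" means RFC 1918 space. Field names and
# method keys below are hypothetical and mirror the console form only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_PATHS = {"forward_ssh", "private_connection"}


def lint_source_profile(profile):
    """Return findings for a planned Oracle source connection profile."""
    findings = []
    method = profile["connectivity"]
    tls = profile.get("tls", "none")

    try:
        addr = ipaddress.ip_address(profile["host"])
    except ValueError:
        addr = None  # a hostname: cannot be classified offline, skip IP checks

    if addr is not None:
        internal = any(addr in net for net in INTERNAL_NETS)
        if method in PRIVATE_PATHS and not internal:
            findings.append("private path selected but host is not an internal IP")
        if method == "ip_allowlist" and internal:
            findings.append("IP allowlisting selected but host is an internal IP")

    if method == "ip_allowlist" and tls == "none":
        findings.append("unencrypted connection over a public network")
    if tls == "server_only" and not profile.get("ca_pem"):
        findings.append("server-only authentication needs the CA certificate")
    if not 1 <= int(profile.get("port", 1521)) <= 65535:
        findings.append("port out of range")
    return findings


# Constructed sample profiles (documentation and RFC 1918 addresses).
SAMPLES = {
    "allowlist-plain": {"host": "203.0.113.10", "port": 1521,
                        "connectivity": "ip_allowlist", "tls": "none"},
    "ssh-public-host": {"host": "203.0.113.10", "port": 1521,
                        "connectivity": "forward_ssh", "tls": "none"},
    "private-ok": {"host": "10.20.0.5", "port": 1521,
                   "connectivity": "private_connection", "tls": "none"},
}

if __name__ == "__main__":
    for name, profile in SAMPLES.items():
        print(name, lint_source_profile(profile))
```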
Create a Cloud SQL for PostgreSQL connection profile
Go to the Connection profiles page in the Google Cloud Console.
Click CREATE PROFILE.
On the Create a connection profile page, from the Profile role list, select Destination.
From the Database engine list, select Cloud SQL for PostgreSQL.
Use the following table to populate the fields of the Define connection settings section of the Create a connection profile page:
| Field | Description |
| --- | --- |
| Connection profile name | Enter the display name of the connection profile to the destination Cloud SQL for PostgreSQL database. This is used in the connection profile list as well as when an existing connection profile is selected in the creation of a migration job or conversion workspace. |
| Connection profile ID | Database Migration Service populates this field automatically based on the connection profile name that you enter. You can keep the ID that's auto-generated or change it. |
| Region | Select the region where the connection profile is stored. Connection profiles, like all resources, are saved in a region, and a migration job or conversion workspace can use only connection profiles that are stored in the same region. Region selection doesn't impact whether Database Migration Service can connect to the source, but can impact connectivity to the destination and availability if the region experiences downtime. This choice is permanent and can't be changed. |
| Cloud SQL instance | Select the Cloud SQL instance that you want to migrate. |
| Hostname or IP | Enter a hostname or IP address that Database Migration Service can use to connect to the Cloud SQL for PostgreSQL database. |
| Port | Enter the port number that's reserved for the database. The default port is typically 5432. |
| Username | Enter the username of the account for the source database (for example, postgres). This is the Database Migration Service user that you created for the database. For more information about creating this user, see Configure your destination Cloud SQL for PostgreSQL database. |
| Password | Enter the password of the account for the database. |
In the Define connection settings section, click CONTINUE. The Secure your connection section is active.
Optional: If the connection is made over a public network (by using IP allowlists), then we recommend using SSL/TLS encryption for the connection to your destination database.
There are three options for the SSL/TLS configuration that you can select from the Secure your connection section of the page:
- None: The connection to the Cloud SQL for PostgreSQL destination database is unencrypted.
- Server-only authentication: Database Migration Service connects to the destination database over SSL and authenticates it, ensuring that it is connecting to the correct host. This prevents person-in-the-middle attacks.
  To use server-only authentication, you must provide Database Migration Service with the x509 PEM-encoded certificate of the certificate authority (CA) that signed the destination database certificate. For more information about creating certificates and keys for your Cloud SQL for PostgreSQL destination, see Secure TCP/IP Connections with SSL.
- Server-client authentication: Database Migration Service connects to the destination instance, and the destination instance authenticates Database Migration Service to ensure that the connection comes from a trusted client. Then, Database Migration Service authenticates the destination instance, ensuring that it is connecting to the correct host.
  Server-client authentication provides the strongest security. However, if you don't want to provide the client certificate and private key when you create the Cloud SQL for PostgreSQL destination instance, you can still use server-only authentication.
  To use server-client authentication, you must provide the following items when you create the source connection profile:
  - The certificate of the CA that signed the source database server's certificate (the CA certificate).
  - The certificate used by the instance to authenticate against the source database server (the client certificate).
  - The private key associated with the client certificate (the client key).
In the Secure your connection section, click CONTINUE. The Define connectivity method section is active.
From the Connectivity method drop-down menu, select a network connectivity method. This method defines how Database Migration Service will connect to the database. Current network connectivity methods include:
- Not defined: Select this method to use this connection profile to migrate data to a different Cloud SQL for PostgreSQL instance.
- Public IP: Select this method to use this connection profile to migrate data from a different source database type, such as Oracle. This method works if you configured your destination Cloud SQL for PostgreSQL instance to accept connections over a public IP address. For more information on enabling connections over a public IP address, see Configure public IP.
- Private IP: Select this method to use this connection profile to migrate your Oracle workloads using the private IP address of the destination Cloud SQL instance. If you select this option, also select your service attachment from the Service attachment name list. You can use this connectivity method for:
  - PSC-enabled Cloud SQL instances
  - PSA Cloud SQL instances (i.e. instances that aren't enabled for Private Service Connect, but have their own PSC producer setup for Database Migration Service)
  For more information on Private Service Connect Database Migration Service, see Configure Private Service Connect for a destination instance.
Click RUN TEST to verify that Database Migration Service can communicate with the destination database.
If the test fails, then it indicates which part of the process had an issue. Necessary changes can be made and then re-tested on the Create a connection profile page.
Navigate to the part of the flow in question to correct the issue, and then retest.
Click CREATE.
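The Secure your connection step asks for up to three PEM items (CA certificate, client certificate, client key), and pasting one into the wrong field is an easy mistake that can put a private key where a certificate belongs. The following is an added example, not part of the original page; it checks PEM framing and block type only, not certificate validity, and the function names and sample values are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_labels(text):
    """Labels of the well-formed PEM blocks in text (framing check only)."""
    labels = []
    for label, body in PEM_BLOCK.findall(text or ""):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # truncated or corrupted paste
            continue
        labels.append(label)
    return labels


def check_tls_material(ca_pem, client_cert_pem=None, client_key_pem=None):
    """Return problems with the PEM text destined for each form field."""
    problems = []
    ca = pem_labels(ca_pem)
    if any(label.endswith("PRIVATE KEY") for label in ca):
        problems.append("private key pasted into the CA certificate field")
    elif not ca or any(label != "CERTIFICATE" for label in ca):
        problems.append("CA certificate field must hold only CERTIFICATE blocks")

    if (client_cert_pem is None) != (client_key_pem is None):
        problems.append("client certificate and client key go together")
    elif client_cert_pem is not None:  # server-client authentication
        if pem_labels(client_cert_pem) != ["CERTIFICATE"]:
            problems.append("client certificate field needs one CERTIFICATE block")
        key = pem_labels(client_key_pem)
        if len(key) != 1 or not key[0].endswith("PRIVATE KEY"):
            problems.append("client key field needs one private key block")
    return problems


def sample_pem(label, body=None):
    """Constructed placeholder PEM: valid framing, not a real certificate."""
    body = body or base64.b64encode(b"constructed placeholder bytes").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


CA, CERT = sample_pem("CERTIFICATE"), sample_pem("CERTIFICATE")
KEY = sample_pem("PRIVATE KEY")
```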