Configure connectivity using IP allowlists

Public IP connectivity is most appropriate when the source database is external to Google Cloud and has an externally accessible IPv4 address and TCP port. If the source database is hosted in another VPC in Google Cloud, then the easiest way to connect the source database with the Cloud SQL instance is by using VPC Peering.

If your source database is external to Google Cloud, create an inbound firewall rule on the source network that allows the destination's outgoing IP address (and port 5432). In generic terms (your specific network settings may differ), do the following:

  1. Open the source database machine's network firewall rules.

  2. Create a new inbound rule.

  3. Set the Rule type to PostgreSQL.

  4. Set the Protocol to TCP.

  5. Set the Port range to 5432.

  6. Set the Source IP address to the destination outgoing IP address. For example: (The /32 designation in CIDR notation limits the address range to one address only, the one provided. It is setting the subnet mask to

    You can use the SQL Instances page in the Google Cloud Console to locate the outgoing IP address.

    Update the pg_hba.conf file or AWS RDS security groups to accept connections from this IP address.

  7. Save the new firewall rule and exit.

We also highly recommend configuring SSL/TLS when you define the source connection profile, so that the data sent to and received by the source is secure.

Learn more about SSL/TLS certificates for PostgreSQL.
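
To check a pg_hba.conf against the allowlist steps and the SSL/TLS recommendation above, the following added example (not part of the original documentation or of any Google tool) reports whether the destination's outgoing IP is admitted, whether the matching record is wider than /32, and whether plaintext connections are accepted. The address 203.0.113.10 and the names appdb and migration_user are assumptions, and database and user matching is reduced to `all` or exact names.

```python
import ipaddress

# Connection kinds each record type applies to: True = TLS, False = plaintext.
APPLIES = {"host": {True, False}, "hostssl": {True}, "hostnossl": {False}}
# Constructed samples: 203.0.113.10, appdb and migration_user are hypothetical values.
WEAK = "host    all   all            0.0.0.0/0       md5\n"
TIGHT = "hostssl appdb migration_user 203.0.113.10/32 scram-sha-256\n"

def parse_hba(text):
    """Return evaluated records in file order: (type, dbs, users, networks, method)."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f or f[0] not in APPLIES:
            continue  # blank, comment, or a type not covered here (local, hostgssenc)
        try:
            if f[3] == "all":
                nets, method = ["0.0.0.0/0", "::/0"], f[4]
            elif "/" in f[3]:
                nets, method = [f[3]], f[4]
            else:  # address and netmask given in separate columns
                nets, method = [f"{f[3]}/{f[4]}"], f[5]
            nets = [ipaddress.ip_network(n, strict=False) for n in nets]
        except (ValueError, IndexError):
            continue  # host names, samehost, samenet: not evaluated here
        rules.append((f[0], f[1].split(","), f[2].split(","), nets, method))
    return rules

def first_match(rules, ip, db, user, tls):
    """PostgreSQL applies the first record matching type, database, user and address."""
    ip = ipaddress.ip_address(ip)
    for typ, dbs, users, nets, method in rules:
        if (tls in APPLIES[typ] and ("all" in dbs or db in dbs)
                and ("all" in users or user in users)
                and any(ip in n for n in nets if n.version == ip.version)):
            return typ, nets, method
    return None

def audit(text, dest_ip, db, user):
    """Return findings about how the destination's outgoing IP is treated."""
    rules, findings = parse_hba(text), []
    tls, plain = (first_match(rules, dest_ip, db, user, t) for t in (True, False))
    if tls is None or tls[2] == "reject":
        findings.append("destination IP is not allowed over TLS")
    elif any(n.num_addresses > 1 for n in tls[1]):
        findings.append("matching record is wider than a single address (/32)")
    if plain and plain[2] != "reject":
        findings.append("plaintext (non-TLS) connections from this IP are accepted")
    return findings
```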