Create a source connection profile

Overview

You can create a connection profile on its own or in the context of creating a specific migration job. Either way, all connection profiles are available for review and modification on the Connection profiles page, and can be reused across migration jobs.

Creating a source connection profile on its own is useful if the person who has the source access information is not the same person who creates the migration job. You can also reuse a source connection profile definition in multiple migration jobs. If you use the same profile for multiple migrations, you need to update the max_replication_slots parameter in the source database to account for the number of replicas you're creating.

Create a new connection profile

  1. Go to the Connection profiles page in the Google Cloud Console.
  2. Click CREATE PROFILE.
  3. Supply the required information for a connection profile:
    1. Populate the Info to connect to your source section of the page.
      1. Select a Source database engine from the drop-down list.

      2. Enter a Connection profile name. This is used in the connection profile list as well as when an existing connection profile is selected in the creation of a migration job.
      3. Keep the auto-generated Connection profile ID.
      4. Enter a Hostname or IP address.
        • If the source database is hosted in Google Cloud or if a reverse SSH tunnel is used to connect the destination database to the source database, then specify the private (internal) IP address for the source database. For other connectivity methods, provide the public IP address.
      5. Enter the Port that's used to access the host. The default PostgreSQL port is 5432.
    2. Enter a username and password for the source database. The user must have these privileges.
    3. Optional: If the connection is made over a public network (by using IP allowlists), then we recommend using SSL/TLS encryption for the connection between the source and destination databases. There are three options for the SSL/TLS configuration:
      1. None: The Cloud SQL destination instance connects to the source database without encryption.
      2. Server-only authentication: When the Cloud SQL destination instance connects to the source database, the instance authenticates the source, ensuring that the instance is connecting to the correct host securely. This prevents person-in-the-middle attacks. For server-only authentication, the source doesn't authenticate the instance.

        To use server-only authentication, you must provide the x509 PEM-encoded certificate of the certificate authority (CA) that signed the external server's certificate.

      3. Server-client authentication: When the destination instance connects to the source, the instance authenticates the source and the source authenticates the instance.

        Server-client authentication provides the strongest security. However, if you don't want to provide the client certificate and private key when you create the Cloud SQL destination instance, you can still use server-only authentication.

        To use server-client authentication, you must provide the following items when you create the source connection profile:

        • The certificate of the CA that signed the source database server's certificate (the CA certificate).
        • The certificate used by the instance to authenticate against the source database server (the client certificate).
        • The private key associated with the client certificate (the client key).
  4. Click CREATE at the bottom of the page. The Connection profiles page appears, and the newly created connection profile is displayed.