Public IP connectivity is most appropriate when the source database is external to Google Cloud
and has an externally accessible IPv4 address and TCP port. If the source
database is hosted in another VPC in Google Cloud, then the easiest way to
connect the source database with the Cloud SQL instance is by using VPC Peering.
If your source database is external to Google Cloud, then add the destination database's outgoing
IP address (and port 5432) as an inbound firewall rule on the source network. In
generic terms (your specific network settings may differ), do the following:
Open the source database machine's network firewall rules.
Create an inbound rule.
Set the Rule type to PostgreSQL to AlloyDB.
Set the Protocol to TCP.
Set the Port range to 5432.
Set the Source IP address to the destination database's outgoing IP address. For example:
12.20.36.126/32. (The /32 designation in CIDR notation limits the
address range to one address only, the one provided. It's setting the subnet
mask to 255.255.255.255). If the Cloud SQL instance you created
is a high availability instance, include the outgoing IP addresses for both
the primary and the secondary instance.
Update the pg_hba.conf file or AWS RDS security groups to accept connections from this IP address.
Save the firewall rule and exit.
It's also highly recommended to use SSL/TLS during the definition of the source
connection profile so that the data sent to and received by the source is
secure.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003ePublic IP connectivity is recommended when the source database is outside of Google Cloud and has a publicly accessible IPv4 address and TCP port.\u003c/p\u003e\n"],["\u003cp\u003eFor source databases external to Google Cloud, the destination database's outgoing IP address should be added as an inbound firewall rule on the source network, allowing TCP traffic on port 5432.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003epg_hba.conf\u003c/code\u003e file or AWS RDS security groups should be updated to accept connections from the destination database's outgoing IP address.\u003c/p\u003e\n"],["\u003cp\u003eIt is highly recommended to use SSL/TLS to secure the data sent to and received by the source during the source connection profile definition.\u003c/p\u003e\n"]]],[],null,["# Configure connectivity using IP allowlists\n\n\u003cbr /\u003e\n\n[MySQL](/database-migration/docs/mysql/configure-connectivity-ip-allowlists \"View this page for the MySQL version of Database Migration Service.\") \\| [PostgreSQL](/database-migration/docs/postgres/configure-connectivity-ip-allowlists \"View this page for the PostgreSQL version of Database Migration Service.\") \\| PostgreSQL to AlloyDB\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nOverview\n--------\n\nPublic IP connectivity is most appropriate when the source database is external to Google Cloud\nand has an externally accessible IPv4 address and TCP port. If the source\ndatabase is hosted in another VPC in Google Cloud, then the easiest way to\nconnect the source database with the Cloud SQL instance is by using VPC Peering.\n\nIf your source database is external to Google Cloud, then add the destination database's **outgoing\nIP address** (and port 5432) as an inbound firewall rule on the source network. In\ngeneric terms (your specific network settings may differ), do the following:\n\n1. Open the source database machine's network firewall rules.\n\n2. Create an inbound rule.\n\n3. Set the Rule type to `PostgreSQL to AlloyDB`.\n\n4. Set the Protocol to `TCP`.\n\n5. Set the Port range to 5432.\n\n6. Set the Source IP address to the destination database's **outgoing IP address** . For example:\n `12.20.36.126/32`. (The /32 designation in CIDR notation limits the\n address range to one address only, the one provided. It's setting the subnet\n mask to `255.255.255.255`). If the Cloud SQL instance you created\n is a high availability instance, include the outgoing IP addresses for both\n the primary and the secondary instance.\n\n \u003cbr /\u003e\n\n\n Update the `pg_hba.conf` file or AWS RDS security groups to accept connections from this IP address.\n7. Save the firewall rule and exit.\n\n| You can test connectivity by adding another, temporary inbound firewall rule using the IP address of your local machine (or `0.0.0.0/0` to allow access from anywhere), and then running the following telnet command: `telnet [SOURCE_DB_IP_ADDRESS] 5432`. The connection should succeed. Delete the temporary firewall rule.\n\nIt's also highly recommended to use SSL/TLS during the definition of the source\nconnection profile so that the data sent to and received by the source is\nsecure."]]
