Configure network connectivity to Cloud SQL for SQL Server sources
Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to configure network connectivity to Cloud SQL for SQL Server
sources for heterogeneous SQL Server to AlloyDB for PostgreSQL
migrations with Database Migration Service.
There are two different methods you can use to configure the necessary
network connectivity for migrations from Cloud SQL for SQL Server sources:
For Cloud SQL for SQL Server sources, it is possible to configure connectivity over
a forward-SSH tunnel, but we don't recommend this method. If you want to
use a connection over private networks, use the
Private IP connectivity with Virtual Private Cloud peering method.
To learn more about source database network connectivity, see
Source networking methods overview.
Configure IP allowlist connectivity
To configure IP allowlist connectivity for Cloud SQL for SQL Server sources,
follow these steps:
Enable public IP for your source Cloud SQL for SQL Server instance and add
Database Migration Service public IP ranges to the list of authorized networks.
Make sure authorize Database Migration Service public IP addresses for the
region where you use Database Migration Service.
In the Define connection details section, enter your
Cloud SQL instance public IP.
In the Define connectivity method section,
select IP allowlist.
Configure connectivity over a forward-SSH tunnel
Forward-SSH tunnels work well if you want to create a connection
that is more secure than a public IP connection, but your source private IP
can't be reached directly from the Google Cloud network to create
a Virtual Private Cloud peering connection. Cloud SQL for SQL Server sources reside within
Google Cloud networks, so if you want to use a private connection, we recommend
that you
configure private connectivity for your source instead.
If you can't use Virtual Private Cloud peering, consider using the
IP allowlist connectivity method.
We don't recommend forward-SSH tunnels for Cloud SQL for SQL Server source
connectivity. Adding an SSH server to your architecture
can increase the complexity of your migration configuration, but in the case
of Cloud SQL for SQL Server sources it doesn't increase security. You still need to expose
the SSH server to the internet, but can't secure it with the
authorized networks feature
like you can if you set up Cloud SQL for SQL Server for public IP connectivity.
Configure private connectivity with VPC peering
Private connectivity with Cloud SQL for SQL Server sources for heterogeneous
migrations uses Virtual Private Cloud (VPC) peering to create a connection
between Database Migration Service and your source database over VPC networks
in Google Cloud. Transitive peering isn't supported, so for
this connectivity method to work, you need to set up a reverse proxy
Virtual Machine (VM) in your Virtual Private Cloud network.
To use private connectivity with VPC peering, follow these steps:
This is the network that you peer with Database Migration Service and your source
database server. You need to have enough space to allocate IP ranges
for both components.
Ensure your source Cloud SQL for SQL Server instance has a private IP enabled.
When you enable a private IP for a Cloud SQL for SQL Server instance, you select a VPC
network to peer with. Make sure you choose the network where you later
intend to create the Database Migration Service private connectivity configuration.
You can't later disable private IP for the Cloud SQL instance.
For more information, see
Enable private IP for Cloud SQL instances.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis page provides guidance on configuring network connectivity for heterogeneous SQL Server to AlloyDB for PostgreSQL migrations using Database Migration Service, specifically for Cloud SQL for SQL Server sources.\u003c/p\u003e\n"],["\u003cp\u003eThe two recommended methods for configuring network connectivity for these migrations are using a public IP allowlist or employing private IP connectivity with Virtual Private Cloud (VPC) peering.\u003c/p\u003e\n"],["\u003cp\u003eFor Cloud SQL for SQL Server sources, configuring private connectivity with VPC peering is preferred over forward-SSH tunnels because it's a more secure approach that doesn't require exposing an SSH server to the internet.\u003c/p\u003e\n"],["\u003cp\u003eTo configure private connectivity with VPC peering, you must have a VPC network with private services access enabled, a source Cloud SQL for SQL Server instance with a private IP enabled, a reverse proxy VM, and a private connectivity configuration in Database Migration Service.\u003c/p\u003e\n"]]],[],null,["# Configure network connectivity to Cloud SQL for SQL Server sources\n\nThis page describes how to configure network connectivity to Cloud SQL for SQL Server\nsources for heterogeneous SQL Server to AlloyDB for PostgreSQL\nmigrations with Database Migration Service.\n\nThere are two different methods you can use to configure the necessary\nnetwork connectivity for migrations from Cloud SQL for SQL Server sources:\n\n- [Public IP allowlist](#ip-allowlist#)\n\n- [Private IP connectivity with Virtual Private Cloud peering](#private-vpc-peering)\n\nFor Cloud SQL for SQL Server sources, it is possible to configure connectivity over\na forward-SSH tunnel, but we don't recommend this method. If you want to\nuse a connection over private networks, use the\n*Private IP connectivity with Virtual Private Cloud peering* method.\nTo learn more about source database network connectivity, see\n[Source networking methods overview](/database-migration/docs/sqlserver-to-alloydb/networking-methods-source).\n\nConfigure IP allowlist connectivity\n-----------------------------------\n\nTo configure IP allowlist connectivity for Cloud SQL for SQL Server sources,\nfollow these steps:\n\n1. Enable public IP for your source Cloud SQL for SQL Server instance and add\n Database Migration Service public IP ranges to the list of authorized networks.\n Make sure authorize Database Migration Service public IP addresses for the\n region where you use Database Migration Service.\n\n For more information, see the following pages:\n - [Enable public IP](/sql/docs/sqlserver/configure-ip#add) in the Cloud SQL documentation.\n - [List of Database Migration Service public IP addresses](/database-migration/docs/sqlserver-to-alloydb/ip-allowlists-and-regions).\n2. At a later stage, when you [create the source connection profile](/database-migration/docs/sqlserver-to-alloydb/create-source-connection-profile), do the following:\n 1. In the **Define connection details** section, enter your Cloud SQL instance public IP.\n 2. In the **Define connectivity method** section, select **IP allowlist**.\n\nConfigure connectivity over a forward-SSH tunnel\n------------------------------------------------\n\nForward-SSH tunnels work well if you want to create a connection\nthat is more secure than a public IP connection, but your source private IP\ncan't be reached directly from the Google Cloud network to create\na Virtual Private Cloud peering connection. Cloud SQL for SQL Server sources reside within\nGoogle Cloud networks, so if you want to use a private connection, we recommend\nthat you [configure private connectivity](#private-vpc-peering) for your source instead.\n\nIf you can't use Virtual Private Cloud peering, consider using the\n[IP allowlist connectivity method](#ip-allowlist).\nWe don't recommend forward-SSH tunnels for Cloud SQL for SQL Server source\nconnectivity. Adding an SSH server to your architecture\ncan increase the complexity of your migration configuration, but in the case\nof Cloud SQL for SQL Server sources it doesn't increase security. You still need to expose\nthe SSH server to the internet, but can't secure it with the\n[authorized networks feature](/alloydb/docs/connect-public-ip#update-network)\nlike you can if you set up Cloud SQL for SQL Server for public IP connectivity.\n\nConfigure private connectivity with VPC peering\n-----------------------------------------------\n\nPrivate connectivity with Cloud SQL for SQL Server sources for heterogeneous\nmigrations uses Virtual Private Cloud (VPC) peering to create a connection\nbetween Database Migration Service and your source database over VPC networks\nin Google Cloud. Transitive peering isn't supported, so for\nthis connectivity method to work, you need to set up a reverse proxy\nVirtual Machine (VM) in your Virtual Private Cloud network.\n\nTo use private connectivity with VPC peering, follow these steps:\n\n1. In your project, ensure you have a Virtual Private Cloud network with\n [Virtual Private Cloud network with private services access enabled](/vpc/docs/configure-private-services-access).\n\n This is the network that you peer with Database Migration Service and your source\n database server. You need to have enough space to allocate IP ranges\n for both components.\n2. Ensure your source Cloud SQL for SQL Server instance has a private IP enabled.\n\n When you enable a private IP for a Cloud SQL for SQL Server instance, you select a VPC\n network to peer with. Make sure you choose the network where you later\n intend to create the Database Migration Service private connectivity configuration.\n You can't later disable private IP for the Cloud SQL instance.\n For more information, see\n [Enable private IP for Cloud SQL instances](/sql/docs/postgres/configure-private-ip).\n3. In your Virtual Private Cloud network, create and configure a reverse proxy VM. For more information, see [Establish private connectivity using proxies](/database-migration/docs/sqlserver-to-alloydb/configure-src-connection-reverse-proxy).\n4. In Database Migration Service, [create a private connectivity configuration](/database-migration/docs/sqlserver-to-alloydb/create-private-connectivity-configuration) to peer with the VPC network where your Cloud SQL has the private IP assigned.\n5. At a later stage, when you [create the source connection profile](/database-migration/docs/sqlserver-to-alloydb/create-source-connection-profile), do the following:\n 1. In the **Define connection details** section, enter the private IP of your source Cloud SQL for SQL Server instance.\n\n You can view your instance's **private IP address** when you\n [view instance summary information](/sql/docs/sqlserver/instance-info).\n\n\n 2. In the **Define connectivity method** section, select **Private connectivity (VPC peering)**.\n 3. From the drop-down menu, select the private connectivity configuration you created in the previous step.\n\nWhat's next\n-----------\n\n- Learn about source connection profiles. See\n [Create a source connection profile](/database-migration/docs/sqlserver-to-alloydb/create-source-connection-profile).\n\n- To get a complete, step-by-step migration walkthrough, see\n [SQL Server to AlloyDB for PostgreSQL migration guide](/database-migration/docs/sqlserver-to-alloydb/guide)."]]
