Configure network connectivity to Cloud SQL for SQL Server sources

This page describes how to configure network connectivity to Cloud SQL for SQL Server sources for heterogeneous SQL Server to AlloyDB for PostgreSQL migrations with Database Migration Service.

There are two different methods you can use to configure the necessary network connectivity for migrations from Cloud SQL for SQL Server sources:

• Public IP allowlist

• Private IP connectivity with Virtual Private Cloud peering

For Cloud SQL for SQL Server sources, it is possible to configure connectivity over a forward-SSH tunnel, but we don't recommend this method. If you want to use a connection over private networks, use the Private IP connectivity with Virtual Private Cloud peering method. To learn more about source database network connectivity, see Source networking methods overview.

Configure IP allowlist connectivity

To configure IP allowlist connectivity for Cloud SQL for SQL Server sources, follow these steps:

1. Enable public IP for your source Cloud SQL for SQL Server instance and add Database Migration Service public IP ranges to the list of authorized networks. Make sure authorize Database Migration Service public IP addresses for the region where you use Database Migration Service.

   For more information, see the following pages:

   • Enable public IP in the Cloud SQL documentation.
   • List of Database Migration Service public IP addresses.
2. At a later stage, when you create the source connection profile, do the following:
   1. In the Define connection details section, enter your Cloud SQL instance public IP.
   2. In the Define connectivity method section, select IP allowlist.

Configure connectivity over a forward-SSH tunnel

Forward-SSH tunnels work well if you want to create a connection that is more secure than a public IP connection, but your source private IP can't be reached directly from the Google Cloud network to create a Virtual Private Cloud peering connection. Cloud SQL for SQL Server sources reside within Google Cloud networks, so if you want to use a private connection, we recommend that you configure private connectivity for your source instead.

If you can't use Virtual Private Cloud peering, consider using the IP allowlist connectivity method. We don't recommend forward-SSH tunnels for Cloud SQL for SQL Server source connectivity. Adding an SSH server to your architecture can increase the complexity of your migration configuration, but in the case of Cloud SQL for SQL Server sources it doesn't increase security. You still need to expose the SSH server to the internet, but can't secure it with the authorized networks feature like you can if you set up Cloud SQL for SQL Server for public IP connectivity.

Configure private connectivity with VPC peering

Private connectivity with Cloud SQL for SQL Server sources for heterogeneous migrations uses Virtual Private Cloud (VPC) peering to create a connection between Database Migration Service and your source database over VPC networks in Google Cloud. Transitive peering isn't supported, so for this connectivity method to work, you need to set up a reverse proxy Virtual Machine (VM) in your Virtual Private Cloud network.

To use private connectivity with VPC peering, follow these steps:

1. In your project, ensure you have a Virtual Private Cloud network with Virtual Private Cloud network with private services access enabled.

   This is the network that you peer with Database Migration Service and your source database server. You need to have enough space to allocate IP ranges for both components.

2. Ensure your source Cloud SQL for SQL Server instance has a private IP enabled.

   When you enable a private IP for a Cloud SQL for SQL Server instance, you select a VPC network to peer with. Make sure you choose the network where you later intend to create the Database Migration Service private connectivity configuration. You can't later disable private IP for the Cloud SQL instance. For more information, see Enable private IP for Cloud SQL instances.

3. In your Virtual Private Cloud network, create and configure a reverse proxy VM. For more information, see Establish private connectivity using proxies.
4. In Database Migration Service, create a private connectivity configuration to peer with the VPC network where your Cloud SQL has the private IP assigned.
5. At a later stage, when you create the source connection profile, do the following:
   1. In the Define connection details section, enter the private IP of your source Cloud SQL for SQL Server instance.

      You can view your instance's private IP address when you view instance summary information.

   2. In the Define connectivity method section, select Private connectivity (VPC peering).
   3. From the drop-down menu, select the private connectivity configuration you created in the previous step.

What's next

• Learn about source connection profiles. See Create a source connection profile.

• To get a complete, step-by-step migration walkthrough, see SQL Server to AlloyDB for PostgreSQL migration guide.