Configure network connectivity to Cloud SQL for SQL Server sources

This page describes how to configure network connectivity to Cloud SQL for SQL Server sources for heterogeneous SQL Server to AlloyDB for PostgreSQL migrations with Database Migration Service.

There are several methods you can use to configure the necessary network connectivity for migrations from Cloud SQL for SQL Server sources:

For Cloud SQL sources, it is possible to configure connectivity over a forward-SSH tunnel, but we don't recommend this method. If you want to use a connection over private networks, use the Private IP connectivity with Private Service Connect interfaces method. To learn more about source database network connectivity, see Source networking methods overview.

Configure IP allowlist connectivity

To configure IP allowlist connectivity for Cloud SQL for SQL Server sources, follow these steps:

  1. Enable public IP for your source Cloud SQL for SQL Server instance and add Database Migration Service public IP ranges to the list of authorized networks. Make sure you authorize the Database Migration Service public IP addresses for the region where you use Database Migration Service.

    For more information, see the following pages:

  2. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, enter your Cloud SQL instance public IP.
    2. In the Define connectivity method section, select IP allowlist.
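
The following check is an added example, not part of the original documentation or Google's tooling. It audits the authorized networks of a public-IP source instance so that only the Database Migration Service ranges are allowed; the `DMS_RANGES` values and the sample instance JSON are constructed placeholders.

```python
import ipaddress
import json

# Constructed placeholders (RFC 5737 documentation addresses). Substitute the
# Database Migration Service public IP ranges for your region.
DMS_RANGES = ["203.0.113.10/32", "203.0.113.11/32"]

# Constructed sample, shaped like `gcloud sql instances describe --format=json`
# output and trimmed to the ipConfiguration block.
SAMPLE_INSTANCE = json.loads("""
{"name": "source-sqlserver",
 "settings": {"ipConfiguration": {
   "ipv4Enabled": true,
   "authorizedNetworks": [
     {"name": "dms-1", "value": "203.0.113.10/32"},
     {"name": "temp-debug", "value": "0.0.0.0/0"},
     {"name": "office", "value": "198.51.100.0/24"}]}}}
""")


def audit_authorized_networks(instance, dms_ranges):
    """Return (severity, message) findings for the IP allowlist setup."""
    cfg = instance.get("settings", {}).get("ipConfiguration", {})
    expected = [ipaddress.ip_network(r) for r in dms_ranges]
    findings, covered = [], set()
    if not cfg.get("ipv4Enabled"):
        findings.append(("error", "public IP is not enabled"))
    for entry in cfg.get("authorizedNetworks", []):
        net = ipaddress.ip_network(entry["value"], strict=False)
        label = f"{entry.get('name', 'unnamed')} ({net})"
        if net.prefixlen == 0:
            # Matches every address: the allowlist no longer restricts anything.
            findings.append(("critical", f"{label} allows any source address"))
            continue
        hits = {e for e in expected if e.version == net.version and e.subnet_of(net)}
        if not hits:
            findings.append(("warning", f"{label} is not a DMS range"))
        elif net not in hits:
            findings.append(("warning", f"{label} is wider than the DMS range"))
        covered |= hits
    for missing in sorted(set(expected) - covered, key=str):
        findings.append(("error", f"DMS range {missing} is not authorized"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_authorized_networks(SAMPLE_INSTANCE, DMS_RANGES):
        print(f"{severity.upper():8} {message}")
```

An empty result means the instance has public IP enabled and its authorized networks match the expected ranges exactly.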

Configure connectivity over a forward-SSH tunnel

Forward-SSH tunnels work well if you want to create a connection that is more secure than a public IP connection, but your source private IP can't be reached directly from the Google Cloud network to create a Virtual Private Cloud peering connection. Cloud SQL for SQL Server sources reside within Google Cloud networks, so if you want to use a private connection, we recommend that you configure private connectivity for your source instead.

If you can't use Virtual Private Cloud peering, consider using the IP allowlist connectivity method. We don't recommend forward-SSH tunnels for Cloud SQL for SQL Server source connectivity. Adding an SSH server to your architecture can increase the complexity of your migration configuration, but in the case of Cloud SQL for SQL Server sources it doesn't increase security. You still need to expose the SSH server to the internet, but can't secure it with the authorized networks feature like you can if you set up Cloud SQL for SQL Server for public IP connectivity.

Configure private connectivity with Private Service Connect interfaces

This connectivity method lets you connect to the private IP of your source database without consuming VPC peering quota. Private Service Connect interfaces are the recommended method for private IP connectivity.

To use Private Service Connect interface connectivity, do the following:

  1. Ensure your source Cloud SQL instance has a private IP enabled.

    When you enable a private IP for a Cloud SQL instance, you select a VPC network to peer with. Make sure you choose the network where you later intend to create the network attachment. You can't later disable private IP for the Cloud SQL instance. For more information, see Enable private IP for Cloud SQL instances.

  2. Create a network attachment in the VPC where your source resides. Follow these steps:
    1. In the Google Cloud console, go to the Network attachments page.


    2. Click Create network attachment.
    3. Enter a name for the attachment.
    4. From the Network menu, select the VPC where your source resides.
    5. For the region, use the same region where you plan to create the destination database.

      Database Migration Service is a fully-regional product, meaning all entities related to your migration (source and destination connection profiles, migration jobs, destination databases, conversion workspaces) must be saved in a single region.

    6. From the Subnetwork menu, select a subnet where you have at least 6 free usable IP addresses for Database Migration Service (that is, a /29 range).
    7. In Connection preference select Accept connections for selected projects.

      Database Migration Service automatically adds the producer project to the Accepted projects list when you later create the private connectivity configuration.

    8. Don't add Accepted projects or Rejected projects.
    9. Click Create network attachment.
  3. In Database Migration Service, create a private connectivity configuration for Private Service Connect interfaces.
  4. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, enter the private IP of your source Cloud SQL instance.

      You can view your instance's private IP address when you view instance summary information.

    2. In the Define connectivity method section, select Private connectivity.
    3. From the drop-down menu, select the private connectivity configuration you created in the previous step.

Configure private connectivity with VPC peering

Private connectivity with Cloud SQL for SQL Server sources for heterogeneous migrations uses Virtual Private Cloud (VPC) peering to create a connection between Database Migration Service and your source database over VPC networks in Google Cloud. Transitive peering isn't supported, so for this connectivity method to work, you need to set up a reverse proxy Virtual Machine (VM) in your Virtual Private Cloud network.

To use private connectivity with VPC peering, follow these steps:

  1. In your project, ensure you have a Virtual Private Cloud network with private services access enabled.

    This is the network that you peer with Database Migration Service and your source database server. You need to have enough space to allocate IP ranges for both components.

  2. Ensure your source Cloud SQL for SQL Server instance has a private IP enabled.

    When you enable a private IP for a Cloud SQL for SQL Server instance, you select a VPC network to peer with. Make sure you choose the network where you later intend to create the Database Migration Service private connectivity configuration. You can't later disable private IP for the Cloud SQL instance. For more information, see Enable private IP for Cloud SQL instances.

  3. In your Virtual Private Cloud network, create and configure a reverse proxy VM. For more information, see Establish private connectivity using proxies.
  4. In Database Migration Service, create a private connectivity configuration to peer with the VPC network where your Cloud SQL instance has the private IP assigned.
  5. At a later stage, when you create the source connection profile, do the following:
    1. In the Define connection details section, enter the private IP of your source Cloud SQL for SQL Server instance.

      You can view your instance's private IP address when you view instance summary information.

    2. In the Define connectivity method section, select Private connectivity.
    3. From the drop-down menu, select the private connectivity configuration you created in the previous step.
