The connection details you need to provide can differ depending on what source connectivity you use. This page describes how to create source connection profiles for each available connectivity method:
- Source connection profile for public IP allowlist connectivity 
- Source connection profile for forward-SSH tunnel connectivity 
- Source connection profile for private IP connectivity with VPC peering 
Before you create a source connection profile, make sure you do the following:
- Consider in which region you want to create the source connection profile.
    - Database Migration Service is a fully-regional product, meaning all entities related to your migration (source and destination connection profiles, migration jobs, destination databases, conversion workspaces) must be saved in a single region.
- Configure your source database and create a dedicated migration user account. 
Required roles
To get the permissions that you need to create a connection profile, ask your administrator to grant you the Database Migration Admin (roles/datamigration.admin) IAM role on your project.
For more information about granting roles, see Manage access in the Identity and Access Management documentation.
This predefined role contains the permissions required to create a connection profile in Database Migration Service. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to create a connection profile in Database Migration Service:
- datamigration.connectionprofiles.create
- datamigration.connectionprofiles.delete
- datamigration.connectionprofiles.get
- datamigration.connectionprofiles.getIamPolicy
- datamigration.connectionprofiles.list
- datamigration.connectionprofiles.setIamPolicy
- datamigration.connectionprofiles.update
You might also be able to get these permissions with custom roles or other predefined roles.
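A pre-flight check for the permissions listed above, as an added example that is not part of the original page or of Google's tooling: it reads an IAM policy plus role definitions and reports which of the seven permissions a principal lacks, and which it holds only through a conditional binding. The project, role IDs, members and policy are constructed for illustration, and the check covers only direct member bindings in the one policy it is given, not group membership or inherited policies.

```python
P = "datamigration.connectionprofiles."

# Permissions the page lists as required to create a connection profile.
REQUIRED = {P + name for name in (
    "create", "delete", "get", "getIamPolicy", "list", "setIamPolicy", "update")}

# Constructed custom-role definitions (role name -> includedPermissions).
# The project and role IDs are hypothetical.
ROLES = {
    "projects/example-project/roles/dmsProfileEditor":
        [P + "create", P + "delete", P + "get", P + "list", P + "update"],
    "projects/example-project/roles/dmsProfileIam":
        [P + "getIamPolicy", P + "setIamPolicy"],
}

# Constructed IAM policy in the bindings/members/condition shape that
# IAM policies use. All members are hypothetical.
POLICY = {"bindings": [
    {"role": "projects/example-project/roles/dmsProfileEditor",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "projects/example-project/roles/dmsProfileIam",
     "members": ["user:alice@example.com"]},
    {"role": "projects/example-project/roles/dmsProfileIam",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary",
                   "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
]}


def audit(policy, roles, member):
    """Return (missing, conditional_only) required permissions for member.

    missing: required permissions with no unconditional grant.
    conditional_only: the subset of missing that a conditional binding
    grants, so it may or may not apply when the profile is created.
    """
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        perms = REQUIRED.intersection(roles.get(binding["role"], []))
        (conditional if "condition" in binding else granted).update(perms)
    missing = REQUIRED - granted
    return sorted(missing), sorted(missing & conditional)


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, audit(POLICY, ROLES, who))
```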
For public IP allowlist connectivity
To create a source connection profile that uses the public IP allowlist connectivity method, follow these steps:
- Make sure you configure your source database server to accept connections from Database Migration Service public IP addresses for the region where you create the migration job. For more information, see Public IP allowlist overview.
- In the Google Cloud console, go to the Connection profiles page.
- Click Create profile.
- On the Create a connection profile page, from the Profile role list, select Source.
- From the Database engine list, select your SQL Server source.
- In the Specify connection profile details section, provide the connection profile name, ID, and region.
- In the Define connection configurations section, in the SQL Server to PostgreSQL card, click Define.
    The connectivity details panel opens. 
- In the Define connection details section, enter your source database public IP and port number, the name of the database you want to migrate, and login details for the dedicated migration user account (name and password).
- In the Secure your connection section, choose the encryption
    type you want to use for the source database connection.
    You can use your own SSL/TLS certificates for additional network security. For more information, see Encrypt connections with certificates. 
- In the Define connectivity method section, select Public IP allowlist.
- Click Save.
    The connectivity details panel closes. 
- Optional: In the Test connection profile section, click
    Run test.
    Database Migration Service performs a quick check to verify that the connection details you supplied are sufficient to reach your source database. 
- Click Create at the bottom of the page.
  The Connection profiles page appears, and the newly created connection profile is displayed. 
For forward-SSH tunnel connectivity
To create a source connection profile that uses the forward-SSH tunnel connectivity method, follow these steps:
- Make sure you set up the forward-SSH tunnel server and adjust all firewall rules in your network. For more information, see Forward-SSH tunnel connectivity overview.
- In the Google Cloud console, go to the Connection profiles page.
- Click Create profile.
- On the Create a connection profile page, from the Profile role list, select Source.
- From the Database engine list, select your SQL Server source.
- In the Specify connection profile details section, provide the connection profile name, ID, and region.
- In the Define connection configurations section, in the SQL Server to PostgreSQL card, click Define.
    The connectivity details panel opens.
- In the Define connection details section, enter your source database IP and port number, the name of the database you want to migrate, and login details for the dedicated migration user account (name and password).
    The IP address should be an address that is reachable from the forward-SSH tunnel.
- In the Secure your connection section, choose the encryption
    type you want to use for the source database connection.
    You can use your own SSL/TLS certificates for additional network security. For more information, see Encrypt connections with certificates. 
- In the Define connectivity method section, do the following:
    - From the Connectivity method drop-down menu, select Forward-SSH tunnel.
    - In the next sections, enter the connection details for the SSH server: IP address or hostname, port number, and login.
    - From the Authentication method drop-down menu, select how you want Database Migration Service to authenticate with your SSH server.
        You can use a password, or a unique private key. If you decide to use a private key, you can upload the file directly to Database Migration Service, or paste the key in text form in the text box.
- Click Save.
    The connectivity details panel closes. 
- Optional: In the Test connection profile section, click
    Run test.
    Database Migration Service performs a quick check to verify that the connection details you supplied are sufficient to reach your source database. 
- Click Create at the bottom of the page.
  The Connection profiles page appears, and the newly created connection profile is displayed. 
For private connectivity with Virtual Private Cloud peering
To create a source connection profile that uses private IP connectivity with Virtual Private Cloud peering, follow these steps:
- Make sure you configure your network for private IP connectivity. For more information, see Source private connectivity overview.
- In the Google Cloud console, go to the Connection profiles page.
- Click Create profile.
- On the Create a connection profile page, from the Profile role list, select Source.
- From the Database engine list, select your SQL Server source.
- In the Specify connection profile details section, provide the connection profile name, ID, and region.
- In the Define connection configurations section, in the SQL Server to PostgreSQL card, click Define.
    The connectivity details panel opens.
- In the Define connection details section, enter your source database IP and port number, the name of the database you want to migrate, and login details for the dedicated migration user account (name and password).
    Use the IP address that is appropriate for your networking setup:
    - For sources that reside directly in the Virtual Private Cloud network that you use with the Database Migration Service private connectivity configuration, use the private IP address of your source.
    - For sources that reside outside the Virtual Private Cloud network that you use with the Database Migration Service private connectivity configuration, for example in scenarios that include a reverse proxy virtual machine (VM), use the private IP address of your NAT VM.
- In the Secure your connection section, choose the encryption
    type you want to use for the source database connection.
    You can use your own SSL/TLS certificates for additional network security. For more information, see Encrypt connections with certificates. 
- In the Define connectivity method section, do the following:
    - From the Connectivity method drop-down menu, select Private connectivity (VPC peering).
    - From the Private connectivity configuration drop-down menu, select the name of the private connectivity configuration you created to peer with your Virtual Private Cloud.
- Click Save.
    The connectivity details panel closes. 
- Optional: In the Test connection profile section, click
    Run test.
    Database Migration Service performs a quick check to verify that the connection details you supplied are sufficient to reach your source database. 
- Click Create at the bottom of the page.
  The Connection profiles page appears, and the newly created connection profile is displayed. 
What's next
- Learn about destination connection profiles. See Create destination connection profile. 
- To get a complete, step-by-step migration walkthrough, see SQL Server to AlloyDB for PostgreSQL migration guide.