Use SSL/TLS certificates to encrypt network connections
Every connection Database Migration Service makes to your source database
can be configured to use Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption. This page
provides an overview of available SSL/TLS encryption variants and the steps
required to use them for your migration job.
SSL/TLS is mainly recommended for connections created over public
networks where you need to expose a public IP address and port for your database.
Regardless of which network connectivity method you use, your scenario might
require that you use additional encryption.
Destination database connections are always encrypted by Database Migration Service.
You don't need to configure additional certificates for those connections.
To understand how Database Migration Service uses SSL/TLS encryption, it's important to
remember that with regard to
network connectivity, Database Migration Service is considered the
client and your database (either source or destination database) is the
server. Database Migration Service supports the following encryption variants:
None
When Database Migration Service establishes a connection with your database,
it doesn't send any SSL configuration string. It doesn't present any client
certificates to the server, and it also doesn't verify any server certificates.
Basic
The request that Database Migration Service sends to your database contains
the declaration that the connection is established over a secured channel.
Database Migration Service doesn't present any client certificates to the server,
and it doesn't validate server certificates when they're presented by your
database.
This SSL/TLS variant is useful for Microsoft Azure SQL Managed Instance sources.
By default, Microsoft Azure SQL Managed Instance enforces SSL connections, but
you might not always be able to get access to the certificates that
are needed to use the TLS variant.
TLS
When Database Migration Service connects to your database, it declares that the
connection is established over a secured channel. Database Migration Service doesn't
present a client certificate to the server, but it does validate the server
certificate authority (CA) to make sure that it's connecting to the right host.
This prevents person-in-the-middle attacks.
To use TLS authentication, you must provide the X.509 PEM-encoded
certificate of the certificate authority (CA) that signed your database
server certificate.
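A pre-flight check for the TLS variant, added here as an illustration and not part of the original documentation: it uses the openssl CLI to confirm that the file you plan to provide is a PEM-encoded X.509 certificate and that it verifies your database server certificate. The CA, server certificate, subjects and file names are constructed for the demo, and a standard OpenSSL installation with its default configuration file is assumed.

```shell
#!/bin/sh
# Added example: check a CA file before using it with the TLS variant.
# Every subject name and file name below is constructed for the demo.

# is_pem_cert FILE -> 0 if FILE parses as a PEM-encoded X.509 certificate.
is_pem_cert() {
  openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# ca_signed_cert CA_PEM SERVER_PEM -> 0 if SERVER_PEM verifies with CA_PEM
# supplied as a trust anchor. For a privately issued server certificate
# this fails unless CA_PEM is the CA that signed it.
ca_signed_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR -> writes a demo CA, a server certificate signed by
# that CA, and an unrelated CA into DIR (all short-lived and constructed).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-db-ca" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated-ca" \
    -keyout "$1/other.key" -out "$1/other-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sqlserver.example.internal" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

# Demo run: compare the signing CA with an unrelated one.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for ca in ca.pem other-ca.pem; do
  if ! is_pem_cert "$demo_dir/$ca"; then
    echo "$ca: not a PEM-encoded X.509 certificate"
  elif ca_signed_cert "$demo_dir/$ca" "$demo_dir/server.pem"; then
    echo "$ca: verifies the server certificate"
  else
    echo "$ca: does not verify the server certificate"
  fi
done
rm -rf "$demo_dir"
```

With real files, call `is_pem_cert` and `ca_signed_cert` on your CA file and on the certificate exported from the database server, and skip `make_demo_pki`.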
What's next
Learn about encrypting source database connections. See Configure encryption for source database connections (/database-migration/docs/sqlserver-to-alloydb/encrypt-source-connections).
To get a complete, step-by-step migration walkthrough, see SQL Server to AlloyDB for PostgreSQL migration guide (/database-migration/docs/sqlserver-to-alloydb/guide).
Last updated 2025-09-04 UTC.