Configure network connectivity to Cloud SQL for SQL Server sources
This page describes how to configure network connectivity to Cloud SQL for SQL Server
sources for heterogeneous SQL Server to Cloud SQL for PostgreSQL
migrations with Database Migration Service.
There are two different methods you can use to configure the necessary
network connectivity for migrations from Cloud SQL for SQL Server sources:
- Public IP allowlist
- Private IP connectivity with Virtual Private Cloud peering
For Cloud SQL sources, it is possible to configure connectivity over
a forward-SSH tunnel, but we don't recommend this method. If you want to
use a connection over private networks, use the
Private IP connectivity with Virtual Private Cloud peering method.
To learn more about source database network connectivity, see
Source networking methods overview.
Configure IP allowlist connectivity
To configure IP allowlist connectivity for Cloud SQL for SQL Server sources,
follow these steps:
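1. Enable public IP for your source Cloud SQL instance and add
   Database Migration Service public IP ranges to the list of authorized networks.
   Make sure to authorize Database Migration Service public IP addresses for the
   region where you use Database Migration Service.
   For more information, see the following pages:
   - Enable public IP in the Cloud SQL documentation.
   - List of Database Migration Service public IP addresses.
2. At a later stage, when you create the source connection profile, do the following:
   1. In the Define connection details section, enter your
      Cloud SQL instance public IP.
   2. In the Define connectivity method section,
      select IP allowlist.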
Configure connectivity over a forward-SSH tunnel
Forward-SSH tunnels work well if you want to create a connection
that is more secure than a public IP connection, but your source private IP
can't be reached directly from the Google Cloud network to create
a Virtual Private Cloud peering connection. Cloud SQL sources reside within
Google Cloud networks, so if you want to use a private connection, we recommend
that you
configure private connectivity for your source instead.
If you can't use Virtual Private Cloud peering, consider using the
IP allowlist connectivity method.
We don't recommend forward-SSH tunnels for Cloud SQL source
connectivity. Adding an SSH server to your architecture
can increase the complexity of your migration configuration, but in the case
of Cloud SQL sources it doesn't increase security. You still need to expose
the SSH server to the internet, but can't secure it with the
authorized networks feature
like you can if you set up Cloud SQL for public IP connectivity.
Configure private connectivity with VPC peering
Private connectivity with Cloud SQL for SQL Server sources for heterogeneous
migrations uses Virtual Private Cloud (VPC) peering to create a connection
between Database Migration Service and your source database over VPC networks
in Google Cloud. Transitive peering isn't supported, so for
this connectivity method to work, you need to set up a reverse proxy
Virtual Machine (VM) in your Virtual Private Cloud network.
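To use private connectivity with VPC peering, follow these steps:
1. In your project, ensure you have a Virtual Private Cloud network with
   private services access enabled.
   This is the network that you peer with Database Migration Service and your source
   database server. You need to have enough space to allocate IP ranges
   for both components.
2. Ensure your source Cloud SQL instance has a private IP enabled.
   When you enable a private IP for a Cloud SQL instance, you select a VPC
   network to peer with. Make sure you choose the network where you later
   intend to create the Database Migration Service private connectivity configuration.
   You can't later disable private IP for the Cloud SQL instance.
   For more information, see
   Enable private IP for Cloud SQL instances.
3. In your Virtual Private Cloud network, create and configure a reverse proxy VM.
   For more information, see Establish private connectivity using proxies.
4. In Database Migration Service, create a private connectivity configuration
   to peer with the VPC network where your Cloud SQL has the private IP assigned.
5. At a later stage, when you create the source connection profile, do the following:
   1. In the Define connection details section, enter the private IP of your
      source Cloud SQL instance.
      You can view your instance's private IP address when you
      view instance summary information.
   2. In the Define connectivity method section, select
      Private connectivity (VPC peering).
   3. From the drop-down menu, select the private connectivity configuration
      you created in the previous step.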
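The following check is an added example, not part of the Database Migration Service documentation. It audits a source instance for either the IP allowlist procedure or the VPC peering procedure on this page, reading the settings.ipConfiguration fields of the Cloud SQL instance resource as printed by gcloud sql instances describe --format=json. The audit_source helper, the instance, project and network names, and the Database Migration Service ranges are constructed placeholders.

```python
import ipaddress
import json

# Constructed placeholders (RFC 5737 documentation addresses). Use the
# Database Migration Service public IP addresses published for your region.
DMS_REGION_RANGES = ["192.0.2.10/32", "192.0.2.11/32"]

# Constructed sample shaped like `gcloud sql instances describe --format=json`.
SAMPLE_INSTANCE = json.loads("""
{"name": "src-sqlserver",
 "settings": {"ipConfiguration": {
   "ipv4Enabled": true,
   "privateNetwork": "projects/example-project/global/networks/migration-vpc",
   "authorizedNetworks": [
     {"name": "dms-1", "value": "192.0.2.10/32"},
     {"name": "temp-debug", "value": "0.0.0.0/0"}]}}}
""")

def audit_source(instance, method, dms_ranges=(), expected_vpc=""):
    """Return a list of findings for the chosen connectivity method."""
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    findings = []
    if method == "ip-allowlist":
        if not ipcfg.get("ipv4Enabled"):
            findings.append("public IP is not enabled on the source instance")
        wanted = [ipaddress.ip_network(r) for r in dms_ranges]
        present = [ipaddress.ip_network(n["value"], strict=False)
                   for n in ipcfg.get("authorizedNetworks", [])]
        for net in present:
            # An entry outside the DMS ranges widens exposure of the public IP.
            if not any(net.subnet_of(w) for w in wanted):
                findings.append(f"authorized network {net} is outside the DMS ranges")
        for w in wanted:
            if not any(w.subnet_of(net) for net in present):
                findings.append(f"DMS range {w} is not authorized")
    elif method == "vpc-peering":
        actual = ipcfg.get("privateNetwork")
        if not actual:
            findings.append("private IP is not enabled on the source instance")
        elif actual.strip("/") != expected_vpc.strip("/"):
            findings.append(f"instance is peered with {actual}, not {expected_vpc}")
    else:
        raise ValueError(f"unknown connectivity method: {method}")
    return findings
```

On the constructed sample, the 0.0.0.0/0 entry is reported as outside the Database Migration Service ranges even though it technically covers them, which is the case to catch before a migration goes live.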
What's next
Learn about source connection profiles. See
Create a source connection profile.
To get a complete, step-by-step migration walkthrough, see
SQL Server to Cloud SQL for PostgreSQL migration guide.
Last updated 2025-08-25 UTC.