To connect to the database from IP addresses outside your GDC Sandbox organization, follow the instructions at Connect to DB to enable the external connections.
You can use sshuttle to connect to your database with a local database client like psql:
Navigate to the Connectivity section of the Database Service page for the database cluster. This page includes:
The password of the administrator account (the username is dbsadmin)
Hostname and port number of the database cluster's primary endpoint
A psql command for connecting to the cluster (for PostgreSQL and AlloyDB Omni database clusters)
A link to download the certificate authority (CA) certificate of the
database cluster
Download the CA certificate from the GDC console in the
Connectivity section of the Database Service page for your
database cluster.
Configure your client to use the CA certificate to verify the database. For
psql clients, set the PGSSLROOTCERT env variable to the path of the
certificate file and the PGSSLMODE env variable to your preference:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Manage databases\n\nGDC Sandbox provides the Database Service to test and manage database\nclusters.\n\nTo create a database cluster, see\n[Choose a database engine type and create a database cluster](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/db-service#create).\n| **Note:** GDC Sandbox supports only PostgreSQL and AlloyDB databases.\n\nConnect to the Database\n-----------------------\n\nBy default, a database cluster only allows connection from within the user cluster and the same project.\n\nTo enable connections to all database clusters in your project from another project, see [Enable cross-project connections](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/db-service#cross_project_connections).\n\nTo connect to the database from IP addresses outside your GDC Sandbox organization, follow the instructions at [Connect to DB](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/db-service#connect) to enable the external connections.\n\nYou can use `sshuttle` to connect to your database with a local database client like `psql`:\n\n1. Navigate to the **Connectivity** section of the **Database Service** page for the database cluster. This page includes:\n\n - The password of the administrator account (the username is `dbsadmin`)\n - Hostname and port number of the database cluster's primary endpoint\n - A `psql` command for connecting to the cluster (for PostgreSQL and AlloyDB Omni database clusters)\n - A link to download the certificate authority (CA) certificate of the database cluster\n2. Download the CA certificate from the GDC console in the\n **Connectivity** section of the **Database Service** page for your\n database cluster.\n\n3. Configure your client to use the CA certificate to verify the database. For\n `psql` clients, set the `PGSSLROOTCERT` env variable to the path of the\n certificate file and the `PGSSLMODE` env variable to your preference:\n\n export PGSSLROOTCERT=\u003cvar translate=\"no\"\u003epath/to/\u003c/var\u003eaccounts_cert.pem\n export PGSSLMODE=\"verify-full\"\n\n4. Initiate a secure tunnel. If you have a running instance of `sshuttle` as described in [Connect to your instance](/distributed-cloud/sandbox/latest/connect), terminate that process.\n\n sshuttle -r zone1-org-1-data@\u003cvar translate=\"no\"\u003eGDC_SANDBOX_INSTANCE_NAME\u003c/var\u003e --no-latency-control \\\n --ssh-cmd 'gcloud compute ssh --project \u003cvar translate=\"no\"\u003ePROJECT_NAME\u003c/var\u003e --zone \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e --tunnel-through-iap' \\\n 10.200.0.0/16 --dns\n\n Replace the following with the values provided to you by the GDC Sandbox team:\n - \u003cvar translate=\"no\"\u003eGDC_SANDBOX_INSTANCE_NAME\u003c/var\u003e: the name of your GDC Sandbox instance.\n - \u003cvar translate=\"no\"\u003ePROJECT_NAME\u003c/var\u003e: the project containing your GDC Sandbox environment.\n - \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: the zone containing your GDC Sandbox environment.\n5. While the tunnel is active, run the command using `psql` in a different terminal\n\n PGPASSWORD=\u003cvar translate=\"no\"\u003eDB_PASSWORD\u003c/var\u003e psql -h \u003cvar translate=\"no\"\u003eDB_HOSTNAME\u003c/var\u003e -p \u003cvar translate=\"no\"\u003ePORT\u003c/var\u003e -U \u003cvar translate=\"no\"\u003eUSERNAME\u003c/var\u003e -d postgres\n\n Replace the following variables:\n - \u003cvar translate=\"no\"\u003epath/to/\u003c/var\u003e: the path to the `accounts_cert.pem` certificate.\n - \u003cvar translate=\"no\"\u003eDB_PASSWORD\u003c/var\u003e: the password from the console UI.\n - \u003cvar translate=\"no\"\u003eDB_HOSTNAME\u003c/var\u003e: the database hostname from the console.\n - \u003cvar translate=\"no\"\u003eDB_PORT\u003c/var\u003e: the database port number from the console.\n - \u003cvar translate=\"no\"\u003eDB_USERNAME\u003c/var\u003e: the database username from the console."]]
