Connect to an instance using Private Service Connect

This page describes how to use Private Service Connect to connect to an AlloyDB for PostgreSQL instance.

You can use Private Service Connect to connect to either a primary AlloyDB instance or any of its read replicas, or a secondary AlloyDB instance from multiple Virtual Private Cloud (VPC) networks that belong to different groups, teams, projects, or organizations.

Required roles

You must grant all the following roles to a user in your VPC network to be able to connect to an AlloyDB instance.

Role	Description
`compute.networkAdmin`	Grants full control over the VPC network that initiates a connection to an AlloyDB instance. If you use Private Service Connect to connect to an AlloyDB instance from multiple VPC networks, then each network has its own administrator.
`dns.admin`	Grants full control over Cloud DNS resources, including DNS zones and records.
`alloydb.admin`	Provides full control of an AlloyDB instance and controls the instance over its lifecycle.
`alloydb.databaseUser` (Optional)	Provides access to the AlloyDB instance. If you connect through the AlloyDB Auth Proxy client, then you must have the AlloyDB Client role. If you connect directly, then you don't need any Identity and Access Management (IAM) roles and permissions.
`Custom AlloyDB role` (Optional)	If you're using a custom role, then in addition to granting the `compute.networkAdmin` and `dns.admin` roles, grant the following permissions: `alloydb.clusters.create`: Provides access to enable Private Service Connect for a cluster. `alloydb.instances.create` & `alloydb.instances.update`: Provides access to add a list of allowed projects and to set a network attachment URI for an instance.

Create a Private Service Connect endpoint

Private Service Connect endpoints are internal IP addresses in a consumer VPC network, which clients in that network can access directly. Clients can use these endpoints to connect to AlloyDB instances.

To have AlloyDB create the Private Service Connect endpoint automatically, do the following:

Reuse an existing service connection policy or create a service connection policy in your VPC networks. With this policy, you can provision Private Service Connect endpoints automatically.
Create an AlloyDB cluster and instance with Private Service Connect enabled for the instance, and configure the instance to create Private Service Connect endpoints automatically.
Retrieve the endpoint for the instance. This lets you use the endpoint to connect to the instance.
(Optional) Update an existing AlloyDB cluster and instance with Private Service Connect enabled to generate endpoints automatically.

You can also create the Private Service Connect endpoint manually. For more information see, Create the endpoint manually.

Create the endpoint automatically

The next few sections explain how to configure your instance to let AlloyDB create the Private Service Connect endpoint automatically.

Create a service connection policy

You can reuse an existing service connection policy or create a service connection policy using the Google Cloud console or the Google Cloud CLI.

A service connection policy lets you authorize a specified service class to create a Private Service Connect endpoint in your consumer VPC network. You can use the service connection policy to let AlloyDB create Private Service Connect endpoints automatically.

Console

In the Google Cloud console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Connection Policies tab.
Click Create connection policy.
Enter a Name for the connection policy.
Specify the service class by doing the following:
1. For Source service class, select Google services.
2. From the Service class menu, select google-cloud-alloydb because AlloyDB is the managed service for the connection policy.
In the Target endpoints scope section, select a Network and Region this policy applies to.
In the Policy section, select one or more subnets from the Subnetworks menu. The subnets are used to allocate IP addresses for endpoints.
Optional: Specify a Connection limit for the policy. The limit determines how many endpoints AlloyDB can create for this connection policy. If you don't specify a connection limit, then there's no limit.
Click Create policy.

gcloud

To create a service connection policy, use the service-connection-policies create command.

gcloud network-connectivity service-connection-policies create POLICY_NAME \
    --network=NETWORK \
    --project=PROJECT_ID \
    --region=REGION \
    --service-class=SERVICE_CLASS \
    --subnets=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNETS \
    --psc-connection-limit=LIMIT \
    --description="DESCRIPTION" \
    --producer-instance-location=PRODUCER_INSTANCE_LOCATION \
    --allowed-google-producers-resource-hierarchy-level=LIST_OF_NODES

Replace the following:

POLICY_NAME: the name of your service connection policy.
NETWORK: the network this policy applies to.
PROJECT_ID: the project ID or number of the VPC network's project. For Shared VPC networks, you must deploy service connection policies in the host project because these policies aren't supported in service projects.
REGION: the region this policy applies to. The same policy must exist for every region where you want to automate service connectivity.
SERVICE_CLASS: the producer-supplied resource identifier of the service class. For AlloyDB, the service class is google-cloud-alloydb.
SUBNETS: one or more regular consumer subnets that are used to allocate IP addresses for Private Service Connect endpoints. These IP addresses are allocated automatically and returned to the subnet's pool as managed service instances are created and deleted. The subnets must be in the same region as the service connection policy. If multiple connection policies share the same region, then you can reuse the same subnetwork in these policies. You can enter multiple subnets in a comma-separated list.
LIMIT: the maximum number of endpoints that you can create with this policy. If you don't specify a limit, then there's no limit.
DESCRIPTION: an optional description of the service connection policy.
PRODUCER_INSTANCE_LOCATION: specifies whether the policy automates connections to AlloyDB instances. You can set this value one of the following:
- none (default): the AlloyDB instance is in the same project as the service connection policy (or in the case of Shared VPC, in connected projects).
- custom-resource-hierarchy-levels: requires that you set the Resource Manager location path for the projects that you want to automate connectivity for through the allowed-google-producers-resource-hierarchy-level parameter.
LIST_OF_NODES: set this parameter if your producer instance location is set to custom-resource-hierarchy-levels. This parameter is a list of projects, folders, and organizations where the instances for which you want to automate connectivity reside. The list is in the form of projects/PROJECT_ID, folders/FOLDER_ID, or organizations/ORGANIZATION_ID.

For example, the following command creates a service connection policy for the
google-cloud-alloydb service class that allocates IP addresses from the managed-services subnet. A maximum of 10 Private Service Connect endpoints can be created with this policy. The endpoints must be created in projects that are in the same organization as the managed service instance. The AlloyDB instance is located in the myproject project.

gcloud network-connectivity service-connection-policies create alloydb-policy \
    --network=default \
    --project=my-project \
    --region=us-central1 \
    --service-class=google-cloud-alloydb \
    --subnets=managed-service-subnet \
    --psc-connection-limit=10 \
    --producer-instance-location=custom-resource-hierarchy-levels \
    --allowed-google-producers-resource-hierarchy-level=projects/myproject

Create an AlloyDB instance

You can create an instance with Private Service Connect enabled for the instance and configure the instance to create endpoints automatically using the console, gcloud CLI, or terraform.

Console

In the Google Cloud console, go to the Clusters page.

Go to Clusters
Click Create cluster.
In Cluster ID, enter my-cluster.
Enter a password. Take note of this password because you use it in this quickstart.
Retain the default database version.
Select the us-central1 (Iowa) region.
Retain the default instance ID, my-cluster-primary.
In Zonal availability, retain Single zone as the selected option. While we don't recommend a single zone instance for production, you use a single zone in this quickstart to minimize costs. For more information, see Reduce costs using basic instances.
Select the 2 vCPU, 16 GB machine type.
Retain private IP connectivity.
1. Select Private Service Connect (PSC).
2. Click Add an endpoint.
3. Select the project where you want to create the endpoint.
4. Select the network.
5. Click Check policy for service connection policy information.
Note: Ensure that the service connection policy is created. You can create the policy before or after creating the instance.
Retain the default settings under Network security.
Don't make changes in Show advanced options.
Click Create cluster. It might take several minutes for AlloyDB to create the cluster and display it on the primary cluster Overview page.

gcloud

To create the cluster, use the gcloud alloydb clusters create command.

gcloud alloydb clusters create CLUSTER_ID \
  --password=PASSWORD \
  --region=REGION_ID \
  --project=PROJECT_ID \
  --enable-private-service-connect

Replace the following:

CLUSTER_ID: the ID of the cluster that you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
PASSWORD: the password to use for the default postgres user.
REGION_ID: the region where you want the cluster placed.
PROJECT_ID: the ID of the project where you want the cluster placed.

This command initiates a long-running operation, returning an operation ID.

To create the primary instance, use the gcloud alloydb instances create command.

gcloud alloydb instances create INSTANCE_ID \
    --instance-type=PRIMARY \
    --cpu-count=CPU_COUNT \
    --availability-type=AVAILABILITY \
    --region=REGION_ID \
    --cluster=CLUSTER_ID \
    --project=PROJECT_ID \
    --allowed-psc-projects=ALLOWED_PROJECT_LIST \
    --psc-network-attachment-uri=NETWORK_ATTACHMENT_URI \
    --psc-auto-connections=network=CONSUMER_NETWORK,project=CONSUMER_PROJECT

Replace the following:

INSTANCE_ID: the ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
CPU_COUNT: the number of vCPUs you want for the instance. Valid values include the following:
- 2: 2 vCPUs, 16 GB RAM
- 4: 4 vCPUs, 32 GB RAM
- 8: 8 vCPUs, 64 GB RAM
- 16: 16 vCPUs, 128 GB RAM
- 32: 32 vCPUs, 256 GB RAM
- 64: 64 vCPUs, 512 GB RAM
- 96: 96 vCPUs, 768 GB RAM
- 128: 128 vCPUs, 864 GB RAM
AVAILABILITY: indicates whether or not this instance should be highly available (HA), with nodes in multiple zones. Valid values include:
- REGIONAL: creates an HA instance with separate active and standby nodes, and automated failover between them. This is the default value, suitable for production environments.
- ZONAL: creates a basic instance, containing only one node, and no automated failover.
REGION_ID: the region where you want the instance placed.
CLUSTER_ID: the ID of the cluster you created earlier.
ALLOWED_PROJECT_LIST: the comma-separated list of project IDs or project numbers that you want to allow access the instance—for example, my-project-1, 12345,my-project-n.
NETWORK_ATTACHMENT_URI (Optional): the full resource name of the network attachment URI that you create for outbound connectivity. For example: projects/PROJECT_ID/regions/REGION_ID/networkAttachments/NETWORK_ATTACHMENT_ID.
CONSUMER_NETWORK: the path to the VPC network where Private Service Connect endpoints need are to be created. For example: projects/my-host-project/global/networks/default. This option applies when you are creating endpoints automatically. Ensure that the service connection policy is created. You can create the policy before or after creating the instance.
CONSUMER_PROJECT: the project where the Private Service Connect endpoint is created. If you're using a Shared VPC network, then this can be either the host project or the service project. Any projects that you specify in the auto-connection parameters are added to your allowed projects automatically. Optionally, for any projects where you want to create Private Service Connect endpoints manually, you can add these projects to your list of allowed projects.

A secondary cluster created for a Private Service Connect enabled primary cluster automatically inherits the Private Service Connect configuration. For more information, see Create a secondary cluster.

Terraform

To create an instance within your database cluster, use a Terraform resource.

resource "google_alloydb_instance" "default" {
  cluster       = google_alloydb_cluster.default.name
  instance_id   = "alloydb-instance"
  instance_type = "PRIMARY"
  machine_config {
    cpu_count = 2
  }
  psc_instance_config {
  allowed_consumer_projects = ["123456789"]
  psc_interface_configs {
    network_attachment_resource = google_compute_network_attachment.default.id
  }
  }
}

resource "google_compute_network" "default" {
    name = "alloydb-network"
    auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "default" {
    name = "alloydb-subnetwork"
    region = "us-central1"
    network = google_compute_network.default.id
    ip_cidr_range = "10.0.0.0/16"
}

resource "google_compute_network_attachment" "default" {
  name                  = "alloydb-network-attachment"
  region                = "us-central1"
  connection_preference = "ACCEPT_AUTOMATIC"
  subnetworks = [
    google_compute_subnetwork.default.self_link
  ]
}

data "google_project" "project" {}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Retrieve the endpoint

By retrieving the internal IP address, which is the Private Service Connect endpoint for an instance, you can use this endpoint to connect to the instance.

To view information about an instance, including the IP address that's the Private Service Connect endpoint for the instance, use the gcloud alloydb instances describe command:

gcloud alloydb instances describe INSTANCE_NAME \
--project=PROJECT_ID \
--format='json(settings.ipConfiguration.pscConfig.pscAutoConnections)'

Make the following replacements:

INSTANCE_NAME: the name of the AlloyDB instance. If this instance has Private Service Connect enabled for it, then Private Service Connect endpoints in VPC networks can connect to it.
PROJECT_ID: the ID or project number of the Google Cloud project that contains the instance.

In the response, note the value that appears next to the pscConfig:pscAutoConnections:ipAddress field. This value is the internal IP address that's also the Private Service Connect endpoint for the instance.

Update an instance for creating endpoints automatically

To update an instance to create endpoints automatically, pass the --psc-auto-connections parameter to the gcloud alloydb instances update command.

Configure outbound Connectivity

If you want to enable outbound connectivity for your AlloyDB instance with Private Service Connect enabled, then you must set the network attachment URI for the instance. For more information, see Configure outbound connectivity.

Create the endpoint manually

The next few sections explain how to create a Private Service Connect endpoint manually.

Create an AlloyDB instance

You can create an instance with Private Service Connect enabled for the instance and configure the instance to create endpoints automatically using the console, gcloud CLI, or terraform.

Console

In the Google Cloud console, go to the Clusters page.

Go to Clusters
Click Create cluster.
In Cluster ID, enter my-cluster.
Enter a password. Take note of this password because you use it in this quickstart.
Retain the default database version.
Select the us-central1 (Iowa) region.
Retain the default instance ID, my-cluster-primary.
In Zonal availability, retain Single zone as the selected option. While we don't recommend a single zone instance for production, you use a single zone in this quickstart to minimize costs. For more information, see Reduce costs using basic instances.
Select the 2 vCPU, 16 GB machine type.
Retain private IP connectivity.
1. Select Private Service Connect(PSC).
2. Click Add an endpoint.
3. Select the project where you want to create the endpoint.
4. Select the network.
5. Click Check policy for service connection policy information.
Note: Ensure that the service connection policy is created. You can create the policy before or after creating the instance.
Retain the default settings under Network security.
Don't make changes in Show advanced options.
Click Create cluster. It might take several minutes for AlloyDB to create the cluster and display it on the primary cluster Overview page.

gcloud

To create the cluster, use the gcloud alloydb clusters create command.

gcloud alloydb clusters create CLUSTER_ID \
  --password=PASSWORD \
  --region=REGION_ID \
  --project=PROJECT_ID \
  --enable-private-service-connect

Replace the following:

CLUSTER_ID: the ID of the cluster that you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
PASSWORD: the password to use for the default postgres user.
REGION_ID: the region where you want the cluster placed.
PROJECT_ID: the ID of the project where you want the cluster placed.

This command initiates a long-running operation, returning an operation ID.

To create the primary instance, use the gcloud alloydb instances create command.

gcloud alloydb instances create INSTANCE_ID \
    --instance-type=PRIMARY \
    --cpu-count=CPU_COUNT \
    --availability-type=AVAILABILITY \
    --region=REGION_ID \
    --cluster=CLUSTER_ID \
    --project=PROJECT_ID \
    --allowed-psc-projects=ALLOWED_PROJECT_LIST \
    --psc-network-attachment-uri=NETWORK_ATTACHMENT_URI \

Replace the following:

INSTANCE_ID: the ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
CPU_COUNT: the number of vCPUs you want for the instance. Valid values include the following:
- 2: 2 vCPUs, 16 GB RAM
- 4: 4 vCPUs, 32 GB RAM
- 8: 8 vCPUs, 64 GB RAM
- 16: 16 vCPUs, 128 GB RAM
- 32: 32 vCPUs, 256 GB RAM
- 64: 64 vCPUs, 512 GB RAM
- 96: 96 vCPUs, 768 GB RAM
- 128: 128 vCPUs, 864 GB RAM
AVAILABILITY: indicates whether or not this instance should be highly available (HA), with nodes in multiple zones. Valid values include:
- REGIONAL: creates an HA instance with separate active and standby nodes, and automated failover between them. This is the default value, suitable for production environments.
- ZONAL: creates a basic instance, containing only one node, and no automated failover.
REGION_ID: the region where you want the instance placed.
CLUSTER_ID: the ID of the cluster you created earlier.
ALLOWED_PROJECT_LIST: the comma separated list of project IDs or project number that you want to allow access the instance—for example, my-project-1, 12345,my-project-n.
NETWORK_ATTACHMENT_URI (Optional): the full resource name of the network attachment URI that you create for outbound connectivity. For example: projects/PROJECT_ID/regions/REGION_ID/networkAttachments/NETWORK_ATTACHMENT_ID.
CONSUMER_NETWORK: the path to the VPC network from where Private Service Connect endpoints need to be created. For example: projects/my-host-project/global/networks/default. This option applies when you are creating endpoints automatically. Ensure that the service connection policy is created. You can create the policy before or after creating the instance.
CONSUMER_PROJECT: the project where the Private Service Connect endpoint is created. If you're using a Shared VPC network, then this can be either the host project or the service project. Any projects that you specify in the auto-connection parameters are added to your allowed projects automatically. Optionally, for any projects where you want to create Private Service Connect endpoints manually, you can add these projects to your list of allowed projects.

Terraform

To create an instance within your database cluster, use a Terraform resource.

resource "google_alloydb_instance" "default" {
  cluster       = google_alloydb_cluster.default.name
  instance_id   = "alloydb-instance"
  instance_type = "PRIMARY"
  machine_config {
    cpu_count = 2
  }
  psc_instance_config {
  allowed_consumer_projects = ["123456789"]
  psc_interface_configs {
    network_attachment_resource = google_compute_network_attachment.default.id
  }
  }
}

resource "google_compute_network" "default" {
    name = "alloydb-network"
    auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "default" {
    name = "alloydb-subnetwork"
    region = "us-central1"
    network = google_compute_network.default.id
    ip_cidr_range = "10.0.0.0/16"
}

resource "google_compute_network_attachment" "default" {
  name                  = "alloydb-network-attachment"
  region                = "us-central1"
  connection_preference = "ACCEPT_AUTOMATIC"
  subnetworks = [
    google_compute_subnetwork.default.self_link
  ]
}

data "google_project" "project" {}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Get the service attachment

After creating an AlloyDB instance with Private Service Connect enabled, get the service attachment URL and use it to create the Private Service Connect endpoint.

Use the gcloud alloydb instances describe command to view details about an instance.

gcloud alloydb instances describe INSTANCE_ID \
 --cluster=CLUSTER_ID \
 --region=REGION_ID

Replace the following:

INSTANCE_ID: the ID of the instance.
CLUSTER_ID: the ID of the cluster.
REGION_ID: the region in which the AlloyDB cluster is deployed.

A sample response for the command is as follows:

  "pscInstanceConfig": {
    "serviceAttachmentLink:": "https://www.googleapis.com/compute/v1/projects/my-project/regions/my-region/serviceAttachments/my-service-attachment-id"
        "allowedConsumerProjects": {
          "45678",
          "12345",
              "67890",
            },
            "pscDnsName": "11111111-1111-1111-1111-111111111111.22222222-2222-2222-2222-222222222222.alloydb-psc.goog."
          }

The serviceAttachmentLink parameter holds the value of the service attachment URL.

Create a Private Service Connect endpoint

To create a Private Service Connect endpoint, pass the service attachment URL along with a unique endpoint name. For more information about creating a Private Service Connect endpoint, see Create an endpoint.

You can also reserve an internal IP address for the Private Service Connect endpoint using the gcloud compute addresses create command, and then use the reserved IP address when creating the endpoint.

Configure outbound connectivity

To enable outbound connectivity, set the network attachment URI when you create or update an AlloyDB instance. This URI allows secure connectivity between your project and the AlloyDB instance during outbound operations such as migrations.

Create the network attachment

You can create a network attachment that can accept connections automatically(ACCEPT_AUTOMATIC) or manually (ACCEPT_MANUAL). For more information about creating a network attachment, see Create and manage network attachments.

If you choose to create a network attachment that accepts connections automatically, then you don't need to set a list of accepted projects explicitly. For accepting connections manually, you must add the service-owned project number of the project where your AlloyDB instance is located to the list of accepted projects.

To find the service-owned project number, run the following command:

gcloud alpha alloydb clusters describe CLUSTER_ID --region=REGION_ID

The following is a sample response:

pscConfig:
pscEnabled: true
serviceOwnedProjectNumber: 123456789012

After you identify the service-owned project number, add the project to the list of accepted projects and then create the network attachment.

Mae sure that the region of the network attachment is the same as the region of the AlloyDB instance. In addition, the subnet used to create the network attachment must belong to the RFC 1918 IP ranges, which are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

Update an instance for outbound connectivity

To enable outbound connectivity for an existing AlloyDB instance with Private Service Connect enabled, pass the --psc-network-attachment-uri parameter to the gcloud alloydb instances update command.

AlloyDB instances created prior to March 01, 2025, can't be updated to enable outbound connections. As an alternative approach, we recommend using either of the following options:

Create a regional Cross-Region Replica (CRR) replica of your primary instance with outbound connectivity enabled. Then, perform a switchover to designate the replica instance as the new primary instance.
Perform a backup of your existing AlloyDB cluster and primary instance. Then, create a new AlloyDB cluster and primary instance with outbound connectivity enabled. Finally, perform a restore the previously created backup into the new cluster.

Deactivate outbound connectivity

To deactivate outbound connectivity for an existing AlloyDB instance, pass the --clear-psc-network-attachment-uri parameter to the gcloud alloydb instances update command.

Connect to an AlloyDB instance

You can connect to an AlloyDB instance with Private Service Connect enabled by using one of the following options:

an internal IP address,
a DNS record
AlloyDB Auth Proxy
AlloyDB Language Connectors

Connecting using DNS records requires creating a DNS record in a private DNS zone in the corresponding VPC network. After you create a DNS record, you can use this record to connect to a Private Service Connect enabled instance directly using a DNS record, using AlloyDB Auth Proxy, or using AlloyDB Language Connectors.

Configure a DNS managed zone and a DNS record

To configure a DNS managed zone and a DNS record in your network, follow these steps:

To view summary information about an AlloyDB instance, including the DNS name of the instance, use the gcloud alloydb instances describe command:
```
gcloud alloydb instances describe INSTANCE_ID \
--cluster=CLUSTER_ID --region=REGION_ID
```
Replace the following:
- INSTANCE_ID: The ID of the instance.
- CLUSTER_ID: The ID of the cluster.
In the response, verify that the DNS name appears. The DNS name has the INSTANCE_UID.PROJECT_UID.REGION_NAME.alloydb-psc.goog. pattern.
To create a private DNS zone, use the gcloud dns managed-zones create command. This zone is associated with the VPC network that's used to connect to the AlloyDB instance through the Private Service Connect endpoint.

Note: For each VPC network, create a separate DNS zone.
```
gcloud dns managed-zones create ZONE_NAME \
--project=PROJECT_ID \
--description=DESCRIPTION \
--dns-name=DNS_NAME \
--networks=NETWORK_NAME \
--visibility=private
```
Replace the following:
- ZONE_NAME: the name of the DNS zone.
- PROJECT_ID: the ID or project number of the Google Cloud project that contains the zone.
- DESCRIPTION: a description of the zone (for example, a DNS zone for the AlloyDB instance).
- DNS_NAME: the DNS name for the zone, such as INSTANCE_UID.PROJECT_UID.REGION_NAME.alloydb-psc.goog..
- NETWORK_NAME: the name of the VPC network. In case of Shared VPC network, set to the fully qualified path of the VPC network—for example, projects/cymbal-project/global/networks/shared-vpc-network.
After you create the Private Service Connect endpoint, to create a DNS record in the zone, use the gcloud dns record-sets create command:
```
gcloud dns record-sets create DNS_NAME \
--project=PROJECT_ID \
--type=RRSET_TYPE \
--rrdatas=RR_DATA \
--zone=ZONE_NAME
```
Replace the following:
- DNS_NAME: the DNS name that you retrieved earlier in this procedure.
- RRSET_TYPE: the resource record type of the DNS record set (for example, A).
- RR_DATA: the IP address allocated for the Private Service Connect endpoint (for example, 198.51.100.5). You can also enter multiple values such as rrdata1 rrdata2 rrdata3 (for example, 10.1.2.3 10.2.3.4 10.3.4.5).

Connect directly using a DNS record

After you create a Private Service Connect endpoint, and create a DNS record, you can connect directly using the DNS record.

To retrieve the DNS record of the Private Service Connect endpoint, use the gcloud compute addresses describe command:
```
gcloud compute addresses describe DNS_RECORD \
--project=PROJECT_ID \
--region=REGION_NAME
```
Replace the following:
- DNS_RECORD: the DNS record for the endpoint.
- PROJECT_ID: the ID or project number of the Google Cloud project that contains the endpoint.
- REGION_NAME: the region name for the endpoint.
To connect to the AlloyDB instance, use the DNS record.
```
psql -U USERNAME -h DNS_RECORD
```
Replace the following:
- USERNAME: the name of the user that's connecting to the instance.
- DNS_RECORD: the endpoint's DNS record.

Connect using AlloyDB Auth Proxy

The AlloyDB Auth Proxy is a connector that lets you make authorized, encrypted connections to AlloyDB databases. The AlloyDB Auth Proxy works by having a local client running in the local environment. Your application communicates with the AlloyDB Auth Proxy with the standard database protocol used by your database.

When you set the --psc flag while starting the Auth Proxy client, the AlloyDB Auth Proxy uses the DNS record that you created to connect to the Private Service Connect enabled instance.

Make sure that you start the Auth Proxy client by passing the instance URI that you retrieve using the gcloud alloydb instances list command, and set the --psc flag.

For more information about connecting to an instance using Auth Proxy, see Connect using the Auth Proxy.

Connect using AlloyDB Language Connectors

AlloyDB Language Connectors are libraries that provide automated mTLS with TLS 1.3 and Identity and Access Management (IAM) authorization when connecting to an AlloyDB instance.

After the Language Connector determines the instance supports Private Service Connect, it uses the DNS record that you created to connect to the instance.