Connect using public IP

This page summarizes how to connect to databases served by AlloyDB for PostgreSQL using public IP. AlloyDB supports both inbound and outbound connections through two distinct options.

You can configure your AlloyDB instance to have a public IPv4 address for inbound connections and optionally, accept connections from specific external IP addresses or a range of addresses, called authorized external networks. These authorized networks are only available when using public IP. You can't specify a private network as an authorized external network.

AlloyDB supports outbound connections when you enable outbound public IP on your instance. Outbound connectivity is useful for scenarios such as migrating your database to AlloyDB from external sources.

Create an AlloyDB instance

To create an instance with public IP, do the following:

Console

  1. Go to the Clusters page.

  2. Click a cluster in the Resource Name column.

  3. In the Overview page, go to Instances in your cluster, and click Create primary instance.

  4. Configure your primary instance:

    1. In the Instance ID field, enter an ID for your primary instance.
    2. Under Zonal availability, select one of the following options:
      1. To create a highly available production instance with automated failover, select Multiple zones (Highly available).
      2. To create a basic instance that does not need to be highly available, select Single zone.
    3. Select a machine type.
    4. Under Connectivity, select Enable Public IP to support inbound connections.
    5. Optional: To add outbound connectivity, under Outbound Public IP Addresses, select Enable Outbound Public IP.
    6. Optional: To configure SSL or connector requirements on the instance, expand Advanced configuration options, then do the following:
      1. By default, AlloyDB instances require all connections to use SSL encryption. To allow non-SSL connections, clear the Only allow SSL connections checkbox.
      2. To require that all database connections to the instance use the AlloyDB Auth Proxy or the secure connector libraries provided by Google, select Require connectors.
    7. Optional: To restrict direct connections to specific IP addresses, add a comma-separated list of CIDR ranges:
      1. Under Authorized external networks, enter a comma-separated list of CIDR ranges. For each range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.
    8. Click Create instance.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

For more information about creating other instance types, see Create a read pool instance and Create a secondary instance.

Use the gcloud alloydb instances create command to create an instance.

gcloud alloydb instances create INSTANCE_ID \
    --instance-type=PRIMARY \
    --cpu-count=CPU_COUNT \
    --region=REGION_ID \
    --cluster=CLUSTER_ID \
    --project=PROJECT_ID \
    --assign-inbound-public-ip=ASSIGN_IPV4

Replace the following:

  • INSTANCE_ID: the ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CPU_COUNT: the number of vCPUs you want for the instance. Valid values include the following:
    • 2: 2 vCPUs, 16 GB RAM
    • 4: 4 vCPUs, 32 GB RAM
    • 8: 8 vCPUs, 64 GB RAM
    • 16: 16 vCPUs, 128 GB RAM
    • 32: 32 vCPUs, 256 GB RAM
    • 64: 64 vCPUs, 512 GB RAM
    • 96: 96 vCPUs, 768 GB RAM
    • 128: 128 vCPUs, 864 GB RAM
  • REGION_ID: the region where you want the instance placed.
  • CLUSTER_ID: the ID of the cluster you created earlier.
  • PROJECT_ID: the ID of the project that contains the cluster.

Optional: Add authorized external networks

Add a comma-separated list of CIDR ranges if you want to restrict direct connections to specific IP addresses.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --assign-inbound-public-ip=ASSIGN_IPV4 \
    --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • CIDR_RANGE: a comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

Optional: Add outbound connectivity

Add the --outbound-public-ip flag to enable outbound public IP addresses. You can only enable outbound public IP for primary and secondary instances.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --outbound-public-ip

Enable public IP on an instance

To enable inbound connectivity using public IP, do the following:

Console

  1. Go to the Clusters page.

  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Connectivity, select the Enable Public IP checkbox to support inbound connections.

  6. Optional: Under Authorized external networks, enter a comma-separated list of CIDR ranges if you want to restrict direct connections to specific IP addresses.

    For each range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

  7. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to enable public IP on your instance.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --assign-inbound-public-ip=ASSIGN_IPV4

Replace the following:

  • INSTANCE_ID: ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID: ID of the cluster that you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID: region where you want the cluster placed.

Optional: Add authorized external networks

Add a comma-separated list of CIDR ranges if you want to restrict direct connections to specific IP addresses.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --assign-inbound-public-ip=ASSIGN_IPV4 \
    --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • CIDR_RANGE: a comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

Disable public IP on an instance

When you disable public IP on your instance, AlloyDB removes the public IP address from your instance and clears the authorized networks list. Any inbound connections to your instance fail. Authorized external networks can only be used with public IP.

To disable public IP, do the following:

Console

  1. Go to the Clusters page.

  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Connectivity, clear the Enable Public IP checkbox to stop inbound connections.

  6. Optional: Under Authorized external networks, delete the comma-separated CIDR ranges.

  7. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to disable public IP on your instance.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --assign-inbound-public-ip=NO_PUBLIC_IP

Replace the following:

  • INSTANCE_ID: ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID: ID of the cluster that you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID: region where you want the cluster placed.

Update the authorized external networks for an instance

You can update the list of authorized external networks on your instance at any time. Public IP must be enabled on your instance when updating the authorized external networks list.

Authorized external networks can't be added or removed individually, and the networks list is overridden each time the update list command is run. To update authorized external networks on your instance, you'll need to provide a comma-separated list of all authorized external networks each time you want to add or remove a network. Each authorized external network must be in CIDR format.

To update the list of authorized external networks on your instance, do the following:

Console

  1. Go to the Clusters page.

  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Authorized external networks, enter a comma-separated list of CIDR ranges. For each range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

  6. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to update the list of authorized external networks on your instance.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • INSTANCE_ID: ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID: ID of the cluster that you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID: region where you want the cluster placed.
  • CIDR_RANGE: comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.
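
Because each update overwrites the whole list, a change has to start from the networks already set. The following helper is an added example, not part of the AlloyDB documentation or tooling: it validates each CIDR block, merges additions and removals into the full replacement list, and builds the update command. The function names, the sample addresses, and the `min_prefix` threshold are assumptions for illustration.

```python
import ipaddress

# RFC 1918 ranges: the page says a private network can't be an authorized external network.
PRIVATE = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def normalize(cidr, min_prefix=16):
    """Return the canonical form of one CIDR block, or raise ValueError.

    min_prefix is a local policy threshold (assumption), not an AlloyDB limit.
    """
    net = ipaddress.IPv4Network(cidr.strip(), strict=False)  # masks stray host bits
    if any(net.subnet_of(p) for p in PRIVATE):
        raise ValueError(f"{cidr}: private range, not usable as an authorized external network")
    if net.prefixlen < min_prefix:
        raise ValueError(f"{cidr}: broader than /{min_prefix}")
    return str(net)

def replacement_list(current, add=(), remove=()):
    """Build the complete list to send, starting from what is configured now."""
    drop = {normalize(c, 0) for c in remove}
    keep = [normalize(c, 0) for c in current]  # existing entries are carried over as-is
    merged = [c for c in keep if c not in drop] + [normalize(c) for c in add]
    return sorted(set(merged), key=ipaddress.IPv4Network)

def update_command(instance, cluster, region, networks):
    """Return the gcloud argument vector from this page with the full list filled in."""
    if not networks:
        raise ValueError("refusing to send an empty authorized networks list")
    return ["gcloud", "alloydb", "instances", "update", instance,
            f"--cluster={cluster}", f"--region={region}",
            "--authorized-external-networks=" + ",".join(networks)]

if __name__ == "__main__":
    # Constructed sample values; read the real current list from `instances describe`.
    current = ["64.233.160.0/16", "198.51.100.0/24"]
    nets = replacement_list(current, add=["203.0.113.7/32"], remove=["198.51.100.0/24"])
    print(" ".join(update_command("INSTANCE_ID", "CLUSTER_ID", "REGION_ID", nets)))
```
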

Add outbound connectivity to an instance

You can enable outbound public IP to establish a connection from your AlloyDB instance to external sources. AlloyDB generates two outbound public IP addresses that remain consistent until you disable outbound connectivity on your instance. You can only enable outbound public IP for primary and secondary instances.

To enable outbound public IP, do the following:

Console

  1. Go to the Clusters page.

  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Outbound Public IP Connectivity, select the Enable Outbound Public IP checkbox to support outbound connections.

  6. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to enable outbound public IP on your instance.

gcloud alloydb instances update INSTANCE_ID \
    --cluster=CLUSTER_ID  \
    --region=REGION_ID  \
    --outbound-public-ip

Replace the following:

  • INSTANCE_ID: ID of the instance you are adding outbound connectivity for.
  • CLUSTER_ID: ID of the cluster that you are adding outbound connectivity for.
  • REGION_ID: region where your cluster is placed.

View connectivity details for an instance

View the list of authorized external networks on your instance at any time and the assigned public IP address using the gcloud alloydb instances describe command. You can also view outbound public IP addresses, if you have enabled outbound connectivity on your instance.

To view the connectivity details, do the following:

Console

  1. Go to the Clusters page.

  2. Click a cluster in the Resource Name column.

  3. Go to the Instances in your cluster section.

You can find the Public IP resource that shows the public IP address and the Authorized External Networks resource that shows the authorized external network range, if configured. The outbound public IP addresses are populated in the Outbound Public IP Addresses resource.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

gcloud alloydb instances describe INSTANCE_ID \
    --cluster=CLUSTER_ID \
    --region=REGION_ID

Replace the following:

  • INSTANCE_ID: ID of the instance you are viewing. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID: ID of the cluster that you are viewing. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID: region where you want the cluster placed.
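
To review an instance's exposure, the describe output can be checked against the settings this page covers. The following is an added example, not part of the AlloyDB documentation: it parses JSON shaped like `gcloud alloydb instances describe ... --format=json` and lists the public IP, wide authorized ranges, SSL and connector settings, and outbound addresses. The field names follow the AlloyDB API Instance resource and are an assumption here, since the page does not show the output; the sample data and the `max_hosts` threshold are constructed.

```python
import ipaddress
import json

# Constructed sample; field names assumed from the AlloyDB API Instance resource.
SAMPLE = json.dumps({
    "publicIpAddress": "203.0.113.10",
    "outboundPublicIpAddresses": ["203.0.113.20", "203.0.113.21"],
    "networkConfig": {
        "enablePublicIp": True,
        "enableOutboundPublicIp": True,
        "authorizedExternalNetworks": [{"cidrRange": "64.233.0.0/16"},
                                       {"cidrRange": "198.51.100.4/32"}],
    },
    "clientConnectionConfig": {
        "requireConnectors": False,
        "sslConfig": {"sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"},
    },
})

def review(describe_json, max_hosts=256):
    """Return (setting, detail) pairs a reviewer should look at.

    max_hosts is a local review threshold (assumption), not an AlloyDB limit.
    """
    inst = json.loads(describe_json)
    net = inst.get("networkConfig", {})
    conn = inst.get("clientConnectionConfig", {})
    notes = []
    if net.get("enablePublicIp"):
        notes.append(("public-ip", inst.get("publicIpAddress", "unassigned")))
        for entry in net.get("authorizedExternalNetworks", []):
            cidr = ipaddress.ip_network(entry["cidrRange"], strict=False)
            if cidr.num_addresses > max_hosts:
                notes.append(("wide-authorized-network",
                              f"{cidr} covers {cidr.num_addresses} addresses"))
        if conn.get("sslConfig", {}).get("sslMode") == "ALLOW_UNENCRYPTED_AND_ENCRYPTED":
            notes.append(("non-ssl-allowed", "sslMode permits unencrypted connections"))
        if not conn.get("requireConnectors"):
            notes.append(("connectors-not-required", "requireConnectors is not set"))
    if net.get("enableOutboundPublicIp"):
        notes.append(("outbound-public-ip", ",".join(inst.get("outboundPublicIpAddresses", []))))
    return notes

if __name__ == "__main__":
    for setting, detail in review(SAMPLE):
        print(f"{setting}: {detail}")
```
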
