Configure SSL enforcement mode on AlloyDB instances
Stay organized with collections
Save and categorize content based on your preferences.
This page shows how to configure the SSL enforcement mode on AlloyDB for PostgreSQL instances.
By default, an AlloyDB instance accepts only connections using SSL.
AlloyDB uses SSL to establish secure, authenticated, and encrypted
connections to AlloyDB instances. In addition, a configurable SSL
enforcement mode ensures that all database connections to an instance use SSL
encryption.
This topic covers how to configure the SSL enforcement mode on an existing instance.
For information about how to configure the SSL enforcement mode when you create
an instance, see create a primary instance.
In the Overview page, go to the Instances in your cluster
section, and click Edit primary.
In the Edit primary instance pane, expand Advanced configuration options.
Enable Only allow SSL connections. By default, this option is enabled.
Click Update instance.
gcloud
Use the gcloud alloydb instances update
command with the --ssl-mode=ENCRYPTED_ONLY argument to allow only encrypted
database connections to an AlloyDB instance.
INSTANCE_ID: The ID of the instance that you are updating.
REGION_ID: The region where the instance is placed.
CLUSTER_ID: The ID of the cluster where the instance is placed.
PROJECT_ID: The ID of the project where the cluster is placed.
To allow unencrypted database connections to an instance, use the
gcloud alloydb instances update command with the --ssl-mode=ALLOW_UNENCRYPTED_AND_ENCRYPTED
argument.
If the command returns an error message that includes the phrase
invalid cluster state MAINTENANCE, then the cluster is undergoing routine
maintenance. This temporarily disallows instance reconfiguration. Run the command
again after the cluster returns to a READY state. To check the cluster's
status, see View cluster details.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eAlloyDB instances, by default, only accept connections that use SSL, ensuring secure, authenticated, and encrypted communication.\u003c/p\u003e\n"],["\u003cp\u003eYou can configure the SSL enforcement mode on an existing AlloyDB instance to enforce or allow only encrypted connections.\u003c/p\u003e\n"],["\u003cp\u003eThe Google Cloud Console allows you to enforce SSL connections by enabling the "Only allow SSL connections" option within the instance's advanced configuration.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egcloud alloydb instances update\u003c/code\u003e command offers options to either require encrypted connections (\u003ccode\u003e--ssl-mode=ENCRYPTED_ONLY\u003c/code\u003e) or allow both encrypted and unencrypted connections (\u003ccode\u003e--ssl-mode=ALLOW_UNENCRYPTED_AND_ENCRYPTED\u003c/code\u003e).\u003c/p\u003e\n"],["\u003cp\u003eTo configure SSL, you'll need a project enabled for AlloyDB and one of the required IAM roles: \u003ccode\u003eroles/alloydb.admin\u003c/code\u003e, \u003ccode\u003eroles/owner\u003c/code\u003e, or \u003ccode\u003eroles/editor\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Configure SSL enforcement mode on AlloyDB instances\n\nThis page shows how to configure the SSL enforcement mode on AlloyDB for PostgreSQL instances.\n\nBy default, an AlloyDB instance accepts only connections using SSL.\n\nAlloyDB uses SSL to establish secure, authenticated, and encrypted\nconnections to AlloyDB instances. In addition, a configurable SSL\nenforcement mode ensures that all database connections to an instance use SSL\nencryption.\n\nThis topic covers how to configure the SSL enforcement mode on an existing instance.\nFor information about how to configure the SSL enforcement mode when you create\nan instance, see [create a primary instance](/alloydb/docs/instance-primary-create).\n\n\nBefore you begin\n----------------\n\n- The Google Cloud project you are using must have been [enabled to access AlloyDB](/alloydb/docs/project-enable-access).\n- You must have one of these IAM roles in the Google Cloud project you are using:\n - `roles/alloydb.admin` (the AlloyDB Admin predefined IAM role)\n - `roles/owner` (the Owner basic IAM role)\n - `roles/editor` (the Editor basic IAM role)\n\n If you don't have any of these roles, contact your Organization Administrator to request\n access.\n\n\u003cbr /\u003e\n\nConfigure the SSL enforcement mode on an instance\n-------------------------------------------------\n\n\nTo use the gcloud CLI, you can\n[install and initialize](/sdk/docs/install) the Google Cloud CLI, or you\ncan use [Cloud Shell](/shell/docs/using-cloud-shell).\n\n\u003cbr /\u003e\n\n### Console\n\n1. Go to the **Clusters** page.\n\n [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)\n2. Click a cluster in the **Resource name** column.\n3. In the **Overview** page, go to the **Instances in your cluster** section, and click **Edit primary**.\n4. In the **Edit primary instance** pane, expand **Advanced configuration options**.\n5. Enable **Only allow SSL connections**. By default, this option is enabled.\n6. Click **Update instance**.\n\n### gcloud\n\nUse the [`gcloud alloydb instances update`](/sdk/gcloud/reference/beta/alloydb/instances/update)\ncommand with the `--ssl-mode=ENCRYPTED_ONLY` argument to allow only encrypted\ndatabase connections to an AlloyDB instance. \n\n gcloud alloydb instances update \u003cvar translate=\"no\"\u003eINSTANCE_ID\u003c/var\u003e \\\n --region=\u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e \\\n --cluster=\u003cvar translate=\"no\"\u003eCLUSTER_ID\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --ssl-mode=ENCRYPTED_ONLY\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eINSTANCE_ID\u003c/var\u003e: The ID of the instance that you are updating.\n- \u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e: The region where the instance is placed.\n- \u003cvar translate=\"no\"\u003eCLUSTER_ID\u003c/var\u003e: The ID of the cluster where the instance is placed.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The ID of the project where the cluster is placed.\n\nTo allow unencrypted database connections to an instance, use the\n`gcloud alloydb instances update` command with the `--ssl-mode=ALLOW_UNENCRYPTED_AND_ENCRYPTED`\nargument. \n\n gcloud alloydb instances update \u003cvar translate=\"no\"\u003eINSTANCE_ID\u003c/var\u003e \\\n --region=\u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e \\\n --cluster=\u003cvar translate=\"no\"\u003eCLUSTER_ID\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --ssl-mode=ALLOW_UNENCRYPTED_AND_ENCRYPTED\n\nIf the command returns an error message that includes the phrase\n`invalid cluster state MAINTENANCE`, then the cluster is undergoing routine\nmaintenance. This temporarily disallows instance reconfiguration. Run the command\nagain after the cluster returns to a `READY` state. To check the cluster's\nstatus, see [View cluster details](/alloydb/docs/cluster-view)."]]
