Improve instance security by enforcing SSL or TLS encryption
Stay organized with collections
Save and categorize content based on your preferences.
The AlloyDB enforce SSL mode recommender helps you detect instances which are critical and have a risk of data loss.
This page describes the AlloyDB enforce SSL mode recommender, how this recommender works, and how to use it.
The AlloyDB enforce SSL mode recommender analyzes instance metadata.
If the instance is a production instance and does not enforce encryption requirements for direct connections,
it is recommended to enable SSL mode.
Recommendations are generated daily.
Before you begin
Before you can view recommendations and insights, do the following:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=REQUIRE_SSL
Replace the following:
PROJECT_ID: Your project ID.
LOCATION: A region where your istances are located, such as us-central1.
View insights and detailed recommendations
You can view insights and detailed recommendations about instances
that require enforcing SSL mode using the Google Cloud console,
gcloud CLI, or the Recommender API.
To view insights and detailed recommendations, follow these steps:
Console
On the Clusters page, click the Allows direct unencrypted connections recommendation for an instance in the Issues column.
The recommendation panel appears, which contains insights and detailed recommendations.
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=SSL_NOT_REQUIRED
Replace the following:
PROJECT_ID: Your project ID.
LOCATION : A region where your instances are located, such as us-central1.
Apply the recommendation
Evaluate the recommendation carefully and do any of the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThe AlloyDB enforce SSL mode recommender identifies production instances that do not enforce encryption for direct connections and suggests enabling SSL mode to prevent potential data loss.\u003c/p\u003e\n"],["\u003cp\u003eRecommendations to enforce SSL mode are generated daily based on the analysis of instance metadata and can be viewed through the Google Cloud console, \u003ccode\u003egcloud CLI\u003c/code\u003e, or the Recommender API.\u003c/p\u003e\n"],["\u003cp\u003eTo view and manage these recommendations, you need to enable the Recommender API and have the appropriate IAM roles, specifically \u003ccode\u003erecommender.alloydbViewer\u003c/code\u003e for viewing and \u003ccode\u003erecommender.alloydbAdmin\u003c/code\u003e or \u003ccode\u003ealloydb.admin\u003c/code\u003e for applying them.\u003c/p\u003e\n"],["\u003cp\u003eYou can implement the recommendation by enforcing SSL/TLS mode on your instance via the Google Cloud console or \u003ccode\u003egcloud CLI\u003c/code\u003e, to secure direct connections to your production instances.\u003c/p\u003e\n"],["\u003cp\u003eGemini in Databases is a pre-GA feature and will have limited support, and falls under the "Pre-GA Offerings Terms" as outlined in the General Service Terms.\u003c/p\u003e\n"]]],[],null,["# Improve instance security by enforcing SSL or TLS encryption\n\nThe AlloyDB enforce SSL mode [recommender](/recommender/docs/overview) helps you detect instances which are critical and have a risk of data loss.\n\nThis page describes the AlloyDB enforce SSL mode recommender, how this recommender works, and how to use it.\n\nThe AlloyDB enforce SSL mode recommender analyzes instance metadata.\nIf the instance is a production instance and does not enforce encryption requirements for direct connections,\nit is recommended to enable SSL mode.\n\nRecommendations are generated daily.\n\nBefore you begin\n----------------\n\nBefore you can view recommendations and insights, do the following:\n\n- Ensure that you [enable the Recommender API](/recommender/docs/enabling).\n\n- To get the permissions to view and work with insights and recommendations,\n ensure that you have the required [Identity and Access Management (IAM) roles](/iam/docs/understanding-roles#cloud-alloydb-roles).\n\n \u003cbr /\u003e\n\n See [Grant access to other users](/alloydb/docs/user-grant-access) for more information.\n\nList the recommendations\n------------------------\n\nYou can list the enforce SSL mode recommendations\nusing the Google Cloud console, `gcloud CLI`, or the Recommender API. \n\n### Console\n\n1. In the Google Cloud console, go to the **Clusters** page.\n\n [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)\n\n For more information, see\n [Find recommendations with Recommendation Hub](/recommender/docs/recommendation-hub/identify-configuration-problems).\n2. In the **Security** card, click **Allows direct unencrypted connections**.\n\n A list of clusters with instances to which the **Allows direct unencrypted connections** recommendation applies is displayed.\n\n### gcloud CLI\n\nTo list the enforce SSL mode recommendations using gcloud CLI, run the [`gcloud recommender recommendations list`](/sdk/gcloud/reference/recommender/recommendations/list) command as follows: \n\n```\ngcloud recommender recommendations list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--recommender=google.alloydb.instance.SecurityRecommender \\\n--filter=recommenderSubtype=REQUIRE_SSL\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as `us-central1`.\n\n### API\n\nTo list enforce SSL mode recommendations using the [Recommendations API](/recommender/docs/using-api), call the\n[`recommendations.list`](/recommender/docs/reference/rest/v1/projects.locations.recommenders.recommendations/list)\nmethod as follows: \n\n```\nGET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=REQUIRE_SSL\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your istances are located, such as `us-central1`.\n\nView insights and detailed recommendations\n------------------------------------------\n\nYou can view insights and detailed recommendations about instances\nthat require enforcing SSL mode using the Google Cloud console,\n`gcloud CLI`, or the Recommender API.\n\nTo view insights and detailed recommendations, follow these steps: \n\n### Console\n\nOn the **Clusters** page, click the **Allows direct unencrypted connections** recommendation for an instance in the **Issues** column.\nThe recommendation panel appears, which contains insights and detailed recommendations.\n\n### gcloud CLI\n\nRun the [`gcloud recommender insights list`](/sdk/gcloud/reference/recommender/insights/list) command as follows: \n\n```\n\ngcloud recommender insights list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--insight-type=google.alloydb.instance.SecurityInsight \\\n--filter=insightSubtype=SSL_NOT_REQUIRED\n\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e : A region where your instances are located, such as `us-central1`.\n\n### API\n\nCall the [`insights.list`](/recommender/docs/reference/rest/v1/projects.locations.insightTypes.insights/list) method as follows: \n\n```\nGET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=SSL_NOT_REQUIRED\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e : A region where your instances are located, such as `us-central1`.\n\nApply the recommendation\n------------------------\n\nEvaluate the recommendation carefully and do any of the following: \n\n### Console\n\nTo implement the recommendation, [enforce SSL/TLS mode](/alloydb/docs/instance-ssl#configure_the_ssl_enforcement_mode_on_an_instance) on your instance.\n\n### gcloud CLI\n\nTo implement the recommendation, [enforce SSL/TLS mode](/alloydb/docs/instance-ssl#configure_the_ssl_enforcement_mode_on_an_instance) on your instance.\n\nWhat's next\n-----------\n\n- [Google Cloud recommenders](/recommender/docs/recommenders)"]]
