The following sections describe the steps for configuring SSL/TLS encryption for your source network connections. Refer to the section that matches your source database:
- Encrypt connections to self-hosted SQL Server databases
- Encrypt connections to Amazon RDS for SQL Server
- Encrypt connections to Microsoft Azure databases
- Encrypt connections to Cloud SQL for SQL Server
Encrypt connections to self-hosted SQL Server databases
The following sections contain details to help you configure SSL/TLS encryption for connections to self-hosted SQL Server sources.
Use basic encryption
To use basic encryption for connections to a self-hosted source, do the following:
- Make sure your source database server meets the requirements to use SSL certificates. For more information, see Certificate requirements for SQL Server in the Microsoft documentation.
- Obtain a TLS certificate signed by a trusted Certificate Authority (CA). Consult your organization policies to make sure you use the right channels to get the certificate.
  It is possible to use self-signed certificates for this purpose (for example, generated with the openssl command-line tool), but we don't recommend them for production use. Your security systems might flag self-signed certificates as a vulnerability.
- On your source database server, do the following:
  - Install the server certificate by using SQL Server Configuration Manager. For more information, see Install a certificate for a single SQL Server instance in the Microsoft documentation.
    Now when client applications connect to your server, they can request to use SSL connections. Your server presents its certificate when Database Migration Service establishes the connection.
  - Optional: Enforce SSL encryption for all client connections.
    To further increase security, you can configure your server to always require that client applications use encrypted connections. For more information, see Enforce SSL connections for SQL Server in the Microsoft documentation.
- You don't need to prepare any more certificate files. Make sure you select the Basic encryption type when you create the source connection profile.
Use TLS variant
To use TLS encryption for connections to a self-hosted source, do the following:
- Make sure your source database server meets the requirements to use SSL certificates. For more information, see Certificate requirements for SQL Server in the Microsoft documentation.
- Obtain an SSL/TLS certificate signed by a trusted Certificate Authority (CA). Consult your organization policies to make sure you use the right channels to get the certificate. Make sure you save the x509 PEM-encoded root CA certificate that signs your server certificate. You need to provide it for the source connection profile in Database Migration Service.
  It is possible to use self-signed certificates for this purpose (for example, generated with the openssl command-line tool), but we don't recommend them for production use. Your security systems might flag self-signed certificates as a vulnerability.
- On your source database server, do the following:
  - Install the server certificate by using SQL Server Configuration Manager. For more information, see Install a certificate for a single SQL Server instance in the Microsoft documentation.
    Now when client applications connect to your server, they can request to use SSL connections. Your server presents its certificate when Database Migration Service establishes the connection.
  - Optional: Enforce SSL encryption for all client connections.
    To further increase security, you can configure your server to always require that client applications use encrypted connections. For more information, see Enforce SSL connections for SQL Server in the Microsoft documentation.
- At a later stage, when you create the source connection profile, do the following:
  - Select TLS for the encryption type.
  - In the Source CA certificate section, click Browse and upload the x509 PEM-encoded root CA certificate that signs your server certificate.
Encrypt connections to Amazon RDS for SQL Server
The following sections contain details to help you configure SSL/TLS encryption for connections to Amazon RDS for SQL Server sources.
Use basic encryption
By default, Amazon RDS for SQL Server uses SSL/TLS encryption when the connecting client requests it in the connection string. You can optionally enforce SSL/TLS for all connections, but you don't need to configure anything on your Amazon RDS source to use basic encryption.
To use basic encryption, select the Basic encryption type when you create the source connection profile.
Use TLS variant
To use TLS encryption for connections to Amazon RDS for SQL Server, do the following:
- By default, Amazon RDS for SQL Server uses SSL/TLS encryption when the connecting client requests it in the connection string. You don't need to enable any specific configuration on your source.
  Optional: Enforce SSL encryption for all client connections.
  To further increase security, you can configure your server to always require that client applications use encrypted connections. For more information, see Forcing connections to your DB instance to use SSL in the Amazon RDS documentation.
- Download the x509 PEM-encoded root CA certificate that signs your server certificate. This certificate is included in the certificate bundles provided by AWS. For more information, see Download certificate bundles in the Amazon RDS documentation.
- At a later stage, when you create the source connection profile, do the following:
  - Select TLS for the encryption type.
  - In the Source CA certificate section, click Browse and upload the x509 PEM-encoded root CA certificate you downloaded in the certificate bundle.
Encrypt connections to Microsoft Azure databases
The following sections contain details to help you configure SSL/TLS encryption for connections to Microsoft Azure SQL Managed Instance or Microsoft Azure SQL Database source databases.
Use basic encryption
By default, Microsoft Azure SQL Managed Instance and Microsoft Azure SQL Database require that all client connections use SSL/TLS encryption. You don't need to configure anything on your source database.
It's not possible to connect to SQL Server Azure sources without encryption. When you create the source connection profile, at minimum you must use the Basic encryption type.
Use TLS variant
To use TLS encryption for connections to SQL Server sources in Microsoft Azure, do the following:
- By default, Microsoft Azure SQL Managed Instance and Microsoft Azure SQL Database require that all client connections use SSL/TLS encryption. You don't need to configure anything on your source database.
- Download the x509 PEM-encoded root CA certificate that signs your server certificate. For SQL Server sources on Microsoft Azure, you need to use the Baltimore CyberTrust Root. For more information, see Azure Certificate Authority details in the Microsoft documentation.
- At a later stage, when you create the source connection profile, do the following:
  - Select TLS for the encryption type.
  - In the Source CA certificate section, click Browse and upload the x509 PEM-encoded Baltimore CyberTrust Root certificate.
Encrypt connections to Cloud SQL for SQL Server
The following sections contain details to help you configure SSL/TLS encryption for connections to Cloud SQL for SQL Server sources.
Use basic encryption
By default, Cloud SQL for SQL Server instances accept both encrypted and unencrypted client connections. You can optionally enforce SSL/TLS for all connections, but you don't need to configure anything on your Cloud SQL source to use basic encryption.
To use basic encryption, select the Basic encryption type when you create the source connection profile.
Use TLS variant
To use TLS encryption for connections to Cloud SQL for SQL Server sources, do the following:
Console
- By default, Cloud SQL for SQL Server instances accept both encrypted and unencrypted client connections. You don't need to enable any specific configuration on your source.
  Optional: Enforce SSL encryption for all client connections.
  To further increase security, you can configure your server to always require that client applications use encrypted connections. For more information, see Enforce SSL/TLS encryption in the Cloud SQL for SQL Server documentation.
- Download the x509 PEM-encoded root CA certificate that signs your server certificate:
  - In the Google Cloud console, go to the Cloud SQL Instances page.
  - Click the name of your Cloud SQL for SQL Server source instance.
    The instance Overview page opens.
  - Go to the Connections > Security tab.
  - In the Manage server CA certificates section, click Download certificates.
    The server-ca.pem file downloads to your machine.
- At a later stage, when you create the source connection profile, do the following:
  - Select TLS for the encryption type.
  - In the Source CA certificate section, click Browse and upload the server-ca.pem you downloaded from your Cloud SQL for SQL Server instance.
gcloud
- Download the server certificate file.
  Cloud SQL creates a server certificate automatically when you create the instance. You need to download this file to later use it in the source connection profile. Run the gcloud sql ssl server-ca-certs list command as follows.
  Before using any of the command data below, make the following replacements:
  - CLOUDSQL_INSTANCE_NAME with the name of your Cloud SQL instance.
  - DIRECTORY_PATH with the path to the folder where you want to save the server certificate.
  Execute the following command:
  Linux, macOS, or Cloud Shell
      gcloud beta sql ssl server-ca-certs list \
        --format="value(cert)" \
        --instance=CLOUDSQL_INSTANCE_NAME > \
        DIRECTORY_PATH/server-ca.pem
  Windows (PowerShell)
      gcloud beta sql ssl server-ca-certs list `
        --format="value(cert)" `
        --instance=CLOUDSQL_INSTANCE_NAME > `
        DIRECTORY_PATH/server-ca.pem
  Windows (cmd.exe)
      gcloud beta sql ssl server-ca-certs list ^
        --format="value(cert)" ^
        --instance=CLOUDSQL_INSTANCE_NAME > ^
        DIRECTORY_PATH/server-ca.pem
  Result:
  The server-ca.pem file is now downloaded to your machine.
- At a later stage, when you create the source connection profile, do the following:
  - Select TLS for the encryption type.
  - In the Source CA certificate section, click Browse and upload the server-ca.pem you downloaded from your Cloud SQL for SQL Server instance.
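The checks below are an added example, not part of the original page or of any vendor tooling. Before you upload a file as the Source CA certificate in any of the TLS procedures above, they confirm that the file parses as an X.509 PEM certificate, is self-issued, is not close to expiry, and actually signs the server certificate. The function names, the 30-day default and the constructed sample certificates are assumptions; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: pre-upload checks for the PEM file used as the Source CA
# certificate. Function names and the 30-day default are hypothetical.

# Count certificates in a PEM file (provider bundles can hold several).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Pass only if the first certificate in the file parses as X.509, is
# self-issued (subject == issuer, as a root is) and stays valid for at
# least $2 more days (default 30). Only the first certificate is examined.
root_ca_ok() {
    file=$1; days=${2:-30}
    openssl x509 -in "$file" -noout 2>/dev/null ||
        { echo "$file: not an X.509 PEM certificate" >&2; return 1; }
    [ "$(openssl x509 -in "$file" -noout -subject_hash)" = \
      "$(openssl x509 -in "$file" -noout -issuer_hash)" ] ||
        { echo "$file: not self-issued, so not a root" >&2; return 1; }
    openssl x509 -in "$file" -noout -checkend "$((days * 86400))" >/dev/null ||
        { echo "$file: expires within $days days" >&2; return 1; }
}

# Pass only if server certificate $2 chains to root $1 and to nothing else:
# -trusted makes $1 the sole trust anchor, ignoring the system CA store.
signs_server_cert() {
    openssl verify -trusted "$1" "$2" >/dev/null 2>&1
}

# Build a constructed (sample) root and server certificate in directory $1.
make_constructed_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=sqlserver.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.pem" 2>/dev/null
}
```

If `pem_cert_count` reports more than one certificate, split the bundle and run `root_ca_ok` and `signs_server_cert` on each certificate to find the one that signs your server certificate.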
What's next
All source connections can be configured to use SSL/TLS encryption, regardless of the networking method you use. To learn more about source database network connectivity, see Source database networking methods.
To get a complete, step-by-step migration walkthrough, see SQL Server to Cloud SQL for PostgreSQL migration guide.