# Enable external connections

Last updated 2025-08-25 UTC.
By default, a database cluster only allows connections from within the
[user cluster](/distributed-cloud/hosted/docs/latest/gdch/resources/resource-hierarchy#cluster) and the same project. To allow
external connections from IP addresses outside of your Google Distributed Cloud air-gapped organization:

### Console

1. Sign in to the GDC console with an account bound to the `project-networkpolicy-admin` role to create firewall rules.
2. From the main menu of the GDC console, choose **Firewall**.
3. In the **User created rules** section, click **Create**.
4. In **Firewall rule details**, create a name for your firewall rule.
5. In the **Direction of traffic** dialog, choose **INGRESS**.
6. In the **Target** dialog, choose **Service** and then select **dbs**.
7. In the **From** dialog, choose **Outside the organization** and enter the CIDR range from which you want to allow external connectivity.
8. Click **Create**.
9. Wait for the **Status** column of the new rule to show **Ready**.
10. Sign in to the GDC console with an account bound to the `project-db-admin` role.
11. From the main menu of the GDC console, choose **Database Service**.
12. Select the database cluster that you want to enable external connections to.
13. Check the **Allow external connections** line of the **Connectivity** section of the Database cluster overview to see whether external connections are already allowed.
14. In the **Connectivity** section of the Database cluster overview, click **Edit**.
15. Select the **Allow external connections** checkbox.
16. Click **SAVE**.

### API
1. Create a `ProjectNetworkPolicy` resource to allow external connections:

   ```yaml
   apiVersion: networking.gdc.goog/v1
   kind: ProjectNetworkPolicy
   metadata:
     name: allow-external-dbs
     namespace: USER_PROJECT
   spec:
     ingress:
     - from:
       - ipBlock:
           cidr: CIDR_RANGE
     policyType: Ingress
     subject:
       managedServices:
         matchTypes:
         - dbs
       subjectType: ManagedService
   ```

2. Update the database cluster to enable connections external to the organization:

   ```shell
   kubectl patch dbcluster.DBENGINE_NAME.dbadmin.gdc.goog DBCLUSTER_NAME -p '{"spec":{"allowExternalIncomingTraffic":true}}' --type=merge -n USER_PROJECT
   ```

Replace the following:

- `USER_PROJECT`: the name of the user project where the database cluster was created.
- `CIDR_RANGE`: the CIDR range from which you want to allow external connectivity.
- `DBENGINE_NAME`: the name of the database engine. This is one of `alloydbomni`, `postgresql` or `oracle`.
- `DBCLUSTER_NAME`: the name of the database cluster.
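The following Python script is an added example, not code from this documentation or from Google Distributed Cloud. It builds the `ProjectNetworkPolicy` manifest described above from a CIDR range that it validates first (rejecting malformed ranges, ranges with host bits set, and ranges broader than an assumed /16 such as `0.0.0.0/0`), and it audits a `kubectl get dbcluster... -o json` list for clusters whose `spec.allowExternalIncomingTraffic` is set, so you can see which database clusters are already reachable from outside the organization. The manifest fields and the `allowExternalIncomingTraffic` field come from the page; the minimum prefix length and the sample cluster list are constructed assumptions.

```python
"""Build a validated ProjectNetworkPolicy for the dbs service and audit which
database clusters allow external incoming traffic.

Added example, not part of the original documentation. The manifest fields
(networking.gdc.goog/v1, subject.managedServices.matchTypes: dbs) and the
spec.allowExternalIncomingTraffic field come from the page; MIN_PREFIX_LEN
and SAMPLE_CLUSTERS are constructed assumptions.
"""
import ipaddress
import json

# Assumption: refuse to open the dbs service to anything broader than a /16.
MIN_PREFIX_LEN = 16


def validate_cidr(cidr: str, min_prefix_len: int = MIN_PREFIX_LEN) -> str:
    """Return the normalized CIDR, or raise ValueError if it is malformed,
    has host bits set, or is broader than the allowed minimum prefix length."""
    # strict=True rejects e.g. 10.0.0.5/24 (host bits set), which usually
    # means the operator meant a single host or mistyped the prefix length.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen < min_prefix_len:
        raise ValueError(
            f"{cidr} is broader than /{min_prefix_len}; narrow the range "
            "to the clients that actually need database access")
    return str(net)


def build_policy(user_project: str, cidr: str,
                 name: str = "allow-external-dbs") -> dict:
    """Return the ProjectNetworkPolicy as a dict; kubectl apply accepts
    the JSON form produced by json.dumps()."""
    return {
        "apiVersion": "networking.gdc.goog/v1",
        "kind": "ProjectNetworkPolicy",
        "metadata": {"name": name, "namespace": user_project},
        "spec": {
            "policyType": "Ingress",
            "subject": {
                "subjectType": "ManagedService",
                "managedServices": {"matchTypes": ["dbs"]},
            },
            "ingress": [{"from": [{"ipBlock": {"cidr": validate_cidr(cidr)}}]}],
        },
    }


def externally_reachable(dbcluster_list: dict) -> list:
    """Given the JSON of `kubectl get dbcluster... -o json` (a List with
    `items`), return the names of clusters whose spec allows external
    incoming traffic. An absent field counts as the internal-only default."""
    return sorted(
        item["metadata"]["name"]
        for item in dbcluster_list.get("items", [])
        if item.get("spec", {}).get("allowExternalIncomingTraffic") is True
    )


# Constructed sample of what a `kubectl get ... -o json` list might contain.
SAMPLE_CLUSTERS = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "orders-pg", "namespace": "shop"},
         "spec": {"allowExternalIncomingTraffic": True}},
        {"metadata": {"name": "internal-pg", "namespace": "shop"},
         "spec": {"allowExternalIncomingTraffic": False}},
        {"metadata": {"name": "legacy-pg", "namespace": "shop"},
         "spec": {}},  # field absent: cluster stays internal-only
    ],
}

if __name__ == "__main__":
    # Render a manifest for a documentation-range CIDR (RFC 5737).
    print(json.dumps(build_policy("shop", "203.0.113.0/24"), indent=2))
    print("externally reachable:", externally_reachable(SAMPLE_CLUSTERS))
    for bad in ("0.0.0.0/0", "203.0.113.5/24"):
        try:
            validate_cidr(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Run the audit against live output with `kubectl get dbcluster.DBENGINE_NAME.dbadmin.gdc.goog -n USER_PROJECT -o json` fed to `externally_reachable()`; any cluster it lists should have a matching `ProjectNetworkPolicy` whose `ipBlock.cidr` is as narrow as the client population allows, since the console and API steps above open the `dbs` service to everything in that range.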