Connect using public IP

This page summarizes how to connect to databases served by AlloyDB for PostgreSQL using public IP. AlloyDB supports both inbound and outbound connections through two distinct options.

You can configure your AlloyDB instance to have a public IPv4 address for inbound connections and, optionally, to accept connections from specific external IP addresses or a range of addresses, called authorized external networks. Authorized networks are not required when you use AlloyDB Language Connectors or AlloyDB Auth Proxy to connect to your instance.

These authorized networks are only available when using public IP. You can't specify a private network as an authorized external network.

AlloyDB supports outbound connections when you enable outbound public IP on your instance. Outbound connectivity is useful for scenarios such as migrating your database to AlloyDB from external sources.

Create an AlloyDB instance

To create an instance with public IP, do the following:

Console

  1. Go to the Clusters page.

    Go to Clusters

  2. Click a cluster in the Resource Name column.

  3. In the Overview page, go to Instances in your cluster, and click Create primary instance.

  4. Configure your primary instance:

    1. In the Instance ID field, enter an ID for your primary instance.
    2. Under Zonal availability, select one of the following options:
      1. To create a highly available production instance with automated failover, select Multiple zones (Highly available).
      2. To create a basic instance that does not need to be highly available, select Single zone.
    3. Select a machine type.
    4. Under Connectivity, select Enable Public IP to support inbound connections.
    5. Optional: To add outbound connectivity, under Outbound Public IP Addresses, select Enable Outbound Public IP.
    6. Optional: To configure SSL or connector requirements on the instance, expand Advanced configuration options, then do the following:
      1. By default, AlloyDB instances require all connections to use SSL encryption. To allow non-SSL connections, clear the Only allow SSL connections checkbox.
      2. To require that all database connections to the instance use the AlloyDB Auth Proxy or the secure connector libraries provided by Google, select Require connectors.
    7. Optional: To restrict direct connections to specific IP addresses, add a comma-separated list of CIDR ranges:
      1. Under Authorized external networks, enter a comma-separated list of CIDR ranges. For each CIDR range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.
    8. Click Create instance.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

For more information about creating other instance types, see Create a read pool instance and Create a secondary instance.

Use the gcloud alloydb instances create command to create an instance.

  gcloud alloydb instances create INSTANCE_ID \
      --instance-type=PRIMARY \
      --cpu-count=CPU_COUNT \
      --region=REGION_ID \
      --cluster=CLUSTER_ID \
      --project=PROJECT_ID \
      --assign-inbound-public-ip=ASSIGN_IPV4

Replace the following:

  • INSTANCE_ID : the ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CPU_COUNT : the number of vCPUs you want for the instance. Valid values include the following:
    • 2 : 2 vCPUs, 16 GB RAM
    • 4 : 4 vCPUs, 32 GB RAM
    • 8 : 8 vCPUs, 64 GB RAM
    • 16 : 16 vCPUs, 128 GB RAM
    • 32 : 32 vCPUs, 256 GB RAM
    • 64 : 64 vCPUs, 512 GB RAM
    • 96 : 96 vCPUs, 768 GB RAM
    • 128 : 128 vCPUs, 864 GB RAM
  • REGION_ID : the region where you want the instance placed.
  • CLUSTER_ID : the ID of the cluster you created earlier.

Optional: Add authorized external networks

Add a comma-separated list of CIDR ranges if you want to restrict direct connections to specific IP addresses.

  gcloud alloydb instances create INSTANCE_ID \
      --instance-type=PRIMARY \
      --cpu-count=CPU_COUNT \
      --region=REGION_ID \
      --cluster=CLUSTER_ID \
      --project=PROJECT_ID \
      --assign-inbound-public-ip=ASSIGN_IPV4 \
      --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • CIDR_RANGE : a comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

Optional: Add outbound connectivity

Add the --outbound-public-ip flag to enable outbound public IP addresses. You can only enable outbound public IP for primary and secondary instances.

  gcloud alloydb instances create INSTANCE_ID \
      --instance-type=PRIMARY \
      --cpu-count=CPU_COUNT \
      --region=REGION_ID \
      --cluster=CLUSTER_ID \
      --project=PROJECT_ID \
      --assign-inbound-public-ip=ASSIGN_IPV4 \
      --outbound-public-ip

Enable public IP on an instance

To enable inbound connectivity using public IP, do the following:

Console

  1. Go to the Clusters page.

    Go to Clusters

  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Connectivity, select the Enable Public IP checkbox to support inbound connections.

  6. Optional: Under Authorized external networks, enter a comma-separated list of CIDR ranges if you want to restrict direct connections to specific IP addresses.

    For each CIDR range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

  7. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to enable public IP on your instance.

  gcloud alloydb instances update INSTANCE_ID \
      --cluster=CLUSTER_ID \
      --region=REGION_ID \
      --assign-inbound-public-ip=ASSIGN_IPV4

Replace the following:

  • INSTANCE_ID : ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID : ID of the cluster that you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID : region where you want the cluster placed.

Optional: Add authorized external networks

Add a comma-separated list of CIDR ranges if you want to restrict direct connections to specific IP addresses.

  gcloud alloydb instances update INSTANCE_ID \
      --cluster=CLUSTER_ID \
      --region=REGION_ID \
      --assign-inbound-public-ip=ASSIGN_IPV4 \
      --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • CIDR_RANGE : a comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

Disable public IP on an instance

When you disable public IP on your instance, AlloyDB removes the public IP address from your instance and clears the authorized networks list. Any inbound connections to your instance fail. Authorized external networks can only be used with public IP.

To disable public IP, do the following:

Console

  1. Go to the Clusters page.

    Go to Clusters

  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Connectivity, clear the Enable Public IP checkbox to stop inbound connections.

  6. Optional: Under Authorized external networks, delete the comma-separated CIDR range.

  7. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to disable public IP on your instance.

  gcloud alloydb instances update INSTANCE_ID \
      --cluster=CLUSTER_ID \
      --region=REGION_ID \
      --assign-inbound-public-ip=NO_PUBLIC_IP

Replace the following:

  • INSTANCE_ID : ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID : ID of the cluster that you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID : region where you want the cluster placed.

Update the authorized external networks for an instance

You can update the list of authorized external networks on your instance at any time. Public IP must be enabled on your instance when updating the authorized external networks list.

Authorized external networks can't be added or removed individually, and the networks list is overridden each time the update list command is run. To update authorized external networks on your instance, you'll need to provide a comma-separated list of all authorized external networks each time you want to add or remove a network. Each authorized external network must be in CIDR format.

To update the list of authorized external networks on your instance, do the following:

Console

  1. Go to the Clusters page.

    Go to Clusters

  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Authorized external networks, enter a comma-separated list of CIDR ranges. For each CIDR range, enter a CIDR block, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.

  6. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to update the authorized external networks on your instance.

  gcloud alloydb instances update INSTANCE_ID \
      --cluster=CLUSTER_ID \
      --region=REGION_ID \
      --authorized-external-networks=CIDR_RANGE1,CIDR_RANGE2,...

Replace the following:

  • INSTANCE_ID : ID of the instance you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID : ID of the cluster that you are creating. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID : region where you want the cluster placed.
  • CIDR_RANGE : comma-separated list of CIDR blocks, such as 64.233.160.0/16. To minimize the potential attack surface, keep the list of addresses as small as possible.
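
Because each update overwrites the authorized external networks list, a single add or remove is a read-modify-write of the whole list. The following is an added example, not part of the AlloyDB documentation: a POSIX shell helper that builds the complete list before the update command is issued. The function names, instance, cluster and region names, and sample addresses are constructed; refusing /0 and treating RFC 1918 ranges as the "private network" case are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the AlloyDB documentation.
# --authorized-external-networks replaces the whole list, so every change
# has to send the complete desired list, not just the delta.

# valid_cidr CIDR: accept IPv4 a.b.c.d/n with octets 0-255 and prefix 1-32.
# Policy choices of this example: /0 is refused, and RFC 1918 ranges are
# refused as the "private network" case (assumed interpretation).
valid_cidr() (
  case $1 in */*) ;; *) exit 1 ;; esac
  ip=${1%/*} prefix=${1#*/}
  case $prefix in ''|*[!0-9]*|???*) exit 1 ;; esac
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || exit 1
  case $ip in *[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  case $ip in 10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) exit 1 ;; esac
  IFS=.; set -f; set -- $ip
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
)

# merge_networks CURRENT ADD REMOVE: three comma-separated lists.
# Prints CURRENT plus ADD minus REMOVE, de-duplicated, in first-seen order.
merge_networks() (
  remove=$3 out=
  IFS=,; set -f
  for entry in $1 $2; do
    [ -n "$entry" ] || continue
    valid_cidr "$entry" || { echo "invalid CIDR: $entry" >&2; exit 1; }
    case ",$remove," in *",$entry,"*) continue ;; esac
    case ",$out," in *",$entry,"*) continue ;; esac
    out=${out:+$out,}$entry
  done
  printf '%s\n' "$out"
)

# update_command INSTANCE CLUSTER REGION LIST: print (not run) the update.
update_command() {
  printf 'gcloud alloydb instances update %s --cluster=%s --region=%s \\\n' "$1" "$2" "$3"
  printf '    --authorized-external-networks=%s\n' "$4"
}

# Constructed sample values: current list, one range to add, one to remove.
current="203.0.113.0/24,198.51.100.7/32"
new_list=$(merge_networks "$current" "192.0.2.10/32" "198.51.100.7/32")
update_command my-instance my-cluster us-central1 "$new_list"
```

The script only prints the command so the resulting list can be reviewed before it replaces the one on the instance.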

Add outbound connectivity to an instance

You can enable outbound public IP to establish a connection from your AlloyDB instance to external sources. AlloyDB generates two outbound public IP addresses that remain consistent until you disable outbound connectivity on your instance. You can only enable outbound public IP for primary and secondary instances.

To enable outbound public IP, do the following:

Console

  1. Go to the Clusters page.

    Go to Clusters

  2. Click a cluster in the Resource Name column.

  3. In the Overview page that opens, go to the Instances in your cluster section, and locate your primary instance.

  4. Click Instance actions > Edit.

  5. Under Outbound Public IP Connectivity, select the Enable Outbound Public IP checkbox to support outbound connections.

  6. Click Update instance to save your changes.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud alloydb instances update command to enable outbound public IP on your instance.

  gcloud alloydb instances update INSTANCE_ID \
      --cluster=CLUSTER_ID \
      --region=REGION_ID \
      --outbound-public-ip

Replace the following:

  • INSTANCE_ID : ID of the instance you are adding outbound connectivity for.
  • CLUSTER_ID : ID of the cluster that you are adding outbound connectivity for.
  • REGION_ID : region where your cluster is placed.

View connectivity details for an instance

View the list of authorized external networks on your instance at any time and the assigned public IP address using the gcloud alloydb instances describe command. You can also view outbound public IP addresses, if you have enabled outbound connectivity on your instance.

To view the connectivity details, do the following:

Console

  1. Go to the Clusters page.

    Go to Clusters

  2. Click a cluster in the Resource Name column.

  3. Go to the Connectivity page, where you can view information about your public IP configuration, including Public IP Connectivity and Outbound Public IP.

    To view your public IP information, you can also choose an instance from Instances in your cluster and then click View connectivity configuration.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

  gcloud alloydb instances describe INSTANCE_ID \
      --cluster=CLUSTER_ID \
      --region=REGION_ID

Replace the following:

  • INSTANCE_ID : ID of the instance you are viewing. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • CLUSTER_ID : ID of the cluster that you are viewing. It must begin with a lowercase letter and can contain lowercase letters, numbers, and hyphens.
  • REGION_ID : region where you want the cluster placed.

What's next
