Configure an AlloyDB for PostgreSQL database for CDC
Stay organized with collectionsSave and categorize content based on your preferences.
This page describes how to configure change data capture (CDC) to
stream data from an AlloyDB for PostgreSQL database to asupported destination,
such as BigQuery or Cloud Storage.
Set up connectivity between Datastream and AlloyDB
To enable Datastream to connect to the AlloyDB instance, you need to set up a TCP proxy in the consumer project. TheTCP proxy imageis publicly available to all customers.
Launch the proxy container:
Activate Cloud Shell in the consumer project.
Run the following script to create the TCP proxy and disable bridge
networking to avoid connectivity issues:
Enable logical decoding for the AlloyDB primary instance. In Google Cloud, set
the value for thealloydb.logical_decodingflag toON. For information about
updating the database flags, seeConfigure an instance's database flags.
Connect to the AlloyDB instance using the TCP proxy IP address by running the
following command from any VM on the same VPC:
psql-hPROXY_IP\-UDB_USER\-dDB_NAME
Replace the following:
PROXY_IP: The IP address of the TCP proxy.
DB_USER: The username for the AlloyDB database.
DB_NAME: The AlloyDB database name.
Run the following command to grant replication privileges to your database user:
ALTER USERDB_USERWITH REPLICATION;
Create a publication. We recommend that you create a publication only for the
tables that you want to replicate. This allows Datastream to read-only
the relevant data, and lowers the load on the database and Datastream:
PUBLICATION_NAME: The name of your publication. You'll
need to provide this name when you create a stream in the Datastream
stream creation wizard.
SCHEMA: The name of the schema that contains the table.
TABLE: The name of the table that you want to replicate.
You can also create a publication for all tables in your database. Note that
this approach increases the load on both the source database and Datastream:
CREATE PUBLICATIONPUBLICATION_NAMEFOR ALL TABLES;
Create a replication slot by executing the following command.
REPLICATION_SLOT_NAME: The name of your replication slot.
You'll need to provide this name when you create a stream in the Datastream
stream creation wizard.
Create a Datastream user
To create a Datastream user, enter the following PostgreSQL command:
USER_NAME: The name of the Datastream user that you want
to create.
USER_PASSWORD: The login password for the Datastream user
that you want to create.
Grant the following privileges to the user you created:
GRANT SELECT ON ALL TABLES IN SCHEMASCHEMA_NAMETOUSER_NAME;
GRANT USAGE ON SCHEMASCHEMA_NAMETOUSER_NAME;
ALTER DEFAULT PRIVILEGES IN SCHEMASCHEMA_NAMEGRANT SELECT ON TABLES TOUSER_NAME;
Replace the following:
SCHEMA_NAME: The name of the schema to which you want to grant
the privileges.
USER_NAME: The user to whom you want to grant the privileges.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide explains how to configure an AlloyDB for PostgreSQL database to work with Datastream, beginning with setting up a TCP proxy for connectivity.\u003c/p\u003e\n"],["\u003cp\u003eTo enable Datastream's connection to the AlloyDB instance, a TCP proxy must be launched in the consumer project using a provided script, replacing placeholders with appropriate values.\u003c/p\u003e\n"],["\u003cp\u003eLogical decoding must be enabled on the AlloyDB primary instance, along with granting replication privileges to a designated database user via the provided command, and creating a publication for tables to be replicated.\u003c/p\u003e\n"],["\u003cp\u003eA dedicated Datastream user must be created with specific privileges, including replication login and select permissions on tables and schemas, using the provided commands.\u003c/p\u003e\n"],["\u003cp\u003eAfter completing the setup, you can use the TCP proxy IP address for the connection profile, and create a stream in the Datastream stream creation wizard using the publication and replication slot names.\u003c/p\u003e\n"]]],[],null,["# Configure an AlloyDB for PostgreSQL database\n\nThe following sections cover how to configure an AlloyDB for PostgreSQL database.\n\nSet up connectivity between Datastream and AlloyDB\n--------------------------------------------------\n\nTo enable Datastream to connect to the AlloyDB instance, you need to set up a TCP proxy in the consumer project. The [TCP proxy image](http://gcr.io/dms-images/tcp-proxy) is publicly available to all customers.\n\n1. Launch the proxy container:\n\n 1. Activate Cloud Shell in the consumer project.\n 2. Run the following script to create the TCP proxy and disable bridge networking to avoid connectivity issues:\n\n gcloud compute instances create-with-container \\\n --zone=\u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e \\\n --container-image gcr.io/dms-images/tcp-proxy \\\n --tags=dms-tcp-proxy \\\n --container-env=SOURCE_CONFIG=\u003cvar translate=\"no\"\u003eALLOYDB_IP\u003c/var\u003e:\u003cvar translate=\"no\"\u003eALLOYDB_PORT\u003c/var\u003e \\\n --can-ip-forward \\\n --network=\u003cvar translate=\"no\"\u003eSOURCE_AND_DEST_VPC\u003c/var\u003e \\\n --machine-type=\u003cvar translate=\"no\"\u003eVM_TIER\u003c/var\u003e \\\n --metadata=startup-script='#! /bin/bash\n mkdir -p /etc/docker\n cat \u003c\u003cEOF \u003e /etc/docker/daemon.json\n {\"bridge\":\"none\"}\n EOF\n systemctl restart docker'\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e: The region in which you want to create the TCP proxy.\n - \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e: The name of the virtual machine.\n - \u003cvar translate=\"no\"\u003eALLOYDB_IP\u003c/var\u003e: The IP address of the AlloyDB for PostgreSQL instance.\n - \u003cvar translate=\"no\"\u003eALLOYDB_PORT\u003c/var\u003e: The port number of the AlloyDB for PostgreSQL instance.\n - \u003cvar translate=\"no\"\u003eSOURCE_AND_DEST_VPC\u003c/var\u003e: The VPC network to which the source and destination are connected.\n - \u003cvar translate=\"no\"\u003eVM_TIER\u003c/var\u003e: The type of your virtual machine.\n\n An example command with updated parameters: \n\n gcloud compute instances create-with-container \\\n --zone=us-central1-c ds-tcp-proxy \\\n --container-image gcr.io/dms-images/tcp-proxy \\\n --tags=ds-tcp-proxy \\\n --container-env=SOURCE_CONFIG=10.16.0.5:5432 \\\n --can-ip-forward \\\n --network=default \\\n --machine-type=e2-micro\n --metadata=startup-script='#! /bin/bash\n mkdir -p /etc/docker\n cat \u003c\u003cEOF \u003e /etc/docker/daemon.json\n {\"bridge\":\"none\"}\n EOF\n systemctl restart docker'\n\n | You may receive a prompt to authorize Cloud Shell. Click **AUTHORIZE**.\n2. Run the script to print the IP address of the TCP Proxy with the following inputs:\n\n gcloud compute instances describe \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e \\\n --format=\"yaml(networkInterfaces[].networkIP)\" \\\n --zone=\u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e: The name of your virtual machine.\n - \u003cvar translate=\"no\"\u003eREGION_ID\u003c/var\u003e: The region in which you created the TCP proxy.\n\n | Use this IP address in the Datastream [connection profile](/datastream/docs/create-connection-profiles#cp4postgresdb) configuration.\n3. (Optional) Create a firewall rule to limit ingress traffic to the TCP proxy:\n\n gcloud compute firewall-rules create \u003cvar translate=\"no\"\u003eFIREWALL_RULE_NAME\u003c/var\u003e \\\n --direction=INGRESS \\\n --priority=1000 \\\n --target-tags=dms-tcp-proxy \\\n --network=\u003cvar translate=\"no\"\u003eSOURCE_VPC\u003c/var\u003e \\\n --action=ALLOW \\\n --rules=tcp:\u003cvar translate=\"no\"\u003eALLOYDB_PORT\u003c/var\u003e \\\n --source-ranges=\u003cvar translate=\"no\"\u003eIP_RANGE\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eFIREWALL_RULE_NAME\u003c/var\u003e: The name of your firewall rule.\n - \u003cvar translate=\"no\"\u003eSOURCE_VPC\u003c/var\u003e: The VPC network to which your source is connected.\n - \u003cvar translate=\"no\"\u003eALLOYDB_PORT\u003c/var\u003e: The port number of the AlloyDB for PostgreSQL instance.\n - \u003cvar translate=\"no\"\u003eIP_RANGE\u003c/var\u003e: The IP address range to which you want to limit ingress traffic.\n\n An example command to allow ingress traffic from all IP addresses: \n\n gcloud compute firewall-rules create ds-proxy1 \\\n --direction=INGRESS \\\n --priority=1000 \\\n --target-tags=ds-tcp-proxy \\\n --network=default \\\n --action=ALLOW \\\n --rules=tcp:5432\n\nConfigure AlloyDB for replication\n---------------------------------\n\n1. Enable logical decoding for the AlloyDB primary instance. In Google Cloud, set\n the value for the `alloydb.logical_decoding` flag to **ON** . For information about\n updating the database flags, see [Configure an instance's database flags](/alloydb/docs/instance-configure-database-flags).\n\n | **Note:** Updating the `alloydb.logical_decoding` flag restarts the instance.\n2. Connect to the AlloyDB instance using the TCP proxy IP address by running the\n following command from any VM on the same VPC:\n\n psql -h \u003cvar translate=\"no\"\u003ePROXY_IP\u003c/var\u003e \\\n -U \u003cvar translate=\"no\"\u003eDB_USER\u003c/var\u003e \\\n -d \u003cvar translate=\"no\"\u003eDB_NAME\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROXY_IP\u003c/var\u003e: The IP address of the TCP proxy.\n - \u003cvar translate=\"no\"\u003eDB_USER\u003c/var\u003e: The username for the AlloyDB database.\n - \u003cvar translate=\"no\"\u003eDB_NAME\u003c/var\u003e: The AlloyDB database name.\n3. Run the following command to grant replication privileges to your database user:\n\n ```\n ALTER USER DB_USER WITH REPLICATION;\n ```\n4. Create a publication. We recommend that you create a publication only for the\n tables that you want to replicate. This allows Datastream to read-only\n the relevant data, and lowers the load on the database and Datastream:\n\n ```\n CREATE PUBLICATION PUBLICATION_NAME\n FOR TABLE SCHEMA1.TABLE1, SCHEMA2.TABLE2;\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePUBLICATION_NAME\u003c/var\u003e: The name of your publication. You'll need to provide this name when you create a stream in the Datastream stream creation wizard.\n - \u003cvar translate=\"no\"\u003eSCHEMA\u003c/var\u003e: The name of the schema that contains the table.\n - \u003cvar translate=\"no\"\u003eTABLE\u003c/var\u003e: The name of the table that you want to replicate.\n\n You can also create a publication for all tables in your database. Note that\n this approach increases the load on both the source database and Datastream: \n\n ```\n CREATE PUBLICATION PUBLICATION_NAME FOR ALL TABLES;\n ```\n | For PostgreSQL 15 and later, you can create a publication for all tables in a schema. This approach lets you replicate changes for tables in the specified list of schemas, including tables that you create in the future: \n |\n | ```\n | CREATE PUBLICATION PUBLICATION_NAME\n | FOR TABLES IN SCHEMA SCHEMA1, SCHEMA2;\n | ```\n5. Create a replication slot by executing the following command.\n\n ```\n SELECT PG_CREATE_LOGICAL_REPLICATION_SLOT('REPLICATION_SLOT_NAME', 'pgoutput');\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eREPLICATION_SLOT_NAME\u003c/var\u003e: The name of your replication slot. You'll need to provide this name when you create a stream in the Datastream stream creation wizard.\n\nCreate a Datastream user\n------------------------\n\n1. To create a Datastream user, enter the following PostgreSQL command:\n\n ```\n CREATE USER USER_NAME WITH REPLICATION LOGIN PASSWORD 'USER_PASSWORD';\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eUSER_NAME\u003c/var\u003e: The name of the Datastream user that you want to create.\n - \u003cvar translate=\"no\"\u003eUSER_PASSWORD\u003c/var\u003e: The login password for the Datastream user that you want to create.\n2. Grant the following privileges to the user you created:\n\n ```\n GRANT SELECT ON ALL TABLES IN SCHEMA SCHEMA_NAME TO USER_NAME;\n GRANT USAGE ON SCHEMA SCHEMA_NAME TO USER_NAME;\n ALTER DEFAULT PRIVILEGES IN SCHEMA SCHEMA_NAME GRANT SELECT ON TABLES TO USER_NAME;\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSCHEMA_NAME\u003c/var\u003e: The name of the schema to which you want to grant the privileges.\n - \u003cvar translate=\"no\"\u003eUSER_NAME\u003c/var\u003e: The user to whom you want to grant the privileges.\n\n | The first command might display warnings, however it is safe to ignore them.\n\nWhat's next\n-----------\n\n- Learn more about how Datastream works with [PostgreSQL sources](/datastream/docs/sources-postgresql)."]]
