To create a migration in Database Migration Service, connectivity must be
established between the source instance and the AlloyDB
destination instance. There are various methods supported. Choose the one that
works best for the specific workload.
Networking method
Description
Advantages
Disadvantages
IP allowlist
This method works by configuring the source database server to accept connections
from the outgoing IP of the Cloud SQL instance.
If you choose this method, then Database Migration Service guides you
through the setup process during the migration creation.
Easy to configure.
Doesn't require any custom firewall configuration.
Network traffic occurs over the public Internet.
Less secure.
Decreased performance.
Proxy via cloud-hosted VM - Reverse-SSH tunnel
Establishes connectivity from the destination to the source through a
secure reverse SSH tunnel.
Requires a bastion host VM in the Google Cloud Platform project as well as a machine
(for example, a laptop on the network) that has connectivity to the
source.
Database Migration Service collects the required information at
migration creation time, and auto-generates the script for setting it
all up.
Easy to configure.
Doesn't require any custom firewall configuration.
Recommended for short-lived migration scenarios (POC or small
database migrations).
The bastion VM is owned and managed by you, and may incur additional
costs.
Proxy via cloud-hosted VM - TCP
Establishes connectivity from the destination to the source using a TCP proxy through a cloud hosted VM.
Database Migration Service collects the required information at
migration creation time, and auto-generates the script for setting it
all up.
Relevant on AlloyDB migrations where the source is on the old network architecture.
Easy to configure.
Doesn't require any custom firewall configuration.
The bastion VM is owned and managed by you, and may incur additional
costs.
VPC peering
This method works by configuring the VPCs to communicate with one another.
Native Google Cloud solution.
Easy to configure.
High bandwidth.
Recommended for long-running or high-volume migrations.
Applicable if both the source and destination databases are hosted in
Google Cloud, or if the source is connected to the destination VPC
using a VPN (cloud-hosted or on-premises) or Cloud Interconnect.
Private Service Connect interfaces
Private Service Connect interfaces let your destination
database initiate connections to the private IP of your source
database without consuming peering quota. Instead, this connectivity method
utilizes network attachments you create in your VPC.
Establishes connections to your source private IP by using a network attachment.
This method doesn't consume peering quota in your VPC.
The easiest source private connectivity method to configure.
Requires setting up a network attachment and adjusting firewall rules.
You can't modify the network attachment after you establish the
connection.
For more information about private services access and
Private Service Connect in
AlloyDB for PostgreSQL,
see Private IP overview
in the AlloyDB for PostgreSQL documentation.
Connectivity limitations
The PostgreSQL to AlloyDB connectivity has the following limitations:
AlloyDB supports private connectivity using private services access. Assigning a public IP address to a cluster is not supported.
You can't change the VPC with which the AlloyDB cluster is peered after the cluster is created.
Because AlloyDB uses private services access which internally uses VPC peering, transitive peering isn't supported. Your AlloyDB cluster can only reach internal IP addresses in the same VPC with which it is peered. In order to reach other VPCs, you must use an intermediary proxy. For more details, see the following section.
Common connectivity scenarios and solutions
Migrate from a Cloud SQL instance in the old producer network architecture
Figure 1. A private connection facilitated by the TCP proxy VM
(click to enlarge)
To migrate from a Cloud SQL for PostgreSQL instance in the old producer
network architecture, you must establish connectivity using an intermediary
proxy. This is because it isn't possible to have direct connectivity between
the source Cloud SQL instance and the AlloyDB destination.
You can set up your own proxy solution, although we recommend setting up
the TCP proxy VM with the auto-generated script provided by Database Migration Service.
See TCP proxy connectivity method.
Migrate from a source in the same Google Cloud project but in a different VPC
Because the VPC in which the AlloyDB cluster resides can't be changed after the cluster is created, you have the following options:
The recommended option is to change the VPC of the source instance to match the VPC of the destination instance. For example, if you want to migrate a Cloud SQL instance to AlloyDB, update the Cloud SQL VPC to match the AlloyDB VPC.
To add another network interface, append --network-interface network=SOURCE_NETWORK_NAME to the gcloud compute instances create-with-container command that appears in the script.
Migrate from a source in a different Google Cloud project
To migrate from a source in a different Google Cloud project, you must either migrate over the internet, or, for internal Google Cloud connectivity, use a shared VPC. Select one of the following options:
Use a shared VPC without a proxy. If you want your AlloyDB cluster to reside in a shared VPC, then simply select the VPC where your source resides when creating the cluster. This way, source and destination have direct connectivity.
Use a shared VPC with a proxy. If you don't want your AlloyDB cluster to reside in a shared VPC, then you must use an intermediary proxy. You can set up your own proxy solution, but we recommend using the TCP proxy connectivity method. Follow these guidelines to create a TCP proxy with an additional network interface on a shared VPC.
Migrate without allowing the destination to reach the network of the source
This method is recommended when migrating from an on-premise network, where there's a concern of opening the network's firewall to incoming Google Cloud traffic. For this scenario, you can set up a reverse proxy using a Compute Engine instance as an intermediary proxy. We recommend using the reverse SSH connectivity method.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eDatabase Migration Service requires establishing connectivity between the source instance and the AlloyDB destination instance for migrations, with several methods available.\u003c/p\u003e\n"],["\u003cp\u003eThe IP allowlist method is suitable for short-lived migrations, offering ease of configuration but transmitting network traffic over the public internet, which affects security and performance.\u003c/p\u003e\n"],["\u003cp\u003eProxy methods via cloud-hosted VMs, using either Reverse-SSH tunnels or TCP proxies, are recommended for short-lived migrations and offer ease of configuration without custom firewall adjustments.\u003c/p\u003e\n"],["\u003cp\u003eVPC peering is a native Google Cloud solution that provides high bandwidth and is ideal for long-running or high-volume migrations, but it is only available if both source and destination are hosted in Google Cloud or are connected to the same VPC.\u003c/p\u003e\n"],["\u003cp\u003eFor sources in different networks or on-premise instances, using a proxy or migrating over the public internet are viable options, and there are guides to aid with this process.\u003c/p\u003e\n"]]],[],null,["# Networking methods\n\n\u003cbr /\u003e\n\n[MySQL](/database-migration/docs/mysql/networking-methods \"View this page for the MySQL version of Database Migration Service.\") \\| [PostgreSQL](/database-migration/docs/postgres/networking-methods \"View this page for the PostgreSQL version of Database Migration Service.\") \\| PostgreSQL to AlloyDB\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nOverview\n--------\n\nTo create a migration in Database Migration Service, connectivity must be established between the source instance and the AlloyDB destination instance. There are various methods supported. Choose the one that works best for the specific workload. \n\nConnectivity limitations\n------------------------\n\nThe PostgreSQL to AlloyDB connectivity has the following limitations:\n\n- AlloyDB supports private connectivity using [private services access](/alloydb/docs/configure-connectivity). Assigning a public IP address to a cluster is not supported.\n- You can't change the VPC with which the AlloyDB cluster is peered after the cluster is created.\n- Because AlloyDB uses private services access which internally uses VPC peering, [transitive peering](/vpc/docs/vpc-peering#specifications) isn't supported. Your AlloyDB cluster can only reach internal IP addresses in the same VPC with which it is peered. In order to reach other VPCs, you must use an intermediary proxy. For more details, see the following section.\n\nCommon connectivity scenarios and solutions\n-------------------------------------------\n\n### Migrate from a Cloud SQL instance in the old producer network architecture\n\n[](#lightbox-trigger) **Figure 1.** A private connection facilitated by the TCP proxy VM (click to enlarge)\n\nTo migrate from a Cloud SQL for PostgreSQL instance in the old producer\nnetwork architecture, you must establish connectivity using an intermediary\nproxy. This is because it isn't possible to have direct connectivity between\nthe source Cloud SQL instance and the AlloyDB destination.\nYou can set up your own proxy solution, although we recommend setting up\nthe TCP proxy VM with the auto-generated script provided by Database Migration Service.\nSee [TCP proxy connectivity method](/database-migration/docs/postgresql-to-alloydb/configure-connectivity-tcp-proxy-via-cloud-hosted-vm).\n\n### Migrate from a source in the same Google Cloud project but in a different VPC\n\nBecause the VPC in which the AlloyDB cluster resides can't be changed after the cluster is created, you have the following options:\n\n- The recommended option is to change the VPC of the source instance to match the VPC of the destination instance. For example, if you want to migrate a Cloud SQL instance to AlloyDB, [update the Cloud SQL VPC](/sql/docs/postgres/configure-private-ip#existing-private-instance) to match the AlloyDB VPC.\n\n | **Caution:** Configuring a private IP address for an existing Cloud SQL instance causes the instance to restart, resulting in downtime.\n- If it's not possible to change the VPC of the source instance to match the VPC of the destination instance, then use an intermediary virtual machine (VM) as a proxy. You can set up your own proxy solution, although we recommend using the [TCP proxy connectivity method](/database-migration/docs/postgresql-to-alloydb/configure-connectivity-tcp-proxy-via-cloud-hosted-vm). After Database Migration Service generates your script in the Google Cloud console, add another network interface to the command for creating a TCP proxy instance, and configure it to match the VPC of the source instance. This way, the proxy has connectivity to both the source and destination VPCs.\n\n To add another network interface, append `--network-interface network=SOURCE_NETWORK_NAME` to the `gcloud compute instances create-with-container` command that appears in the script.\n | **Note:** For custom mode VPC networks, you have to explicitly specify the subnet. The argument you need to append is `--network-interface network=SOURCE_NETWORK_NAME,subnet=`\u003cvar translate=\"no\"\u003eSOURCE_SUBNET_NAME\u003c/var\u003e.\n\n An example command to create the proxy: \n\n ```bash\n gcloud compute instances create-with-container … \\\n --network-interface subnet=DESTINATION-SUBNET-NAME \\\n --network-interface network=SOURCE-NETWORK-NAME\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eDESTINATION-SUBNET-NAME\u003c/var\u003e: The name of the destination subnet.\n - \u003cvar translate=\"no\"\u003eSOURCE-NETWORK-NAME\u003c/var\u003e: The name of the source network.\n\nFor more information, see [Create VM instances with multiple network interfaces](/vpc/docs/create-use-multiple-interfaces#creating_virtual_machine_instances_with_multiple_network_interfaces).\n\n### Migrate over the public internet\n\nThis method is recommended when migrating from an on-premise instance or from\nother cloud providers, where there's no existing VPN or Interconnect connection\nto Google Cloud. To use this method, you need to\n[configure your destination AlloyDB cluster to use an outbound public IP address](/alloydb/docs/connect-public-ip#add-outbound-connectivity).\n\n### Migrate from a source in a different Google Cloud project\n\nTo migrate from a source in a different Google Cloud project, you must either migrate over the internet, or, for internal Google Cloud connectivity, use a shared VPC. Select one of the following options:\n\n- Use a shared VPC without a proxy. If you want your AlloyDB cluster to reside in a shared VPC, then simply select the VPC where your source resides when creating the cluster. This way, source and destination have direct connectivity.\n\n- Use a shared VPC with a proxy. If you don't want your AlloyDB cluster to reside in a shared VPC, then you must use an intermediary proxy. You can set up your own proxy solution, but we recommend using the [TCP proxy connectivity method](/database-migration/docs/postgresql-to-alloydb/configure-connectivity-tcp-proxy-via-cloud-hosted-vm). Follow [these guidelines](#intermediaryproxy) to create a TCP proxy with an additional network interface on a shared VPC.\n\n### Migrate without allowing the destination to reach the network of the source\n\nThis method is recommended when migrating from an on-premise network, where there's a concern of opening the network's firewall to incoming Google Cloud traffic. For this scenario, you can set up a reverse proxy using a Compute Engine instance as an intermediary proxy. We recommend using the [reverse SSH connectivity method](/database-migration/docs/postgresql-to-alloydb/configure-connectivity-reverse-ssh-tunnel)."]]
