Control connector enforcement

This page shows how to secure connections by requiring applications to connect to AlloyDB for PostgreSQL instances only through connectors. It also provides steps to remove this enforcement on an instance.

By default, an AlloyDB instance accepts connections on two TCP ports:

  • Port 5432, the default PostgreSQL port that applications use to connect directly to the instance.

  • Port 5433, which connectors, including AlloyDB Auth Proxy, use to connect to the instance.

In other words, applications connect to a chosen connector on the host and port that the connector listens on, and that connector then communicates with your AlloyDB instance on the instance's port 5433.

This page covers how to enforce the use of connectors on an existing instance. For information about how to secure connections when you create an instance, see Create the primary instance.

Enforce connectors on an instance

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Console

  1. Go to the Clusters page.

  2. Click a cluster in the Resource name column.
  3. In the Overview page, go to the Instances in your cluster section, and click Edit primary.
  4. In the Edit primary instance pane, expand Advanced configuration options.
  5. Select Require connectors.
  6. Click Update instance.

gcloud

Use the gcloud alloydb instances update command with the --require-connectors flag to enforce connector use on an AlloyDB instance.

gcloud alloydb instances update INSTANCE_ID \
    --region=REGION_ID \
    --cluster=CLUSTER_ID \
    --project=PROJECT_ID \
    --require-connectors

Replace the following:

  • INSTANCE_ID: The ID of the instance that you are updating.
  • REGION_ID: The region where the instance is placed.
  • CLUSTER_ID: The ID of the cluster where the instance is placed.
  • PROJECT_ID: The ID of the project where the cluster is placed.

If the command returns an error message that includes the phrase invalid cluster state MAINTENANCE, then the cluster is undergoing routine maintenance. This temporarily disallows instance reconfiguration. Run the command again after the cluster returns to a READY state. To check the cluster's status, see View cluster details.
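To find instances that still accept direct connections, the following added example (not part of the original page or of Google's tooling) reads instance records as JSON and prints the update command from this page for each instance where enforcement is off. It assumes the JSON comes from gcloud alloydb instances list --format=json and that the setting appears as clientConnectionConfig.requireConnectors, the field name in the AlloyDB API instance resource; the sample records and their project, cluster and instance names are constructed.

```python
import json
import re
import shlex
import sys

# Resource name layout the AlloyDB API uses for an instance.
NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<region>[^/]+)"
    r"/clusters/(?P<cluster>[^/]+)/instances/(?P<instance>[^/]+)$"
)

# Constructed sample standing in for `gcloud alloydb instances list --format=json`.
SAMPLE = """[
 {"name": "projects/demo-proj/locations/us-central1/clusters/c1/instances/primary-1",
  "clientConnectionConfig": {"requireConnectors": true}},
 {"name": "projects/demo-proj/locations/us-central1/clusters/c1/instances/pool-1",
  "clientConnectionConfig": {"requireConnectors": false}},
 {"name": "projects/demo-proj/locations/us-central1/clusters/c2/instances/primary-2"}
]"""


def unenforced(instances):
    """Return parsed name parts for instances that do not require connectors."""
    findings = []
    for inst in instances:
        cfg = inst.get("clientConnectionConfig") or {}
        # A false boolean may be omitted from the JSON, so absence means "not enforced".
        if cfg.get("requireConnectors") is True:
            continue
        m = NAME_RE.match(inst.get("name", ""))
        if not m:
            raise ValueError(f"unexpected instance name: {inst.get('name')!r}")
        findings.append(m.groupdict())
    return findings


def remediation(f):
    """Build this page's update command for one finding, shell-quoted."""
    args = ["gcloud", "alloydb", "instances", "update", f["instance"],
            f"--region={f['region']}", f"--cluster={f['cluster']}",
            f"--project={f['project']}", "--require-connectors"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Pipe real JSON on stdin, or run with no input to use the constructed sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in unenforced(json.loads(raw)):
        print(remediation(finding))
```

The script only prints the commands; review them and run them yourself once the cluster is in a READY state.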

Disable connector enforcement on an instance

Console

  1. Go to the Clusters page.

  2. Click a cluster in the Resource name column.
  3. In the Overview page, go to the Instances in your cluster section, and click Edit primary.
  4. In the Edit primary instance pane, expand Advanced configuration options.
  5. Clear Require connectors.
  6. Click Update instance.

gcloud

Use the gcloud alloydb instances update command with the --no-require-connectors flag to disable connector enforcement on an AlloyDB instance.

gcloud alloydb instances update INSTANCE_ID \
    --region=REGION_ID \
    --cluster=CLUSTER_ID \
    --project=PROJECT_ID \
    --no-require-connectors

Replace the following:

  • INSTANCE_ID: The ID of the instance that you are updating.
  • REGION_ID: The region where the instance is placed.
  • CLUSTER_ID: The ID of the cluster where the instance is placed.
  • PROJECT_ID: The ID of the project where the cluster is placed.
