Google AlloyDB is getting Public IP

Gleb Otochkin
Google Cloud - Community
6 min read · Feb 6, 2024

Today, I’d like to discuss a new feature in AlloyDB: allowing connections to database instances using public IP addresses. This capability has been a long-standing request from our developer community. From the inception, we didn’t allow public IP connections to AlloyDB instances for security reasons. Exposing AlloyDB to the open internet increases the risk of security threats, and in general it is a recommended practice for production databases in enterprise environments to be accessible only from secure networks using private IPs. However, we’ve heard from many users that the inability to use public IP addresses for AlloyDB has made it difficult to evaluate new features and run benchmarks and tests. Using a bastion host or a gateway proxy to connect to AlloyDB adds complexity and friction, especially when you try to use your preferred database IDE. In response to this feedback, Google has started previewing inbound public IP connections for AlloyDB. This means that you can now connect to your AlloyDB instances directly from your laptop using the AlloyDB public IP address, without having to go through a gateway.

Enable the Public IP

Let’s have a look at how we can enable the public IP for our AlloyDB instances. As of February 2024 you need to use gcloud beta commands to enable the public IP on AlloyDB, and currently only IPv4 addresses are supported. So, the first step is to make sure you have the latest SDK. You can check the version of your gcloud beta components using a simple command:

gcloud components list --filter="gcloud Beta Commands" --show-versions

I strongly recommend using the latest available version. It is updated all the time and you can miss new options if you use an old version. All examples here were done using version 462.0.1 (from 2024.01.31).

You can enable public IP for any existing primary instance or read pool by executing the gcloud beta alloydb instances update command. Keep in mind that as of now you are not able to create a new instance or read pool with the public IP already enabled. That means you have to create it first and then enable the public IP. The command is simple enough, and here is how you enable the public IP only (I am using the AlloyDB read pool alloydb-aip-01-rp in the us-central1 region):

REGION=us-central1
ADBCLUSTER=alloydb-aip-01
gcloud beta alloydb instances update $ADBCLUSTER-rp \
--cluster=$ADBCLUSTER \
--region=$REGION \
--assign-inbound-public-ip=ASSIGN_IPV4

You’ve probably noticed “only” in my sentence and might ask why. The reason is that enabling the public IP doesn’t automatically allow connections to the instance using a direct IP address. You will need to use an AlloyDB connector or add your network to the list of authorized networks on the instance. You can read more about the AlloyDB connectors in the blog written by my colleagues Luke and Eno.

If you plan to use a direct IP connection, it makes sense to add the authorized networks at the same time as you enable the public IP. Here is an example where I add the public IP and three authorized networks to my read pool.

REGION=us-central1
ADBCLUSTER=alloydb-aip-01
gcloud beta alloydb instances update $ADBCLUSTER-rp \
--cluster=$ADBCLUSTER \
--region=$REGION \
--assign-inbound-public-ip=ASSIGN_IPV4 \
--authorized-external-networks=34.237.241.78/32,106.168.127.129/32

How can we see the assigned public IP and authorized networks? For now the web console doesn’t show it yet, but it can be retrieved using the gcloud command:

REGION=us-central1
ADBCLUSTER=alloydb-aip-01
gcloud beta alloydb instances describe $ADBCLUSTER-rp \
--cluster=$ADBCLUSTER \
--region=$REGION \
--format="value(publicIpAddress)"

And you can list the authorized networks using the following command:

REGION=us-central1
ADBCLUSTER=alloydb-aip-01
gcloud beta alloydb instances describe $ADBCLUSTER-rp \
--cluster=$ADBCLUSTER \
--region=$REGION \
--format="(networkConfig.authorizedExternalNetworks)"
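The authorized-networks list is the only thing standing between the public IP and the internet, so it is worth validating before it reaches gcloud. The following POSIX shell script is an added example (my own, not part of the original post or of the AlloyDB tooling): it rejects anything that is not an IPv4 CIDR (public IP is IPv4-only), refuses ranges wider than a configurable limit (the /24 limit, the MAX_PREFIX_WIDTH variable and the function names are assumptions), and only then builds the update command from the post. The command is printed rather than executed unless RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: validate the list handed to
# --authorized-external-networks so that a typo or an overly broad range
# such as 0.0.0.0/0 never lands in the instance configuration.

# Widest prefix we are willing to authorize (assumption); /32 is the norm.
MAX_PREFIX_WIDTH=${MAX_PREFIX_WIDTH:-24}

# valid_ipv4_cidr A.B.C.D/N -> 0 for a well-formed IPv4 CIDR, 1 otherwise
valid_ipv4_cidr() {
  cidr=$1
  # shape: four dotted decimal groups, a slash and a one- or two-digit prefix
  echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  ip=${cidr%/*}
  prefix=${cidr#*/}
  [ "$prefix" -le 32 ] || return 1
  # every octet must be in 0..255
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# check_authorized_networks "cidr1,cidr2,..." -> 0 when every entry is an
# IPv4 CIDR no wider than /$MAX_PREFIX_WIDTH, 1 (with a reason on stderr)
# otherwise. Entries are comma separated, as gcloud expects them.
check_authorized_networks() {
  list=$1
  [ -n "$list" ] || { echo "empty network list" >&2; return 1; }
  old_ifs=$IFS; IFS=,
  set -- $list
  IFS=$old_ifs
  for entry in "$@"; do
    if ! valid_ipv4_cidr "$entry"; then
      echo "rejected '$entry': not an IPv4 CIDR (public IP is IPv4-only)" >&2
      return 1
    fi
    if [ "${entry#*/}" -lt "$MAX_PREFIX_WIDTH" ]; then
      echo "rejected '$entry': wider than /$MAX_PREFIX_WIDTH" >&2
      return 1
    fi
  done
  return 0
}

# enable_public_ip CLUSTER REGION INSTANCE "cidr1,cidr2,..."
# Validates the list, prints the gcloud command from the post and runs it
# only when RUN=1 is set in the environment.
enable_public_ip() {
  cluster=$1; region=$2; instance=$3; networks=$4
  check_authorized_networks "$networks" || return 1
  cmd="gcloud beta alloydb instances update $instance --cluster=$cluster --region=$region --assign-inbound-public-ip=ASSIGN_IPV4 --authorized-external-networks=$networks"
  echo "$cmd"
  if [ "${RUN:-0}" = 1 ]; then
    $cmd
  fi
}

# Dry run with the read pool and networks used in this post:
enable_public_ip alloydb-aip-01 us-central1 alloydb-aip-01-rp \
  "34.237.241.78/32,106.168.127.129/32"
```

Running it as shown only prints the command; export RUN=1 once you are happy with the list. The width check is deliberately simple: for a test cluster you normally want a handful of /32 entries (your laptop, a CI runner), and anything broader deserves a second look rather than a silent update.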

Connect Using Public IP

Now let’s check how we can connect to the instance or read pool. We are going to start with connectors. Connectors provide several benefits: you don’t need to know the public IP itself, and you don’t need to know your own IP to put it in the authorized networks. That helps when you automate things.

To run the AlloyDB Auth proxy you need to be authenticated in Google Cloud as a principal with sufficient privileges to connect to AlloyDB. Your SDK (gcloud) configuration should use either your user account or saved credentials for a service account with the roles/alloydb.client (Cloud AlloyDB Client) and roles/serviceusage.serviceUsageConsumer (Service Usage Consumer) roles. You can read more about it in the documentation. The easiest way is to run gcloud auth login with an account that has sufficient permissions.

Then you need to download the utility for your platform. For example, I have the latest AlloyDB Auth proxy on my Mac M1 laptop. You can get the latest version from here.

macbookpro:~ gleb$ alloydb-auth-proxy --version
alloydb-auth-proxy version 1.7.0+darwin.arm64

To connect using public IP I need to know the AlloyDB cluster URI and it can be retrieved using the same gcloud utility:

REGION=us-central1
ADBCLUSTER=alloydb-aip-01
gcloud beta alloydb instances describe $ADBCLUSTER-rp \
--cluster=$ADBCLUSTER \
--region=$REGION \
--format="value(name)"

To start the proxy you supply the value returned above (the full instance URI) as the first argument and add the --public-ip parameter. Here I’ve combined the two commands:

REGION=us-central1
ADBCLUSTER=alloydb-aip-01
alloydb-auth-proxy $(gcloud beta alloydb instances describe $ADBCLUSTER-rp --cluster=$ADBCLUSTER --region=$REGION --format="value(name)") --public-ip

By default the AlloyDB Auth proxy listens on port 5432 on the local machine to accept connections. In your client you specify the host as 127.0.0.1 and leave the default port 5432. Here is how it looks with psql from another terminal session on my laptop:

macbookpro:~ gleb$ psql "host=localhost user=postgres"
Password for user postgres:
psql (15.2, server 14.9)
Type "help" for help.

postgres=> \l+
List of databases
Name | Owner | Encoding | Collate | Ctype | ICU Locale | Locale Provider | Access privileges | Size | Tablespace | Description
-----------------+------------------+----------+---------+---------+------------+-----------------+---------------------------------------+-----------+------------+--------------------------------------------
alloydbadmin | alloydbadmin | UTF8 | C.UTF-8 | C.UTF-8 | | libc | | 14 MB | pg_default |
alloydbmetadata | alloydbadmin | UTF8 | C.UTF-8 | C.UTF-8 | | libc | alloydbadmin=CTc/alloydbadmin +| No Access | pg_default |

That worked great, but if you decide to skip the AlloyDB proxy or connectors and connect directly using the IP with authorized networks, you just need the real public IP in your connection string, and you should make sure your tool uses SSL. Here is my connection using psql:

macbookpro:~ gleb$ psql "host=34.29.79.191 user=gleb dbname=quickstart_db sslmode=require"
psql (15.2, server 14.9)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.

quickstart_db=>

Let’s say a couple of words about security.

Security

You’ve probably noticed I added the sslmode=require option to my connection string, explicitly requiring SSL for the connection. By default all AlloyDB instances are created with sslMode: ENCRYPTED_ONLY. This is recommended and good practice to keep the connection protected, especially when you connect over a public network. Keep this option on.

The second thing I would note is that a public IP connection should probably be used only for tests, demos and similar tasks on databases without any real customer data. No real data should be exposed to the internet. In other words, public IP is meant to be enabled for clusters with only synthetic, benchmarking and demo datasets. And even for that data I recommend using a protected SSL connection.
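Relying on every client and every colleague to remember sslmode=require is fragile, so it helps to enforce it in the wrapper scripts that build connection strings. The POSIX shell functions below are an added example of mine (not from the original post): they read the sslmode from a libpq key=value connection string, raise it to at least require when it is missing or weaker (disable, allow, prefer), leave verify-ca and verify-full alone, and finally ask the server itself whether the session is encrypted via pg_stat_ssl. The function names are assumptions; the query and the psql flags are standard PostgreSQL.

```shell
#!/bin/sh
# Added example, not from the original post: make sure a libpq connection
# string always carries an sslmode that guarantees TLS before it is used
# against an AlloyDB public IP. Assumes a space-separated key=value
# conninfo without quoted values (the form used in this post).

# conninfo_sslmode "conninfo" -> prints the sslmode value, empty when absent
conninfo_sslmode() {
  for kv in $1; do
    case $kv in
      sslmode=*) echo "${kv#sslmode=}"; return 0 ;;
    esac
  done
  echo ""
}

# sslmode_is_strict MODE -> 0 when MODE guarantees an encrypted connection
# (require, verify-ca, verify-full), 1 for disable/allow/prefer or unknown
sslmode_is_strict() {
  case $1 in
    require|verify-ca|verify-full) return 0 ;;
    *) return 1 ;;
  esac
}

# harden_conninfo "conninfo" -> prints the conninfo with sslmode raised to
# at least require; an already strict mode is preserved unchanged
harden_conninfo() {
  mode=$(conninfo_sslmode "$1")
  if [ -z "$mode" ]; then
    echo "$1 sslmode=require"
  elif sslmode_is_strict "$mode"; then
    echo "$1"
  else
    out=""
    for kv in $1; do
      case $kv in
        sslmode=*) kv="sslmode=require" ;;
      esac
      out="$out${out:+ }$kv"
    done
    echo "$out"
  fi
}

# session_is_encrypted "conninfo" -> 0 when the live server reports the
# session as TLS-protected (needs a reachable instance; not run offline).
# pg_stat_ssl.ssl is true for the current backend when TLS is in use.
session_is_encrypted() {
  conn=$(harden_conninfo "$1")
  result=$(psql "$conn" -Atc \
    "select ssl from pg_stat_ssl where pid = pg_backend_pid()") || return 1
  [ "$result" = "t" ]
}

# Usage with the direct-IP connection string from this post (the host and
# user are the post's own values):
harden_conninfo "host=34.29.79.191 user=gleb dbname=quickstart_db"
# session_is_encrypted "host=34.29.79.191 user=gleb dbname=quickstart_db" && echo "TLS on"
```

The server-side query is the check I would keep even when the client is trusted: libpq's sslmode=prefer silently falls back to plaintext if the TLS handshake fails, and only pg_stat_ssl tells you what actually happened on the wire.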

Outbound Connections

Currently public IP supports only inbound IPv4 connections. So you will not be able to connect from AlloyDB to remote databases (for example through FDW) using that public IP, and you still need to use other network solutions for that.

Stay Tuned

The public IP features, options and tools are in active development, and this information is valid for early February 2024. All new features and changes will be published in the documentation. Stay tuned and keep all your tools updated to be able to use all the new features implemented in AlloyDB. Happy testing.
