Create a source connection profile
Stay organized with collections Save and categorize content based on your preferences.

MySQL | PostgreSQL | PostgreSQL to AlloyDB

You can create a connection profile on its own or in the context of creating a specific migration job. Either way, all connection profiles are available for review and modification on the Connection profiles page, and can be reused across migration jobs.

Creating a source connection profile on its own is useful if the person who has the source access information is not the same person who creates the migration job. You can also reuse a source connection profile definition in multiple migration jobs.

To create a source connection profile, follow these steps:

Console

Go to the Connection profiles page in the Google Cloud Console.
Click Create profile.
On the Create a connection profile page, from the Profile role list, select Source.
From the Database engine list, select your source database engine.
If you select Cloud SQL for MySQL from this list, then an Instance ID list appears. Select the ID of the Cloud SQL instance that you want to migrate.
In the Connection profile name field, enter a human-readable name for your connection profile. This value is displayed in the connection profile list.
Keep the auto-generated Connection profile ID.
Enter a Hostname or IP address.
- If the source database is hosted in Google Cloud, or if a reverse SSH tunnel is used to connect the destination database to the source database, then specify the private (internal) IP address for the source database. This address will be accessible by the Cloud SQL destination. For more information, see Configure connectivity using VPC peering.
  For other connectivity methods, such as IP allowlist, provide the public IP address.
- MySQL limits the hostname to 60 characters. Amazon RDS database hostnames are typically longer than 60 characters. If this is the case for the database you're migrating, then configure a DNS redirect to create a CNAME record that associates your domain name with the domain name of your RDS DB instance. You can read more about setting up DNS CNAME in Google Cloud or in AWS Route53.
Enter the Port that's used to access the host. The default MySQL port is 3306.
Enter a username and password for the destination database. The user account must have the required privileges to access your data. For more information, see Configure your source database.
In the Connection profile region section of the page, select the region where you want to save the connection profile.
Connection profiles, like all resources, are saved in a region. Region selection doesn't impact which migration jobs can use them, or which regions can connect to the data location itself, but can impact availability in the case of regional downtime.
Optional: If the connection is made over a public network (by using IP allowlists), then we recommend that you use SSL/TLS encryption for the connection between the source and destination databases.
In the Secure your connection section, from the Encryption type list, you can select one of the following SSL/TLS configuration options:
- None: The Cloud SQL destination instance connects to the source database without encryption. We recommend that you don't use this option if your database requires encrypted connections.
- Basic: The Cloud SQL destination instance connects to the source database with encryption but doesn't verify the certificate authority (CA).
  This option is the default for Microsoft Azure sources. Microsoft Azure sources require that all client connections use SSL/TLS encryption. At minimum, Microsoft Azure connection profiles must use basic encryption. If you don't want to use encryption to connect to the source, set require_secure_transport to off. For more information about the require_secure_transport setting, see Configure your source.
- TLS authentication: When the Cloud SQL destination instance connects to the source database, the instance authenticates the source, ensuring that the instance is connecting to the correct host securely. This prevents person-in-the-middle (PITM) attacks. For TLS authentication, the source doesn't authenticate the instance.
  To use TLS authentication, you must provide the x509 PEM-encoded certificate of the CA that signed the external server's certificate.
  For more information about creating certificates and keys for your external server, see Creating SSL and RSA Certificates and Keys using MySQL.
- mTLS authentication: When the destination instance connects to the source, the instance authenticates the source and the source authenticates the instance.
  mTLS authentication provides the strongest security. However, if you don't want to provide the client certificate and private key when you create the Cloud SQL destination instance, you can still use TLS authentication.
  To use mTLS authentication, you must provide the following items when you create the destination connection profile:
  - The certificate of the CA that signed the source database server's certificate (the CA certificate).
  - The certificate used by the instance to authenticate against the source database server (the client certificate).
  - The private key associated with the client certificate (the client key).
  For more information about creating certificates and keys for your source database server, see Creating SSL and RSA Certificates and Keys using MySQL.
  If you're having trouble uploading the key, then select the Enter manually option, and copy and paste the key into the text area.
Click Create.
The Connection profiles page appears, and the newly created connection profile is displayed.

gcloud

This sample uses the optional --no-async flag so that all operations are performed synchronously. This means that some commands might take a while to complete. You can skip the --no-async flag to run commands asynchronously. If you do, you need to use the gcloud database-migration operations describe command to verify if your operation is successful.

Before using any of the command data below, make the following replacements:

CONNECTION_PROFILE_ID with a machine-readable identifier for your connection profile.
REGION with the identifier of the region where you want to save the connection profile.
HOST_IP_ADDRESS with the IP address where Database Migration Service can reach your source database instance. This value can vary depending on which connectivity method you use for your migration.
PORT_NUMBER with the port number where your source database accepts incoming connections. The default MySQL port is 3306.
USERNAME with the name of the database user account you want Database Migration Service to connect as to your source database instance.
PASSWORD with the password for the database user account.
(Optional) CONNECTION_PROFILE_NAME with a human-readable name for your connection profile. This value is displayed in the Google Cloud console.

Execute the following command:

Linux, macOS, or Cloud Shell

gclouddatabase-migrationconnection-profiles\ createmysqlCONNECTION_PROFILE_ID\--no-async\--region=REGION\--host=HOST_IP_ADDRESS\--port=PORT_NUMBER\--username=USERNAME\--password=PASSWORD\--display-name=CONNECTION_PROFILE_NAME

Windows (PowerShell)

gclouddatabase-migrationconnection-profiles` createmysqlCONNECTION_PROFILE_ID`--no-async`--region=REGION`--host=HOST_IP_ADDRESS`--port=PORT_NUMBER`--username=USERNAME`--password=PASSWORD`--display-name=CONNECTION_PROFILE_NAME

Windows (cmd.exe)

gclouddatabase-migrationconnection-profiles^ createmysqlCONNECTION_PROFILE_ID^ --no-async^ --region=REGION^ --host=HOST_IP_ADDRESS^ --port=PORT_NUMBER^ --username=USERNAME^ --password=PASSWORD^ --display-name=CONNECTION_PROFILE_NAME

You should receive a response similar to the following:

 Waiting for connection profile [CONNECTION_PROFILE_ID] to be created with [OPERATION_ID] Waiting for operation [OPERATION_ID] to complete...done. Created connection profile CONNECTION_PROFILE_ID [OPERATION_ID]

Configure your source

Review a migration job

Create a source connection profile Stay organized with collections Save and categorize content based on your preferences.