Configure connectivity using reverse SSH tunnel



Overview

You can establish connectivity from the destination database to the source database through a secure reverse SSH tunnel. This method requires a bastion host VM in the Google Cloud project as well as a machine (for example, a laptop on the network) that has connectivity to the source database.

Important: If your source is within a VPN (in AWS, for example, or your own on-premises VPN), your source connection profile should use the VPN IP address and port instead of the source IP address and port.

Database Migration Service for PostgreSQL collects the required information at migration creation time and auto-generates the script that sets it all up.

See the following diagram: [Reverse SSH tunnel diagram]

Set up a reverse SSH tunnel

The following steps are performed in the Database Migration Service flow for creating a migration job, to set up a reverse SSH tunnel between the source database and the Cloud SQL instance. After you provide some parameters, you execute a set of gcloud commands on a machine that has connectivity to both the source database and Google Cloud.

  1. Select the VM instance used to establish connectivity between the source database and the Cloud SQL instance. Typically this is a VM running in the VPC where the application accessing the new Cloud SQL database runs. The VM instance serves as the SSH tunnel bastion server.
  2. You can use an existing Compute Engine VM instance for this purpose.

    1. Choose the Compute Engine VM instance from the list.

    2. Provide a free port that the SSH tunnel can use.

    Note: For the reverse SSH tunnel to work, set the `GatewayPorts` parameter to `yes` in the /etc/ssh/sshd_config file on the bastion VM (the SSH server on which the tunnel terminates). Without it, sshd binds the forwarded port to the loopback address only, and the Cloud SQL instance cannot reach it. After you update the file, restart the sshd service using the sudo systemctl restart sshd.service command.

    If you don't want to change the configuration of your existing VM, then create a new VM.
  3. Alternatively, you can create a new VM at this step. Select CREATE A COMPUTE ENGINE VM INSTANCE and the generated script includes instructions to create it.

    1. Provide a name for the VM instance.

    2. Select a machine type for the VM.

    3. Specify a subnet for the VM.

    Note: A Compute Engine VM instance created by the script isn't managed by Database Migration Service. If one is created, then your organization is charged for the instance based on standard pricing, and is responsible for its management, including deleting the instance when it's no longer needed.
  4. Click VIEW SCRIPT to view the generated script.

    By default, the script assigns a public IP address to the Compute Engine VM server. If you want the IP address to be private, then do the following:

    Also, if you want to create a bastion host VM on a subnet that is on a shared VPC, then alter the export SUBNET_NAME command in the generated script to point to /projects/project_name/regions/region_name/subnetworks/subnetwork_name.

    For example:

    export SUBNET_NAME=projects/myproject/regions/myregion/subnetworks/mysubnetwork

    project_name is the name of the host project where the shared VPC is placed. region_name and subnetwork_name are the names of the region and subnetwork that are associated with that project's VPC.

    Make sure the replication connections section of the pg_hba.conf file or the AWS RDS security group definitions on the source database are updated to accept connections from the Cloud SQL VPC's IP address range. Because the tunnel is a reverse SSH forward, the source database also sees forwarded connections as originating from the machine on which you run the script (the SSH client end of the tunnel), so that machine's address must be allowed as well.

  5. Run the script on a machine that has access to both the source database and the Compute Engine VM. The script performs the following operations:

    • Configures the Compute Engine VM as an SSH tunnel bastion server.

    • Establishes a secure SSH connection between the source database and the VPC.

    • If you're creating a new Compute Engine VM, then after successfully running the script, copy the VM server IP from the script output and enter it in the provided text field. The Cloud SQL instance will be updated as needed when you later test or start the migration job.

  6. Click CONFIGURE & CONTINUE.

  7. Test your migration job to confirm that it can connect to your source database instance and migrate data to the destination Cloud SQL database instance.

  8. If your source is within a VPN (in AWS, for example, or your own on-premises VPN), proceed to the section on connecting VPCs through VPNs for more information on configuring the source VPN and Google Cloud VPN to work with each other.

  9. After your migration job is configured, connectivity is verified, and VPNs are configured successfully if necessary, you can run the job.
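The following shell helper is an added example, not the script Database Migration Service generates. It shows the two mechanics the procedure above depends on: checking that the bastion's sshd_config really enables GatewayPorts (the first uncommented occurrence is the one sshd honours, and a commented-out line does not count), and the form of the ssh -R command that makes the bastion listen on the free port you chose and forward each connection back to the source database. It also builds the shared-VPC subnet path and a gcloud command for an internal-IP-only bastion. The user name tunnel, bastion address 10.0.0.5, source host 192.0.2.10, port 5432, zone, machine type, and the sshd_config fragments are constructed placeholders.

```shell
#!/bin/sh
# Added example; not the DMS-generated script. Placeholder values
# (tunnel user, 10.0.0.5, 192.0.2.10, ports, zone) are assumptions.

# check_gateway_ports FILE
# Returns 0 if FILE (an sshd_config) enables GatewayPorts, 1 otherwise.
# sshd honours the first uncommented occurrence of a keyword, so only the
# first live "GatewayPorts" line is inspected; "yes" and "clientspecified"
# both let a remote forward bind 0.0.0.0, which the tunnel below needs.
check_gateway_ports() {
    val=$(grep -iE '^[[:space:]]*GatewayPorts[[:space:]]+' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    case "$val" in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_port N: 0 if N is an integer in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# reverse_tunnel_cmd USER BASTION_IP TUNNEL_PORT SOURCE_HOST SOURCE_PORT
# Prints the ssh command that opens the reverse tunnel. -R with a 0.0.0.0
# bind makes the bastion listen on TUNNEL_PORT on all interfaces (this is
# what GatewayPorts permits); each connection Cloud SQL makes to
# BASTION_IP:TUNNEL_PORT is carried back over SSH and, as seen by the
# source, originates at the host running this ssh client.
# ExitOnForwardFailure makes ssh fail instead of staying up with no tunnel.
reverse_tunnel_cmd() {
    valid_port "$3" || { echo "bad tunnel port: $3" >&2; return 1; }
    valid_port "$5" || { echo "bad source port: $5" >&2; return 1; }
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -R 0.0.0.0:%s:%s:%s %s@%s\n' \
        "$3" "$4" "$5" "$1" "$2"
}

# shared_vpc_subnet PROJECT REGION SUBNET
# Full resource path for a subnet in a shared VPC host project, the form
# the page says to put in SUBNET_NAME.
shared_vpc_subnet() {
    printf 'projects/%s/regions/%s/subnetworks/%s\n' "$1" "$2" "$3"
}

# bastion_create_cmd NAME ZONE MACHINE_TYPE SUBNET_PATH
# gcloud command for a bastion with only an internal IP; --no-address is
# the gcloud flag that suppresses the external address the generated
# script would otherwise assign.
bastion_create_cmd() {
    printf 'gcloud compute instances create %s --zone=%s --machine-type=%s --subnet=%s --no-address\n' \
        "$1" "$2" "$3" "$4"
}

# Demo on constructed sshd_config fragments written to a temp dir.
demo() {
    d=$(mktemp -d)
    printf '#GatewayPorts no\nGatewayPorts yes\n' > "$d/enabled"
    printf '#GatewayPorts yes\nPermitRootLogin no\n' > "$d/commented_only"
    for f in enabled commented_only; do
        if check_gateway_ports "$d/$f"; then
            echo "$f: GatewayPorts enabled"
        else
            echo "$f: GatewayPorts NOT enabled; forward would bind 127.0.0.1 only"
        fi
    done
    rm -rf "$d"
    reverse_tunnel_cmd tunnel 10.0.0.5 5432 192.0.2.10 5432
    bastion_create_cmd dms-bastion us-central1-a e2-small \
        "$(shared_vpc_subnet myproject us-central1 mysubnetwork)"
}
demo
```

Run check_gateway_ports against the bastion's /etc/ssh/sshd_config before executing the generated script; a config whose only GatewayPorts line is commented out is the most common reason the Cloud SQL instance can reach the bastion but gets a connection refused on the tunnel port.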

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-09 UTC.