You can create a connection profile on its own or in the context of creating aspecific migration job. Either way, all connection profiles are available forreview and modification on the Connection profiles page, and can be reusedacross migration jobs.

Creating a source connection profile on its own is useful if theperson who has the source access information is not the same person who createsthe migration job. You can also reuse a source connection profiledefinition in multiple migration jobs. If you use the same profile for multiple migrations, you need to update themax_replication_slots parameterin the source database to account for the number of replicas you're creating.

To create a source connection profile, follow these steps:

1. Go to theConnection profiles page in the Google Cloud Console.
2. ClickCreate profile.
3. On theCreate a connection profile page, provide the following information required to connect to your source:
   1. From theProfile role list, selectSource.

   2. From theDatabase engine list, select your source database engine.

      If you selectCloud SQL for PostgreSQL from this list, then aCloud SQL instance list appears. Select the Cloud SQL instance that you want to migrate.
   3. Enter aConnection profile name. This is used in the connection profile list as well as when an existing connection profile is selected in the creation of a migration job.
   4. Keep the auto-generatedConnection profile ID.

   5. Enter aHostname orIP address.

      If the source database is hosted in Google Cloud or if a reverse SSH tunnel is used to connect the destination database to the source database, then specify the private (internal) IP address for the source database. This address will be accessible by the Cloud SQL destination. For more information, seeConfigure connectivity using VPC peering.

      For other connectivity methods, such asIP allowlist, provide the public IP address.

   6. Enter thePort that's used to access the host. The default PostgreSQL port is 5432.
4. Enter a username and password for the source database. The user must havethese privileges.

5. In theConnection profile region section of the page, select the region where you want to save the connection profile.

   Connection profiles, like all resources, are saved in a region. Region selection doesn't impact which migration jobs can use them, or which regions can connect to the data location itself, but can impact availability in the case of regional downtime.

6. Optional: If the connection is made over a public network (by using IP allowlists), then we recommend that you useSSL/TLS encryption for the connection between the source and destination databases.

   In theSecure your connection section, from theEncryption type list, you can select one of the following SSL/TLS configuration options:

   • None: The Cloud SQL destination instance connects to the source database without encryption. We recommend that you don't use this option if your database requires encrypted connections.
   • Basic: The Cloud SQL destination instance connects to the source database with encryption but doesn't verify the certificate authority (CA).This option is the default for Microsoft Azure sources. Microsoft Azure sourcesrequire that all client connections use SSL/TLS encryption. At minimum, Microsoft Azure connection profiles must use basic encryption. If you don't want to use encryption to connect to the source, setrequire_secure_transport tooff. For more information about therequire_secure_transport setting, seeConfigure your source.

   • TLS authentication: When the Cloud SQL destination instance connects to the source database, the instance authenticates the source, ensuring that the instance is connecting to the correct host securely. This prevents person-in-the-middle (PITM) attacks. For TLS authentication, the source doesn't authenticate the instance.

     To use TLS authentication, you must provide the x509 PEM-encoded certificate of the CA that signed the external server's certificate.

     For more information about creating certificates and keys for your external server, see Creating SSL and RSA Certificates and Keys using MySQL.
   • mTLS authentication: When the destination instance connects to the source, the instance authenticates the source and the source authenticates the instance.

     mTLS authentication provides the strongest security. However, if you don't want to provide the client certificate and private key when you create the Cloud SQL destination instance, you can still use TLS authentication.

     To use mTLS authentication, you must provide the following items when you create the destination connection profile:

     • The certificate of the CA that signed the source database server's certificate (the CA certificate).
     • The certificate used by the instance to authenticate against the source database server (the client certificate).
     • The private key associated with the client certificate (the client key).

For more information about creating certificates and keys for your source database server, seeSecure TCP/IP Connections with SSL.

If you're having trouble uploading the key, then select theEnter manually option, and copy and paste the key into the text area.

7. ClickCreate at the bottom of the page.

   TheConnection profiles page appears, and the newly created connection profile is displayed.