
Enforce SSL/TLS Encryption for AlloyDB Instance Database Connections


Risk Level: High (not acceptable risk)
Rule ID: AlloyDB-001

Ensure that your Google Cloud Platform (GCP) AlloyDB instances are configured with SSL enforcement mode set to ENCRYPTED_ONLY to ensure that all database connections use SSL/TLS encryption. By default, AlloyDB instances are configured to accept only SSL-encrypted connections, providing secure, authenticated, and encrypted communications between database clients and the database server. However, instances can be configured to allow unencrypted connections through the ALLOW_UNENCRYPTED_AND_ENCRYPTED mode, which introduces significant security risks by permitting plaintext database traffic.

Security

By enforcing SSL/TLS encryption for AlloyDB database connections, organizations protect sensitive data in transit from interception and unauthorized access, ensuring compliance with data protection regulations and security best practices. Without SSL enforcement, database connections transmit data in plaintext across the network, exposing sensitive information including authentication credentials, query contents, application data, and query results to anyone with network access. This creates severe security vulnerabilities including credential theft (usernames and passwords transmitted in clear text), data breaches (confidential business data visible to network attackers), compliance violations (failure to meet encryption requirements of PCI DSS, HIPAA, SOC 2, and GDPR), and man-in-the-middle attacks (attackers can intercept and modify database traffic). AlloyDB instances configured with ALLOW_UNENCRYPTED_AND_ENCRYPTED mode permit clients to connect without SSL, creating a pathway for insecure connections even if secure connections are available. Enforcing ENCRYPTED_ONLY mode ensures that all database clients must use SSL/TLS, preventing configuration errors, legacy application vulnerabilities, and malicious actors from establishing unencrypted connections.

Important: Enforcing ENCRYPTED_ONLY mode requires that all database clients are configured to connect using SSL/TLS. Applications and tools that do not support SSL connections or are not properly configured with SSL certificates will be unable to connect to the database. Before enabling SSL enforcement on production instances, verify that all client applications, database tools, monitoring systems, and backup solutions are configured to use SSL connections.


Audit

To determine if your AlloyDB instances are configured to enforce SSL/TLS encryption for database connections, perform the following operations:

Using GCP Console

  1. Sign in to Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

  3. Navigate to AlloyDB console available at https://console.cloud.google.com/alloydb/clusters (or search for "AlloyDB" in the search bar, or navigate via the hamburger menu under Databases > AlloyDB for PostgreSQL).

  4. On the Clusters page, select the AlloyDB cluster you want to examine.

  5. In the instance details page, locate the Connectivity section from the side panel menu.

  6. Review the Security section and verify that Network Security shows Require SSL Encryption and that SSL Connection Required is set to Yes.

  7. If the Network Security is set to Allow Unencrypted Connections and the SSL Connection Required is set to No, the configuration is not compliant.

  8. Repeat steps no. 4 – 7 for each AlloyDB cluster and instance in the selected project.

  9. Repeat steps no. 2 – 8 for each project available within your Google Cloud account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) to list all the project IDs available in your Google Cloud account:

    gcloud projects list \
        --format="table(projectId)"
    
  2. The command output should return the requested GCP project identifiers:

    PROJECT_ID
    cc-alloydb-project-112233
    cc-production-project-445566
    
  3. Run alloydb clusters list command (Windows/macOS/Linux) to list all AlloyDB clusters in the selected project:

    gcloud alloydb clusters list \
        --project cc-alloydb-project-112233 \
        --format="table(name,state)"
    
  4. The command output should return the cluster names:

    NAME                    STATE
    cc-production-cluster   READY
    cc-analytics-cluster    READY
    
  5. Run alloydb instances list command (Windows/macOS/Linux) to list all instances in each cluster:

    gcloud alloydb instances list \
        --cluster=cc-production-cluster \
        --region=us-central1 \
        --project cc-alloydb-project-112233 \
        --format="table(name,instanceType,state)"
    
  6. The command output should return the instance details:

    NAME                        INSTANCE_TYPE   STATE
    cc-production-cluster-pr    PRIMARY         READY
    cc-production-cluster-r1    READ_POOL       READY
    
  7. Run alloydb instances describe command (Windows/macOS/Linux) to get the SSL configuration for each instance:

    gcloud alloydb instances describe cc-production-cluster-pr \
        --cluster=cc-production-cluster \
        --region=us-central1 \
        --project cc-alloydb-project-112233 \
        --format="json(clientConnectionConfig.sslConfig.sslMode)"
    
  8. The command output should return the SSL mode configuration:

    {
        "clientConnectionConfig": {
            "sslConfig": {
                "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
            }
        }
    }
    
  9. Review the sslMode value in the command output. If the sslMode is set to ALLOW_UNENCRYPTED_AND_ENCRYPTED, the instance allows unencrypted connections and does not enforce SSL encryption, therefore the configuration is not compliant.

  10. If the sslMode is set to ENCRYPTED_ONLY, i.e. the output shows:

    {
        "clientConnectionConfig": {
            "sslConfig": {
                "sslMode": "ENCRYPTED_ONLY"
            }
        }
    }

    the instance enforces SSL encryption for all database connections and the configuration is compliant.

  11. Repeat steps no. 7 – 10 for each AlloyDB instance in the cluster, including both PRIMARY and READ_POOL instances.

  12. Repeat steps no. 5 – 11 for each AlloyDB cluster in the selected project.

  13. Repeat steps no. 3 – 12 for each project available within your Google Cloud account.

Remediation / Resolution

To enforce SSL/TLS encryption for your AlloyDB instance database connections, you must configure the SSL mode to ENCRYPTED_ONLY to prevent unencrypted connections. Perform the following operations:

Using GCP Console

  1. Step 1: Enable SSL Enforcement via Console

    Sign in to Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that contains the AlloyDB instance from the console top navigation bar.

  3. Navigate to AlloyDB console available at https://console.cloud.google.com/alloydb/clusters (or search for "AlloyDB" in the search bar, or navigate via the hamburger menu under Databases > AlloyDB for PostgreSQL).

  4. On the Clusters page, locate and click on the cluster containing the instance you want to configure.

  5. In the Overview tab, locate the instance you want to configure, click on the three-dot menu (⋮) next to the instance name, and select Edit.

  6. In the instance configuration editor, locate the Network Security section.

  7. Enable the option Require SSL Encryption by clicking on the radio button.

  8. Review the configuration changes to ensure only the SSL setting is being modified.

  9. Click Update instance to apply the SSL enforcement configuration.

  10. Step 2: Verify SSL Enforcement

    In the instance details page, locate the Connectivity section from the side panel menu.

  11. Review the Security section to verify that Network Security is set to Require SSL Encryption and that SSL Connection Required is set to Yes.

  12. Repeat steps no. 1 – 11 for each AlloyDB instance (including read pool instances if applicable) in the cluster.

  13. Repeat steps no. 1 – 12 for each AlloyDB cluster in the selected project.

  14. Repeat steps no. 1 – 13 for each project available within your Google Cloud account.

Using GCP CLI

  1. Step 1: Enable SSL Enforcement via CLI

    Run alloydb instances update command (Windows/macOS/Linux) to set the SSL mode to ENCRYPTED_ONLY:

    gcloud alloydb instances update cc-production-cluster-pr \
        --cluster=cc-production-cluster \
        --region=us-central1 \
        --project cc-alloydb-project-112233 \
        --ssl-mode=ENCRYPTED_ONLY
    
  2. The command will initiate the instance update operation. Wait for the operation to complete:

    Operation ID: operation-1768813613132-648ba0315a8ff-a6f62cfa-2102f98e
    
  3. The update operation may take several minutes. Monitor the operation status until it completes successfully, then verify the instance configuration.

  4. Step 2: Verify SSL Enforcement Configuration

    Run alloydb instances describe command (Windows/macOS/Linux) to verify that SSL enforcement is enabled:

    gcloud alloydb instances describe cc-production-cluster-pr \
        --cluster=cc-production-cluster \
        --region=us-central1 \
        --project cc-alloydb-project-112233 \
        --format="json(clientConnectionConfig.sslConfig.sslMode)"
    
  5. The command output should confirm that SSL mode is set to ENCRYPTED_ONLY:

    {
        "clientConnectionConfig": {
            "sslConfig": {
                "sslMode": "ENCRYPTED_ONLY"
            }
        }
    }
    
  6. Verify that the output shows "sslMode": "ENCRYPTED_ONLY". If the output shows a different value, repeat the update command.

  7. Step 3: Apply to All Instances

    Repeat steps no. 1 – 6 for each AlloyDB instance in the cluster, including read pool instances:

    gcloud alloydb instances update cc-production-cluster-r1 \
        --cluster=cc-production-cluster \
        --region=us-central1 \
        --project cc-alloydb-project-112233 \
        --ssl-mode=ENCRYPTED_ONLY
    
  8. Repeat steps no. 1 – 7 for each AlloyDB cluster in the selected project.

  9. Repeat steps no. 1 – 8 for each project available within your Google Cloud account.
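The CLI audit loop (steps 1 – 13 of the audit section) and the per-instance remediation above, combined into one script. This is an added example, not code from the Conformity page or from Google; it assumes an authenticated gcloud and that `value(name)` returns full resource names, and the two JSON samples are constructed to mirror the describe output shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the Conformity page or Google's tooling: walks every
# project/cluster/instance as in the CLI audit steps and reports the sslMode,
# optionally applying the remediation. Assumes an authenticated gcloud; the
# JSON samples below are constructed to mirror the describe output on the page.
set -u

# Print the sslMode value found in `instances describe` JSON, or MISSING when
# the field is absent (an absent field is treated as non-compliant, not a pass).
ssl_mode_of() {
  printf '%s\n' "$1" | sed -n 's/.*"sslMode": *"\([A-Z_]*\)".*/\1/p' | head -n 1 | grep . || echo MISSING
}

# Succeed (exit 0) only for ENCRYPTED_ONLY; ALLOW_UNENCRYPTED_AND_ENCRYPTED fails.
ssl_mode_compliant() {
  [ "$(ssl_mode_of "$1")" = "ENCRYPTED_ONLY" ]
}

# Constructed samples matching the two outputs shown in the audit section.
SAMPLE_NONCOMPLIANT='{"clientConnectionConfig":{"sslConfig":{"sslMode":"ALLOW_UNENCRYPTED_AND_ENCRYPTED"}}}'
SAMPLE_COMPLIANT='{"clientConnectionConfig":{"sslConfig":{"sslMode":"ENCRYPTED_ONLY"}}}'

# Audit steps 1-13 in one pass; set FIX=1 to also run the remediation update on
# each non-compliant instance (only after all clients are confirmed SSL-ready).
audit_all() {
  local project path region cluster inst json mode status
  for project in $(gcloud projects list --format="value(projectId)"); do
    # Assumption: value(name) yields projects/P/locations/REGION/clusters/NAME.
    for path in $(gcloud alloydb clusters list --project "$project" --format="value(name)"); do
      region=${path#*/locations/}; region=${region%%/*}; cluster=${path##*/}
      for inst in $(gcloud alloydb instances list --cluster="$cluster" --region="$region" \
                      --project "$project" --format="value(name)"); do
        inst=${inst##*/}
        json=$(gcloud alloydb instances describe "$inst" --cluster="$cluster" --region="$region" \
                 --project "$project" --format="json(clientConnectionConfig.sslConfig.sslMode)")
        mode=$(ssl_mode_of "$json")
        if ssl_mode_compliant "$json"; then status=COMPLIANT; else status=NON_COMPLIANT; fi
        printf '%s %s %s %s %s %s\n' "$project" "$cluster" "$region" "$inst" "$mode" "$status"
        if [ "${FIX:-0}" = "1" ] && [ "$status" = "NON_COMPLIANT" ]; then
          gcloud alloydb instances update "$inst" --cluster="$cluster" --region="$region" \
            --project "$project" --ssl-mode=ENCRYPTED_ONLY
        fi
      done
    done
  done
}

# Only call gcloud when explicitly asked, so the functions stay testable offline.
if [ "${RUN_AUDIT:-0}" = "1" ]; then audit_all; fi
```

Run with `RUN_AUDIT=1 ./audit_alloydb_ssl.sh` to report, and add `FIX=1` to also set ENCRYPTED_ONLY on each non-compliant instance.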

Publication date Jan 22, 2026