Use source private IP connectivity with a reverse proxy
Stay organized with collections
Save and categorize content based on your preferences.
This page explains how to set up a reverse proxy on a Compute Engine
Virtual Machine (VM) to facilitate source private connectivity for
heterogeneous SQL Server migrations.
A reverse proxy VM is required when you want to use
private IP connectivity with a source that resides
in a different Virtual Private Cloud network than the one where you
create the private connectivity configuration. For example,
you configure this reverse proxy for Cloud SQL sources.
Set up a reverse proxy
To create a Compute Engine VM to host the proxy, follow these steps:
After you connect to the machine, create the necessary iptables
routing to forward the traffic. You can use the following script.
Before using any of the command data below, make the following replacements:
SOURCE_PRIVATE_IP with
the private IP address of your source instance.
PORT with the port number where
your source SQL Server instance is listening for connections.
#! /bin/bashexportDB_ADDR=SOURCE_PRIVATE_IPexportDB_PORT=PORT# Enable the VM to receive packets whose destinations do# not match any running process local to the VMecho1>/proc/sys/net/ipv4/ip_forward
# Ask the Metadata server for the IP address of the VM nic0# network interface:md_url_prefix="http://169.254.169.254/computeMetadata/v1/instance"vm_nic_ip="$(curl-H"Metadata-Flavor: Google"${md_url_prefix}/network-interfaces/0/ip)"# Clear any existing iptables NAT table entries (all chains):
iptables-tnat-F
# Create a NAT table entry in the prerouting chain, matching# any packets with destination database port, changing the destination# IP address of the packet to your source instance IP address:
iptables-tnat-APREROUTING\-ptcp--dport$DB_PORT\-jDNAT\--to-destination$DB_ADDR# Create a NAT table entry in the postrouting chain, matching# any packets with destination database port, changing the source IP# address of the packet to the NAT VM's primary internal IPv4 address:
iptables-tnat-APOSTROUTING\-ptcp--dport$DB_PORT\-jSNAT\--to-source$vm_nic_ip# Save iptables configuration:
iptables-save
Your proxy VM is now running. Continue with the rest of the steps
required for your source connectivity.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document explains how to set up a reverse proxy on a Compute Engine VM to enable private IP connectivity for heterogeneous SQL Server migrations to Cloud SQL for PostgreSQL.\u003c/p\u003e\n"],["\u003cp\u003eA reverse proxy VM is necessary when the source resides in a different Virtual Private Cloud network than the private connectivity configuration, such as for Cloud SQL sources.\u003c/p\u003e\n"],["\u003cp\u003eThe setup involves creating a Linux VM instance in Compute Engine and configuring \u003ccode\u003eiptables\u003c/code\u003e routing to forward traffic to the source instance using a provided script, which requires specific variable replacements.\u003c/p\u003e\n"],["\u003cp\u003eThe Database Migration Service feature discussed here is in Pre-GA and is subject to the "Pre-GA Offerings Terms" with limited support.\u003c/p\u003e\n"]]],[],null,["# Use source private IP connectivity with a reverse proxy\n\nThis page explains how to set up a reverse proxy on a Compute Engine\nVirtual Machine (VM) to facilitate source private connectivity for\nheterogeneous SQL Server migrations.\n\nA reverse proxy VM is required when you want to use\n[private IP connectivity](/database-migration/docs/sqlserver-to-csql-pgsql/networking-methods-source#private-connectivity-for-source) with a source that resides\nin a different Virtual Private Cloud network than the one where you\n[create the private connectivity configuration](/database-migration/docs/sqlserver-to-csql-pgsql/create-private-connectivity-configuration). For example,\nyou configure this reverse proxy for Cloud SQL sources.\n\nSet up a reverse proxy\n----------------------\n\nTo create a Compute Engine VM to host the proxy, follow these steps:\n\n1. [Create a Linux VM instance in Compute Engine](/compute/docs/create-linux-vm-instance).\n2. After you connect to the machine, create the necessary `iptables`\n routing to forward the traffic. You can use the following script.\n\n Before using any of the command data below, make the following replacements:\n - \u003cvar class=\"edit\" scope=\"SOURCE_PRIVATE_IP\" translate=\"no\"\u003eSOURCE_PRIVATE_IP\u003c/var\u003e with the private IP address of your source instance.\n - \u003cvar class=\"edit\" scope=\"PORT\" translate=\"no\"\u003ePORT\u003c/var\u003e with the port number where your source SQL Server instance is listening for connections.\n\n ```bash\n #! /bin/bash\n\n export DB_ADDR=SOURCE_PRIVATE_IP\n export DB_PORT=PORT\n\n # Enable the VM to receive packets whose destinations do\n # not match any running process local to the VM\n echo 1 \u003e /proc/sys/net/ipv4/ip_forward\n\n # Ask the Metadata server for the IP address of the VM nic0\n # network interface:\n md_url_prefix=\"http://169.254.169.254/computeMetadata/v1/instance\"\n vm_nic_ip=\"$(curl -H \"Metadata-Flavor: Google\" ${md_url_prefix}/network-interfaces/0/ip)\"\n\n # Clear any existing iptables NAT table entries (all chains):\n iptables -t nat -F\n\n # Create a NAT table entry in the prerouting chain, matching\n # any packets with destination database port, changing the destination\n # IP address of the packet to your source instance IP address:\n iptables -t nat -A PREROUTING \\\n -p tcp --dport $DB_PORT \\\n -j DNAT \\\n --to-destination $DB_ADDR\n\n # Create a NAT table entry in the postrouting chain, matching\n # any packets with destination database port, changing the source IP\n # address of the packet to the NAT VM's primary internal IPv4 address:\n iptables -t nat -A POSTROUTING \\\n -p tcp --dport $DB_PORT \\\n -j SNAT \\\n --to-source $vm_nic_ip\n\n # Save iptables configuration:\n iptables-save\n ```\n\n Your proxy VM is now running. Continue with the rest of the steps\n required for your source connectivity.\n\nWhat's next\n-----------\n\n- Learn more about source connectivity methods. See\n [Source connectivity methods overview](/database-migration/docs/sqlserver-to-csql-pgsql/networking-methods-source).\n\n- To get a complete, step-by-step migration walkthrough, see\n [SQL Server to Cloud SQL for PostgreSQL migration guide](/database-migration/docs/sqlserver-to-csql-pgsql/guide)."]]
