PostgreSQL agent cannot connect to AlloyDB PostgreSQL database in GCP
The message appears in the agent log
FATAL: no pg_hba.conf entry for host "IP ADDRESS", user "USERNAME", database "postgres", no encryption
The GCP IP Address is part of the 100.64.0.0/10 address space and it is never assigned to hosts. Addresses in this range are used by NAT devices to share a smaller number of IP addresses among many devices.
In PostgreSQL the non‑SSL connection is being rejected due to GCP NAT. Either enabling SSL (sslmode=require) or changing GCP networking is going to be required because the PostgreSQL config file cannot be updated.
RESOLUTION 1
Put the FglAM in the same VPC or use Private Service Connect (PSC) to let AlloyDB see the real source IP Address.
RESOLUTION 2
Force a single static exit IP address that AlloyDB rules already trust.
RESOLUTION 3
Enable SSL in the agent with sslmode=require
Non-SSL connections require IP controls that can't be configred in AlloyDB. When SSL is turned on, then AlloyDB should let the user manage the connection in the front-end and not need IP whitelisting. It also shouldn't need PKI or certificate changes.
