Database Network Exposure
This page explains how Managed Databases can be accessed remotely at the network level depending on the architecture model.
At a Glance
By default, databases are not exposed to the public Internet. We apply secure connectivity settings out of the box, so your database is not publicly exposed unless you explicitly enable it.
| Shared Resources | Dedicated Resources | |
|---|---|---|
| Default reachability | Reachable from the Scalingo regional network | Not reachable by default (no internal or public access) |
| Internet-routable endpoint | Optional, through Internet Accessibility | Available, denied by default, allowed only via firewall |
| Private peering endpoint | Not available | Optional, through Outscale Net Peering |
| Force TLS | Disabled by default | Enabled by default |
For Shared Resources and Dedicated Resources fundamentals, see Architecture Models.
Shared Resources
Allowing Scalingo Apps To Reach a Database
Shared Resources databases are reachable from the Scalingo regional network by default. Apps running in the same region can reach the database at the network level without adding a firewall rule.
TLS and Force TLS
On Shared Resources, TLS is available, but Force TLS connections is disabled by default to maximize compatibility with application frameworks and database clients.
When Force TLS connections is enabled, the database denies any non-TLS connection, whether it comes from the Scalingo network (for example applications) or from the public Internet.
For multi-node clusters, intra-cluster communications are always encrypted and do not depend on the Force TLS connections setting. See Common Features.
Making Your Database Reachable from the Internet
Public Internet exposure is optional. To make the database reachable from the public Internet:
- Enable Force TLS.
- Enable Internet Accessibility from the database dashboard.
- Use Direct Access for client connections.
Dedicated Resources
Dedicated Resources databases provide fine-grained control over network exposure. By default, no application, external client, or peered network can reach them until you explicitly allow traffic.
Outscale Net Peering
In addition to their Internet-routable endpoint, Dedicated Resources database instances can provide a private endpoint reachable through an Outscale Net Peering from an Outscale account in the same region as the database. This creates a private connectivity path between the database network and an Outscale VPC.
This access path is useful when your workloads run outside Scalingo but inside an Outscale VPC, and you want traffic to reach the database without using the public Internet route.
How the Firewall Works
With Dedicated Resources, the database endpoint is Internet-routable, but inbound traffic is denied by default. Access is controlled through a fine-grained firewall that follows an allowlist model: every incoming connection must match an explicit rule.
Each access path requires an explicit firewall rule:
- Scalingo apps: add the matching managed firewall rule for the app region.
- Public Internet clients: allow only the required public source IP addresses or CIDR ranges.
- Outscale Net Peering: allow the private IP ranges from your own Outscale network in the firewall.
Allowing Scalingo Apps To Reach a Database
Dedicated Resources databases are not reachable from the Scalingo network by default. If a Scalingo app must connect to the database, add the managed firewall rule for the app region.
This rule allows the Scalingo regional network, so the database becomes reachable at the network level from any Scalingo app hosted in that region.
Making Your Database Reachable from External Networks
- Open only required source networks in the firewall allowlist.
- If needed, add managed rules for Scalingo regions.