Database Network Exposure
This page explains how Managed Databases can be accessed remotely at the network level depending on the architecture model.
At a Glance
By default, databases are not exposed to the public Internet. We apply secure connectivity settings out of the box, so your database is not publicly exposed unless you explicitly enable it.
| | Shared Resources | Dedicated Resources |
|---|---|---|
| Default reachability | Reachable from the Scalingo regional network | Not reachable by default (no internal or public access) |
| Public Internet access | Enable/disable, no source filtering | Denied by default, allowed only via firewall |
| Force TLS | Disabled by default | Enabled by default |
For Shared Resources and Dedicated Resources fundamentals, see Architecture Models.
Shared Resources
Allowing Scalingo Apps To Reach a Database
Shared Resources databases are reachable from the Scalingo regional network by default. Apps running in the same region can reach the database at the network level without adding a firewall rule.
TLS and Force TLS
On Shared Resources, TLS is available, but Force TLS connections is disabled by default to maximize compatibility with application frameworks and database clients.
When Force TLS connections is enabled, the database denies any non-TLS connection, whether it comes from the Scalingo network (for example applications) or from the public Internet.
For multi-node clusters, intra-cluster communications are always encrypted and do not depend on the Force TLS connections setting. See Common Features.
Making Your Database Reachable from the Internet
Public Internet exposure is optional. To make the database reachable from the public Internet:
- Enable Force TLS.
- Enable Internet Accessibility from the database dashboard.
- Use Direct Access for client connections.
Dedicated Resources
How the Firewall Works
With Dedicated Resources, the database endpoint is Internet-routable, but inbound traffic is denied by default. Access is controlled through a fine-grained firewall that follows an allowlist model: every incoming connection must match an explicit rule.
Allowing Scalingo Apps To Reach a Database
Dedicated Resources databases are not reachable from the Scalingo network by default. If a Scalingo app must connect to the database, add the managed firewall rule for the app region.
This rule allows the Scalingo regional network, so the database becomes reachable at the network level from any Scalingo app hosted in that region.
Making Your Database Reachable from the Internet
- Open only required source networks in the firewall allowlist.
- If needed, add managed rules for Scalingo regions.
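The allowlist model described under How the Firewall Works, and the advice to open only required source networks, can be checked before rules are entered in the dashboard. The following is an added example, not Scalingo code: the (label, CIDR) rule format, the function names, the review thresholds and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical rule format for this example: (label, CIDR). Not Scalingo's API.
# All addresses are constructed values from documentation ranges.
RULES = [
    ("office-vpn", "203.0.113.0/28"),
    ("ci-runner", "198.51.100.7/32"),
    ("temp-debug", "0.0.0.0/0"),   # opens the database to every source
    ("partner", "192.0.2.0/20"),   # malformed: host bits set for a /20
]

# Assumed review thresholds: flag anything broader than these prefix lengths.
MIN_PREFIX = {4: 24, 6: 48}


def audit_rules(rules):
    """Return (label, finding) pairs for rules that deserve a second look."""
    findings = []
    for label, cidr in rules:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append((label, "invalid or host bits set"))
            continue
        if net.prefixlen == 0:
            findings.append((label, "matches every source"))
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((label, "broader than review threshold"))
    return findings


def is_allowed(source_ip, rules):
    """Allowlist evaluation: permit only on an explicit match, else deny."""
    addr = ipaddress.ip_address(source_ip)
    for _label, cidr in rules:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue  # a malformed rule never grants access
        if addr.version == net.version and addr in net:
            return True
    return False  # default deny: no rule matched
```

Running `audit_rules` over a proposed rule set before applying it catches the catch-all and malformed entries that would otherwise undo the deny-by-default posture.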