Database Network Exposure

This page explains how Managed Databases can be accessed remotely at the network level depending on the architecture model.

At a Glance

By default, databases are not exposed to the public Internet. We apply secure connectivity settings out of the box, so your database is not publicly exposed unless you explicitly enable it.

  Shared Resources Dedicated Resources
Default reachability Reachable from the Scalingo regional network Not reachable by default (no internal or public access)
Internet-routable endpoint Optional, through Internet Accessibility Available, denied by default, allowed only via firewall
Private peering endpoint Not available Optional, through Outscale Net Peering
Force TLS Disabled by default Enabled by default

For Shared Resources and Dedicated Resources fundamentals, see Architecture Models.

Shared Resources

Allowing Scalingo Apps To Reach a Database

Shared Resources databases are reachable from the Scalingo regional network by default. Apps running in the same region can reach the database at the network level without adding a firewall rule.

TLS and Force TLS

On Shared Resources, TLS is available, but Force TLS connections is disabled by default to maximize compatibility with application frameworks and database clients.

When Force TLS connections is enabled, the database denies any non-TLS connection, whether it comes from the Scalingo network (for example applications) or from the public Internet.

For multi-node clusters, intra-cluster communications are always encrypted and do not depend on the Force TLS connections setting. See Common Features.

Making Your Database Reachable from the Internet

Public Internet exposure is optional. To make the database reachable from the public Internet:

  1. Enable Force TLS.
  2. Enable Internet Accessibility from the database dashboard.
  3. Use Direct Access for client connections.

Dedicated Resources

Dedicated Resources databases provide fine-grained control over network exposure. By default, no application, external client, or peered network can reach them until you explicitly allow traffic.

Outscale Net Peering

In addition to their Internet-routable endpoint, Dedicated Resources database instances can provide a private endpoint reachable through an Outscale Net Peering from an Outscale account in the same region as the database. This creates a private connectivity path between the database network and an Outscale VPC.

This access path is useful when your workloads run outside Scalingo but inside an Outscale VPC, and you want traffic to reach the database without using the public Internet route.

How the Firewall Works

With Dedicated Resources, the database endpoint is Internet-routable, but inbound traffic is denied by default. Access is controlled through a fine-grained firewall that follows an allowlist model: every incoming connection must match an explicit rule.

Each access path requires an explicit firewall rule:

Allowing Scalingo Apps To Reach a Database

Dedicated Resources databases are not reachable from the Scalingo network by default. If a Scalingo app must connect to the database, add the managed firewall rule for the app region.

This rule allows the Scalingo regional network, so the database becomes reachable at the network level from any Scalingo app hosted in that region.

Making Your Database Reachable from External Networks

  1. Open only required source networks in the firewall allowlist.
  2. If needed, add managed rules for Scalingo regions.

Suggest edits

Database Network Exposure

©2026 Scalingo