Database Network Exposure
This page explains how Managed Databases can be accessed remotely at the network level depending on the architecture model.
At a Glance
Databases are private by default. We apply secure connectivity settings out of the box, so your database is not exposed unless you explicitly enable it.
| Shared Resources | Dedicated Resources | |
|---|---|---|
| Default reachability | Reachable from the Scalingo regional network | Not reachable by default (no internal or public access) |
| Public Internet access | Enable/disable, no source filtering | Denied by default, allowed only via firewall |
| Force TLS | Disabled by default | Enabled by default |
For Shared Resources and Dedicated Resources fundamentals, see Architecture Models.
Making Your Database Reachable from the Internet
It is possible to expose your database to the public Internet, but requirements depend on your architecture model.
Shared Resources
- Enable Force TLS.
- Enable Internet Accessibility from the database dashboard.
- Use Direct Access for client connections.
See also: Shared Resources: Network Exposure.
Dedicated Resources
- Open only required source networks in the firewall allowlist.
- If needed, add managed rules for Scalingo regions.
See: Dedicated Resources: Firewalling, How the Firewall Works, Allowing Scalingo Apps To Reach a Dedicated Resources Database.
TLS and Force TLS
TLS is available on Scalingo databases, but it is not always enforced by default to maximize compatibility with application frameworks and database clients. When Force TLS connections is enabled, the database denies any non-TLS connection, whether it comes from the Scalingo network (for example applications) or from the public Internet.
For multi-node clusters, intra-cluster communications are always encrypted and do not depend on the Force TLS connections setting. See Common Features.
Shared Resources
Shared Resources databases are reachable from the Scalingo regional network by default. This default setting keeps operations simple for apps in the same region while avoiding public exposure.
Public Internet exposure is optional and controlled by the client: if Internet Accessibility is enabled, the database becomes reachable from the public Internet.
Dedicated Resources
With Dedicated Resources, the database endpoint is Internet-routable, but inbound traffic is denied by default. Access is controlled through a fine-grained firewall that follows an allowlist model: every incoming connection must match an explicit rule.
This also applies to traffic coming from the Scalingo network: if a Scalingo app must connect to the database, you still need to allow it (typically with the matching managed rule for the app region).