Connecting To a Private Tier Postgres Database From Outside of the Private Space

Issue

You have chosen to run a database inside a Private Space for increased security, but you also need to connect to this database from outside of your Heroku Private Space.

With the release of Heroku PrivateLink, there are now two methods for doing so. This article will help you decide which one is right for you.

Resolution

Heroku Trusted IPs

Trusted IPs for Data Services Beta is the older of the two methods. It lets a user enable IP allow-listing for a Heroku Data Add-On in a Private Space. The setup is relatively simple and lets a user allow-list one or many external IPs. Once an IP is allow-listed, anyone with database credentials and the ability to generate traffic from that IP can connect to your data services.

Advantages

Easy to Configure

After you submit a request to have this feature enabled, you can add the IP addresses to the Trusted IPs on the Private Space Dashboard and access your database externally from there.

All Within Heroku

Another benefit of Trusted IPs for Data Services is that the feature is contained entirely within the Heroku Platform, so there is no need for a separate account with AWS. This simplicity can be desirable for customers who want something that is easier to manage.

Disadvantages

Lack of Fine-Grained Control

While Heroku Trusted IPs for Data Services is simple to configure, it lacks the fine-grained control some apps may require. Any service generating traffic from the allow-listed IPs will have access to all data services in the space. This may not be desirable for customers whose apps require more fine-tuned segmentation of traffic between their app's components.
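
Because every allow-listed address can reach all data services in the space, it helps to review a candidate list before entering it on the dashboard. The following is an added example, not Heroku code: review_allow_list, the 16-address threshold, and the sample entries are assumptions made for illustration, and it assumes entries are written as single IPs or CIDR ranges.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_ADDRESSES = 16  # assumed review threshold, not a Heroku limit


def review_allow_list(entries, max_addresses=MAX_ADDRESSES):
    """Return [(entry, [findings])] for candidate Trusted IPs entries."""
    report, accepted = [], []
    for raw in entries:
        findings = []
        try:
            # strict=True rejects host bits set, e.g. a /24 typed where /32 was meant
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            report.append((raw, [f"invalid: {exc}"]))
            continue
        if net.prefixlen == 0:
            findings.append("admits every source address")
        elif net.num_addresses > max_addresses:
            findings.append(f"broad: {net.num_addresses} source addresses")
        if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            findings.append("RFC 1918 range: not an external source address")
        # Compare only against earlier entries of the same IP version
        dupes = [str(p) for p in accepted if p.version == net.version and p.overlaps(net)]
        if dupes:
            findings.append("overlaps " + ", ".join(dupes))
        if net not in accepted:
            accepted.append(net)
        report.append((raw, findings))
    return report


# Constructed sample input; the public addresses are documentation ranges.
SAMPLE = [
    "203.0.113.10/32",   # single egress address
    "198.51.100.0/24",   # whole provider block
    "10.1.2.0/28",       # internal range pasted by mistake
    "198.51.100.7/24",   # host bits set
    "203.0.113.10",      # duplicate of the first entry
    "0.0.0.0/0",         # no restriction at all
]

if __name__ == "__main__":
    for entry, findings in review_allow_list(SAMPLE):
        print(f"{entry:18} {'; '.join(findings) or 'ok'}")
```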

Heroku Postgres via PrivateLink

Heroku now supports the ability to access a Heroku Postgres database via AWS PrivateLink. AWS PrivateLink provides a way to secure network traffic between VPCs.

Advantages

Increased Control

With AWS PrivateLink you can limit traffic to only certain roles and users. This more complex configuration allows for more control over who can access your database.

Disadvantages

More Complex Configuration

To take advantage of Heroku Postgres via AWS PrivateLink, configuration inside of AWS is required. We detail the configuration steps in our Heroku Postgres via AWS PrivateLink Dev Center article. Some customers may not find this advanced configuration desirable.
