
Repost: A Heroku add-on that puts a PostgreSQL DB in its own virtual private cloud (from Reddit.com)
Having used Heroku extensively at my previous job I became aware of what I perceived to be a major drawback of database add-ons in Heroku's marketplace: they all seem to allow connections directly from the public internet (or at least from anywhere on AWS's network) for the sake of convenience for app developers (and probably the add-on developers too!). That way, an app developer need only retrieve the DB connection URL from the corresponding config variable (i.e. environment variable) in application code to connect to the DB. But leaving DB servers exposed to the whole world seems a clear violation of security best practices.

Heroku has a solution to this problem, of course: Private Spaces. In a private space, your app's dynos and some of its add-ons are hosted together within a virtual private cloud (VPC) that is firewalled off from the rest of the internet. It comes with a couple of important caveats, however: you have to have a Heroku Enterprise contract (which is expensive and requires you to give up the option to use some of the cheaper dyno types) and it only supports a handful of select add-ons (only first party, it seems) to be sequestered within the app's VPC.

My new add-on service aims to provide an alternative that sits somewhere between the extreme simplicity and relative inexpensiveness of DB add-ons running on the Common Runtime and the considerably more expensive Private Spaces, while offering a similar level of security as Private Spaces. It's called Borealis Isolated Postgres and it's in beta now (it's free during beta).

With my add-on, each DB server is in a PostgreSQL-compatible Amazon Aurora cluster that is isolated within its own VPC. All connections to a DB server are required to be forwarded through an SSH server that is dedicated to that VPC.

So how does an app connect? I wrote a Heroku buildpack to take care of that seamlessly (borealis/postgres-ssh). When you add the buildpack to an app, it automatically identifies any config variables from my add-on and sets up a persistent SSH local port forwarding connection to the database server using autossh. The app can then connect to the database via a standard PostgreSQL client library using the add-on's DATABASE_URL config variable without having to be aware of the SSH connection in any way. In other words, application code doesn't have to change at all to support it. If the app works with the first-party Heroku Postgres add-on, it should work with my add-on, too.

Connecting from your local machine or a CI server to a database server is also straightforward. I wrote a Heroku CLI plugin (borealis-pg-cli) with a couple of simple commands to either run DB scripts (e.g. DB migrations to be executed during CI/CD) or open a persistent tunnel locally (e.g. for ad hoc data administration). It also has a few commands for managing which PostgreSQL extensions/modules are installed, since the app user does not have privileges to do so in SQL (remember, it's a managed DB service).

During the beta all add-ons are provisioned in a multi-tenant environment to keep costs down, but when released into general availability, each premium add-on will operate in its own fully isolated VPC that is only accessible via a private SSH server. I have not yet decided whether I will continue to provide a free, multi-tenant option after GA, though.

If you're already a Heroku user, you can provision the add-on directly (for free) here. Docs are here.

Let me know what you think!
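The post describes the mechanism but not the wiring, so here is the local-port-forwarding pattern it relies on, written as an added example: this is not the borealis/postgres-ssh buildpack's code or the add-on's actual configuration. Everything concrete in it is an assumption for illustration: the bastion name bastion.example, the SSH user tunnel, the key path, the local port 15432, and the ORIGINAL_URL value are all made up. The URL helpers also assume the usual URL-encoding of credentials (no literal @ or / in the password). The idea is the one in the post: autossh keeps a tunnel to the VPC's SSH server alive, and DATABASE_URL is rewritten to point at 127.0.0.1 so a stock PostgreSQL client needs no changes.

```shell
#!/bin/sh
# Added example, not the buildpack's own code. Hostnames, user, key path and
# port below are hypothetical; only the forwarding pattern is the point.

# Split a postgres://user:pass@host:port/db URL into "host port".
# Defaults the port to 5432 when the URL omits it.
db_host_port() {
    url="$1"
    rest="${url#*://}"          # drop scheme
    rest="${rest#*@}"           # drop user:pass@ (no-op if absent)
    hostport="${rest%%/*}"      # keep host[:port]
    host="${hostport%%:*}"
    case "$hostport" in
        *:*) port="${hostport##*:}" ;;
        *)   port="5432" ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# Build the ssh -L argument: local_port:remote_host:remote_port
forward_spec() {
    local_port="$1"
    set -- $(db_host_port "$2")
    printf '%s:%s:%s\n' "$local_port" "$1" "$2"
}

# Rewrite the URL so the client talks to the tunnel's local endpoint.
# Credentials, database name and query string are kept unchanged.
localize_db_url() {
    url="$1"
    local_port="$2"
    rest="${url#*://}"
    rest="${rest#*@}"
    path="${rest#*/}"           # dbname?params
    case "$url" in
        *@*) printf '%s@127.0.0.1:%s/%s\n' "${url%%@*}" "$local_port" "$path" ;;
        *)   printf '%s://127.0.0.1:%s/%s\n' "${url%%://*}" "$local_port" "$path" ;;
    esac
}

# Start the persistent tunnel. autossh re-runs ssh when the session drops;
# -M 0 disables autossh's monitor port in favour of ssh's own keepalives.
# ExitOnForwardFailure makes a failed -L binding a hard error instead of a
# silent tunnel-less ssh session, and StrictHostKeyChecking pins the SSH
# server, which is the trust boundary in front of the database.
start_tunnel() {
    spec="$1"; ssh_user="$2"; ssh_host="$3"; key_file="$4"
    autossh -M 0 -f -N \
        -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" \
        -o "ExitOnForwardFailure yes" \
        -o "StrictHostKeyChecking yes" \
        -i "$key_file" \
        -L "$spec" "$ssh_user@$ssh_host"
}

# Constructed values; nothing is contacted unless RUN_TUNNEL=1 is set.
ORIGINAL_URL="postgres://app:s3cret@db.internal.example:5432/appdb?sslmode=require"
LOCAL_PORT=15432
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
    start_tunnel "$(forward_spec "$LOCAL_PORT" "$ORIGINAL_URL")" \
        tunnel bastion.example "$HOME/.ssh/id_ed25519"
    DATABASE_URL="$(localize_db_url "$ORIGINAL_URL" "$LOCAL_PORT")"
    export DATABASE_URL
    echo "$DATABASE_URL"
fi
```

Run with RUN_TUNNEL=1 to actually bring the tunnel up; without it the script only defines the helpers. The thing to keep in mind with this pattern is that the SSH server's host key and the tunnel user's key are now the credentials that gate database access, so the known_hosts entry for the bastion should be provisioned explicitly rather than accepted on first connect, and the tunnel should bind only to the loopback address (the default for -L) so other processes on the host cannot reach the forwarded port from the network.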