Heroku Postgres on Private and Shield Spaces
Last updated January 25, 2021
Heroku Postgres in Private Spaces is only available in Heroku Enterprise.
This article explains considerations for Heroku Postgres provisioning, plans, and connections that are specific to Private Spaces. If you have an existing Heroku Postgres database on the Common Runtime and you want to migrate it into a Private Space, see Migrating Heroku Postgres Databases to Private Spaces.
Heroku Private Spaces are dedicated environments for running applications within an isolated network. This means that every part of an application’s stack, including the dynos, data stores, and third-party add-ons, are contained within this isolated environment.
Heroku Postgres can run within a Private Space or Shield Space with a developer experience similar to that of the Common Runtime. Many of the same CLI commands and web interfaces work identically.
Private and Shield Heroku Data add-ons are not accessible to applications at build time. It is recommended that you eliminate the dependency on your private data store, use a public Heroku Data plan, or contact support for guidance.
Provisioning
Private and Shield Spaces each have their own set of Heroku Postgres plans that are unique to that types of space. You can provision databases from the hobby, standard, or premium tiers in a Private or Shield space in us-east-1 or eu-west-1 but those addons will not be automatically networked with your private space.
Create a new database
Many buildpacks provision a database as part of the Heroku build process. If you create an app within a Private or Shield Space, the smallest available private or shield plan is used by default when provisioning. See below for full lists of available private and shield tier plans.
Private Heroku Postgres databases can be provisioned via the CLI:
$ heroku addons:create heroku-postgresql:private-4 -a private-sushi
shield tier databases can only be created inside a Shield Space. private tier databases can be created in both Shield and Private Spaces.
Depending on the region and the type of database being created, the provisioning process can take up to 10 minutes before the database is available for use.
Private Tier Plans
Heroku Postgres offers a set of plans for Private Spaces. The private tier is designed for production applications that can tolerate up to 15 minutes of downtime in any given month. All private-tier databases include:
- No row limits
- Increasing amounts of in-memory cache
- Fork and follow support
- Rollback up to 7 days
- Database metrics published to application log stream
- High availability
- Automatic encryption-at-rest of all data written to disk.
| Plan Name | Provisioning Name | RAM Size | Storage Limit | Connection Limit | Monthly Price |
|---|---|---|---|---|---|
| Private 0 | heroku-postgresql:private-0 |
4 GB | 68 GB | 120 | $300 |
| Private 2 | heroku-postgresql:private-2 |
8 GB | 256 GB | 400 | $600 |
| Private 3 | heroku-postgresql:private-3 |
15 GB | 512 GB | 500 | $1000 |
| Private 4 | heroku-postgresql:private-4 |
30 GB | 768 GB | 500 | $1500 |
| Private 5 | heroku-postgresql:private-5 |
61 GB | 1 TB | 500 | $2800 |
| Private 6 | heroku-postgresql:private-6 |
122 GB | 1.5 TB | 500 | $3600 |
| Private 7 | heroku-postgresql:private-7 |
244 GB | 2 TB | 500 | $7000 |
| Private 8 | heroku-postgresql:private-8 |
488 GB | 3 TB | 500 | $10000 |
| Private 9 | heroku-postgresql:private-9 |
768 GB | 4 TB | 500 | $13000 |
Shield Tier Plans
Heroku Postgres offers a set of plans for Shield Spaces. The shield tier is designed for production applications that can tolerate up to 15 minutes of downtime in any given month. All shield tier database include:
- No row limits
- Increasing amounts of in-memory cache
- Fork and follow support
- Rollback up to 7 days
- Database metrics published to application log stream
- High availability
- Automatic encryption-at-rest of all data written to disk.
Shield tier databases differ from private tier databases and can only be used in conjunction with a Shield Space. Shield Heroku Postgres databases are meant for situations where meeting compliance is a goal of your application and business. Shield databases also have the following feature sets and restrictions:
- Non-TLS connections from dynos to shield databases are not possible. Encrypted connections are always enforced.
- Dataclips cannot connect to shield databases
- shield databases do not allow connections via
heroku pg:psqlfrom outside the Private Space - Direct access via “Trusted IPs” is not allowed for shield databases from outside the Private Space
- shield databases are monitored by additional intrusion detection and host scanning mechanisms
- PGBackups will not work with shield databases
| Plan Name | Provisioning Name | Cache Size | Storage Limit | Connection Limit | Monthly Price |
|---|---|---|---|---|---|
| Shield 0 | heroku-postgresql:shield-0 |
4 GB | 68 GB | 120 | $350 |
| Shield 2 | heroku-postgresql:shield-2 |
8 GB | 256 GB | 400 | $750 |
| Shield 3 | heroku-postgresql:shield-3 |
15 GB | 512 GB | 500 | $1200 |
| Shield 4 | heroku-postgresql:shield-4 |
30 GB | 768 GB | 500 | $1800 |
| Shield 5 | heroku-postgresql:shield-5 |
61 GB | 1 TB | 500 | $3400 |
| Shield 6 | heroku-postgresql:shield-6 |
122 GB | 1.5 TB | 500 | $4400 |
| Shield 7 | heroku-postgresql:shield-7 |
244 GB | 2 TB | 500 | $8400 |
| Shield 8 | heroku-postgresql:shield-8 |
488 GB | 3 TB | 500 | $12250 |
| Shield 9 | heroku-postgresql:shield-9 |
768 GB | 4 TB | 500 | $16000 |
Connecting to shield database via terminal
Heroku CLI command line tools like heroku pg:psql will not work when connecting to the database from your local machine because arbitrary ingress rules aren’t allowed. Instead, a database connection should be made via a Heroku Dyno assuming that the primary database is using the DATABASE_URL config var:
$ heroku run bash
Running bash on ⬢ sushi... up, run.3032 (1X)
~ $ psql $DATABASE_URL
psql (9.6.1, server 9.6.2)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
d8vbabiotc9412=>
Connecting to the database
Programming language specifics
All connections to a private database must be made with TLS/SSL. See the Heroku Postgres connection documentation, which has examples for Java, Ruby, JRuby, Python, Go, PHP and Node.js.
Connecting to Amazon VPCs via AWS PrivateLink
You can use PrivateLink to connect to a Private or Shield Heroku Postgres Database from an Amazon VPC. See Connecting to a Private or Shield Heroku Postgres Database via PrivateLink for details.
Connecting via mTLS
You can use Mutual TLS to create a secure and mutually authenticated channel between an external resource and a Heroku Postgres database running in a Private Space or a Shield Private Space. See Connecting to a Private or Shield Heroku Postgres Database from an External Resource for details.
Connecting from Heroku Runtimes
Connections to a database instance with a private plan can only be made within a private space. Connections cannot be made from other private spaces (and private space databases cannot be attached across space boundaries), or from the common runtime.
If you need to be able to connect to a database from a different private space or from the Common Runtime, you may want a database instance with a non-private plan, which will live in the Common Runtime.
Using the CLI
Unlike the Heroku Postgres databases in our hobby, standard, and premium tiers, private and shield databases cannot be directly accessed via a local computer.
For access to a private plan Heroku Postgres database, you can use heroku pg:psql. This ensures that you have the correct authorization to connect to the database across the isolated network boundary.
For access to a shield plan Heroku Postgres database, you cannot use heroku pg:psql and can only access the database via a dyno in your shield space.
Trusted IPs for data
Trusted IPs for data are a feature of Private Plans in Private Spaces. Databases in Shield Private Spaces cannot use Trusted IPs.
If a direct connection must be made to a Heroku Postgres private plan database from outside the private space boundary, the Trusted IPs feature of Private Spaces can be used to enable the connection. For Trusted IPs to be used for direct connections, the Private Space must be allowlisted by Heroku to enable the functionality. Please open a support ticket via one of the Heroku Support channels to discuss use cases and ability to have your private space included. More details on Trusted IPs for data services (Heroku Postgres, Heroku Redis and Apache Kafka on Heroku) can be found in the Private Spaces documentation.