Skip Navigation
Show nav
Heroku Dev Center
  • Get Started
  • Documentation
  • Changelog
  • Search
  • Get Started
    • Node.js
    • Ruby on Rails
    • Ruby
    • Python
    • Java
    • PHP
    • Go
    • Scala
    • Clojure
  • Documentation
  • Changelog
  • More
    Additional Resources
    • Home
    • Elements
    • Products
    • Pricing
    • Careers
    • Help
    • Status
    • Events
    • Podcasts
    • Compliance Center
    Heroku Blog

    Heroku Blog

    Find out what's new with Heroku on our blog.

    Visit Blog
  • Log inorSign up
View categories

Categories

  • Heroku Architecture
    • Dynos (app containers)
    • Stacks (operating system images)
    • Networking & DNS
    • Platform Policies
    • Platform Principles
  • Command Line
  • Deployment
    • Deploying with Git
    • Deploying with Docker
    • Deployment Integrations
  • Continuous Delivery
    • Continuous Integration
  • Language Support
    • Node.js
    • Ruby
      • Rails Support
      • Working with Bundler
    • Python
      • Background Jobs in Python
      • Working with Django
    • Java
      • Working with Maven
      • Java Database Operations
      • Working with the Play Framework
      • Working with Spring Boot
      • Java Advanced Topics
    • PHP
    • Go
      • Go Dependency Management
    • Scala
    • Clojure
  • Databases & Data Management
    • Heroku Postgres
      • Postgres Basics
      • Postgres Getting Started
      • Postgres Performance
      • Postgres Data Transfer & Preservation
      • Postgres Availability
      • Postgres Special Topics
    • Heroku Data For Redis
    • Apache Kafka on Heroku
    • Other Data Stores
  • Monitoring & Metrics
    • Logging
  • App Performance
  • Add-ons
    • All Add-ons
  • Collaboration
  • Security
    • App Security
    • Identities & Authentication
    • Compliance
  • Heroku Enterprise
    • Private Spaces
      • Infrastructure Networking
    • Enterprise Accounts
    • Enterprise Teams
    • Heroku Connect (Salesforce sync)
      • Heroku Connect Administration
      • Heroku Connect Reference
      • Heroku Connect Troubleshooting
    • Single Sign-on (SSO)
  • Patterns & Best Practices
  • Extending Heroku
    • Platform API
    • App Webhooks
    • Heroku Labs
    • Building Add-ons
      • Add-on Development Tasks
      • Add-on APIs
      • Add-on Guidelines & Requirements
    • Building CLI Plugins
    • Developing Buildpacks
    • Dev Center
  • Accounts & Billing
  • Troubleshooting & Support
  • Integrating with Salesforce
  • Heroku Enterprise
  • Private Spaces
  • Heroku Postgres on Private and Shield Spaces

Heroku Postgres on Private and Shield Spaces

English — 日本語に切り替える

Last updated December 15, 2022

Table of Contents

  • Provisioning
  • Private Tier Plans
  • Shield Tier Plans
  • Connecting to the Database

Heroku Postgres in Private Spaces is only available in Heroku Enterprise.

This article explains considerations for Heroku Postgres provisioning, plans, and connections that are specific to Private Spaces. If you have an existing Heroku Postgres database on the Common Runtime and you want to migrate it into a Private Space, see Migrating Heroku Postgres Databases to Private Spaces.

Heroku Private Spaces are dedicated environments for running applications within an isolated network. This means that every part of an application’s stack, including the dynos, data stores, and third-party add-ons, are contained within this isolated environment.

Heroku Postgres can run within a Private Space or Shield Space with a developer experience similar to that of the Common Runtime. Many of the same CLI commands and web interfaces work identically.

Private and Shield Heroku Data add-ons aren’t accessible to applications at build time. It’s recommended that you eliminate the dependency on your private data store, use a public Heroku Data plan, or contact support for guidance.

Provisioning

Private and Shield Spaces each have their own set of Heroku Postgres plans that are unique to that type of space. You can provision databases from the Essential, Standard, or Premium tiers in a Private or Shield space in us-east-1 or eu-west-1. Those add-ons won’t be automatically networked with your private space.

Create a New Database

Many buildpacks provision a database as part of the Heroku build process. If you create an app within a Private or Shield Space, the smallest available private or shield plan is used by default when provisioning. See the following for full lists of available Private and Shield tier plans.

Private Heroku Postgres databases can be provisioned via the CLI:

$ heroku addons:create heroku-postgresql:private-4 -a private-sushi

shield tier databases can only be created inside a Shield Space. private tier databases can be created in both Shield and Private Spaces.

Depending on the region and the type of database being created, the provisioning process can take up to 10 minutes before the database is available for use.

Private Tier Plans

Heroku Postgres offers a set of plans for Private Spaces. The private tier is designed for production applications that can tolerate up to 15 minutes of downtime in any given month. All private-tier databases include:

  • No row limits
  • Increasing amounts of in-memory cache
  • Fork and follow support
  • Rollback up to 7 days
  • Database metrics published to application log stream
  • High availability
  • Automatic encryption-at-rest of all data written to disk
Plan Name Provisioning Name RAM Size Storage Limit Connection Limit Monthly Price
Private 0 heroku-postgresql:private-0 4 GB 68 GB 120 $300
Private 2 heroku-postgresql:private-2 8 GB 256 GB 400 $600
Private 3 heroku-postgresql:private-3 15 GB 512 GB 500 $1000
Private 4 heroku-postgresql:private-4 30 GB 768 GB 500 $1500
Private 5 heroku-postgresql:private-5 61 GB 1 TB 500 $2800
Private 6 heroku-postgresql:private-6 122 GB 1.5 TB 500 $3600
Private 7 heroku-postgresql:private-7 244 GB 2 TB 500 $7000
Private 8 heroku-postgresql:private-8 488 GB 3 TB 500 $10000
Private 9 heroku-postgresql:private-9 768 GB 4 TB 500 $13000

Shield Tier Plans

Heroku Postgres offers a set of plans for Shield Spaces. The shield tier is designed for production applications that can tolerate up to 15 minutes of downtime in any given month. All shield tier database include:

  • No row limits
  • Increasing amounts of in-memory cache
  • Fork and follow support
  • Rollback up to 7 days
  • Database metrics published to application log stream
  • High availability
  • Automatic encryption-at-rest of all data written to disk

Shield tier databases differ from private tier databases and can only be used in conjunction with a Shield Space. Shield Heroku Postgres databases are meant for situations where meeting compliance is a goal of your application and business. Shield databases also have the following feature sets and restrictions:

  • Non-TLS connections from dynos to shield databases aren’t possible. Encrypted connections are always enforced.
  • Dataclips can’t connect to shield databases
  • shield databases don’t allow connections via heroku pg:psql from outside the Private Space
  • Direct access via “Trusted IPs” isn’t allowed for shield databases from outside the Private Space
  • shield databases are monitored by additional intrusion detection and host scanning mechanisms
  • PGBackups don’t work with shield databases
  • shield databases can’t have forks or followers in non-shield spaces.
  • pg:diagnose and the Diagnose tab of the Heroku Data dashboard are unavailable
Plan Name Provisioning Name Cache Size Storage Limit Connection Limit Monthly Price
Shield 0 heroku-postgresql:shield-0 4 GB 68 GB 120 $350
Shield 2 heroku-postgresql:shield-2 8 GB 256 GB 400 $750
Shield 3 heroku-postgresql:shield-3 15 GB 512 GB 500 $1200
Shield 4 heroku-postgresql:shield-4 30 GB 768 GB 500 $1800
Shield 5 heroku-postgresql:shield-5 61 GB 1 TB 500 $3400
Shield 6 heroku-postgresql:shield-6 122 GB 1.5 TB 500 $4400
Shield 7 heroku-postgresql:shield-7 244 GB 2 TB 500 $8400
Shield 8 heroku-postgresql:shield-8 488 GB 3 TB 500 $12250
Shield 9 heroku-postgresql:shield-9 768 GB 4 TB 500 $16000

Connecting to Shield Database via Terminal

Heroku CLI command line tools like heroku pg:psql don’t work when connecting to the database from your local machine because arbitrary ingress rules aren’t allowed. Instead, a database connection must be made via a Heroku Dyno assuming that the primary database is using the DATABASE_URL config var:

$ heroku run bash
Running bash on ⬢ sushi... up, run.3032 (1X)

~ $ psql $DATABASE_URL
psql (9.6.1, server 9.6.2)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

d8vbabiotc9412=>

Connecting to the Database

Programming Language Specifics

All connections to a private database must be made with TLS/SSL. See the Heroku Postgres connection documentation, which has examples for Java, Ruby, JRuby, Python, Go, PHP, and Node.js.

Connecting to Amazon VPCs via AWS PrivateLink

You can use PrivateLink to connect to a Private or Shield Heroku Postgres Database from an Amazon VPC. See Connecting to a Private or Shield Heroku Postgres Database via PrivateLink for details.

Connecting via mTLS

You can use Mutual TLS to create a secure and mutually authenticated channel between an external resource and a Heroku Postgres database running in a Private Space or a Shield Private Space. See Connecting to a Private or Shield Heroku Postgres Database from an External Resource for details.

Connecting from Heroku Runtimes

Connections to a database instance with a private plan can only be made within a private space. Connections can’t be made from other private spaces (and private space databases can’t be attached across space boundaries), or from the common runtime.

Diagram showing private space database access

If you must connect to a database from a different private space or from the Common Runtime, you want a database instance with a non-private plan, which lives in the Common Runtime.

Diagram showing common runtime database access

You can also use mTLS to connect to a database from a different private space. See Connecting to a Private or Shield Heroku Postgres Database from an External Resource for details.

If you’re connecting to a database in one region from a private space in another region, there can be increased latency.

Using the CLI

Unlike the Heroku Postgres databases in our other tiers, you can’t access Private and Shield databases via a local computer.

For access to a private plan Heroku Postgres database, you can use heroku pg:psql. This ensures that you have the correct authorization to connect to the database across the isolated network boundary.

For access to a shield plan Heroku Postgres database, you can’t use heroku pg:psql and can only access the database via a dyno in your shield space.

Trusted IPs for Data

Trusted IPs for data are a feature of Private Plans in Private Spaces. Databases in Shield Private Spaces can’t use Trusted IPs.

If you must make a direct connection to a Heroku Postgres private plan database from outside the Private Space boundary, use the Trusted IPs feature of Private Spaces to enable the connection. To use Trusted IPs for direct connections, Heroku must allowlist your Private Space to enable the functionality. Open a support ticket to discuss use cases and ability to have your Private Space included. See more details on Trusted IPs for data services (Heroku Postgres, Heroku Data for Redis and Apache Kafka on Heroku) in the Private Spaces documentation.

Keep reading

  • Private Spaces

Feedback

Log in to submit feedback.

Shield Private Spaces Heroku Private Spaces

Information & Support

  • Getting Started
  • Documentation
  • Changelog
  • Compliance Center
  • Training & Education
  • Blog
  • Podcasts
  • Support Channels
  • Status

Language Reference

  • Node.js
  • Ruby
  • Java
  • PHP
  • Python
  • Go
  • Scala
  • Clojure

Other Resources

  • Careers
  • Elements
  • Products
  • Pricing

Subscribe to our monthly newsletter

Your email address:

  • RSS
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku Blog
    • Heroku News Blog
    • Heroku Engineering Blog
  • Heroku Podcasts
  • Twitter
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku
    • Heroku Status
  • Facebook
  • Instagram
  • Github
  • LinkedIn
  • YouTube
Heroku is acompany

 © Salesforce.com

  • heroku.com
  • Terms of Service
  • Privacy
  • Cookies
  • Cookie Preferences