Heroku Postgres on Private and Shield Spaces

Last updated January 25, 2021

Table of Contents

  • Provisioning
  • Private Tier Plans
  • Shield Tier Plans
  • Connecting to the database

Heroku Postgres in Private Spaces is only available in Heroku Enterprise.

This article explains considerations for Heroku Postgres provisioning, plans, and connections that are specific to Private Spaces. If you have an existing Heroku Postgres database on the Common Runtime and you want to migrate it into a Private Space, see Migrating Heroku Postgres Databases to Private Spaces.

Heroku Private Spaces are dedicated environments for running applications within an isolated network. This means that every part of an application’s stack, including the dynos, data stores, and third-party add-ons, is contained within this isolated environment.

Heroku Postgres can run within a Private Space or Shield Space with a developer experience similar to that of the Common Runtime. Many of the same CLI commands and web interfaces work identically.

Private and Shield Heroku Data add-ons are not accessible to applications at build time. It is recommended that you eliminate the dependency on your private data store, use a public Heroku Data plan, or contact support for guidance.

Provisioning

Private and Shield Spaces each have their own set of Heroku Postgres plans that are unique to that type of space. You can provision databases from the hobby, standard, or premium tiers in a Private or Shield Space in us-east-1 or eu-west-1, but those add-ons will not be automatically networked with your Private Space.

Create a new database

Many buildpacks provision a database as part of the Heroku build process. If you create an app within a Private or Shield Space, the smallest available private or shield plan is used by default when provisioning. See below for full lists of available private and shield tier plans.

Private Heroku Postgres databases can be provisioned via the CLI:

$ heroku addons:create heroku-postgresql:private-4 -a private-sushi

shield tier databases can only be created inside a Shield Space. private tier databases can be created in both Shield and Private Spaces.

Depending on the region and the type of database being created, the provisioning process can take up to 10 minutes before the database is available for use.

Private Tier Plans

Heroku Postgres offers a set of plans for Private Spaces. The private tier is designed for production applications that can tolerate up to 15 minutes of downtime in any given month. All private-tier databases include:

  • No row limits
  • Increasing amounts of in-memory cache
  • Fork and follow support
  • Rollback up to 7 days
  • Database metrics published to application log stream
  • High availability
  • Automatic encryption-at-rest of all data written to disk.

| Plan Name | Provisioning Name | RAM Size | Storage Limit | Connection Limit | Monthly Price |
|---|---|---|---|---|---|
| Private 0 | heroku-postgresql:private-0 | 4 GB | 68 GB | 120 | $300 |
| Private 2 | heroku-postgresql:private-2 | 8 GB | 256 GB | 400 | $600 |
| Private 3 | heroku-postgresql:private-3 | 15 GB | 512 GB | 500 | $1000 |
| Private 4 | heroku-postgresql:private-4 | 30 GB | 768 GB | 500 | $1500 |
| Private 5 | heroku-postgresql:private-5 | 61 GB | 1 TB | 500 | $2800 |
| Private 6 | heroku-postgresql:private-6 | 122 GB | 1.5 TB | 500 | $3600 |
| Private 7 | heroku-postgresql:private-7 | 244 GB | 2 TB | 500 | $7000 |
| Private 8 | heroku-postgresql:private-8 | 488 GB | 3 TB | 500 | $10000 |
| Private 9 | heroku-postgresql:private-9 | 768 GB | 4 TB | 500 | $13000 |

Shield Tier Plans

Heroku Postgres offers a set of plans for Shield Spaces. The shield tier is designed for production applications that can tolerate up to 15 minutes of downtime in any given month. All shield tier databases include:

  • No row limits
  • Increasing amounts of in-memory cache
  • Fork and follow support
  • Rollback up to 7 days
  • Database metrics published to application log stream
  • High availability
  • Automatic encryption-at-rest of all data written to disk.

Shield tier databases differ from private tier databases and can only be used in conjunction with a Shield Space. Shield Heroku Postgres databases are meant for situations where meeting compliance is a goal of your application and business. Shield databases also have the following feature sets and restrictions:

  • Non-TLS connections from dynos to shield databases are not possible. Encrypted connections are always enforced.
  • Dataclips cannot connect to shield databases
  • shield databases do not allow connections via heroku pg:psql from outside the Private Space
  • Direct access via “Trusted IPs” is not allowed for shield databases from outside the Private Space
  • shield databases are monitored by additional intrusion detection and host scanning mechanisms
  • PGBackups will not work with shield databases

| Plan Name | Provisioning Name | Cache Size | Storage Limit | Connection Limit | Monthly Price |
|---|---|---|---|---|---|
| Shield 0 | heroku-postgresql:shield-0 | 4 GB | 68 GB | 120 | $350 |
| Shield 2 | heroku-postgresql:shield-2 | 8 GB | 256 GB | 400 | $750 |
| Shield 3 | heroku-postgresql:shield-3 | 15 GB | 512 GB | 500 | $1200 |
| Shield 4 | heroku-postgresql:shield-4 | 30 GB | 768 GB | 500 | $1800 |
| Shield 5 | heroku-postgresql:shield-5 | 61 GB | 1 TB | 500 | $3400 |
| Shield 6 | heroku-postgresql:shield-6 | 122 GB | 1.5 TB | 500 | $4400 |
| Shield 7 | heroku-postgresql:shield-7 | 244 GB | 2 TB | 500 | $8400 |
| Shield 8 | heroku-postgresql:shield-8 | 488 GB | 3 TB | 500 | $12250 |
| Shield 9 | heroku-postgresql:shield-9 | 768 GB | 4 TB | 500 | $16000 |

Connecting to shield database via terminal

Heroku CLI command line tools like heroku pg:psql will not work when connecting to the database from your local machine because arbitrary ingress rules aren’t allowed. Instead, a database connection should be made via a Heroku Dyno assuming that the primary database is using the DATABASE_URL config var:

$ heroku run bash
Running bash on ⬢ sushi... up, run.3032 (1X)

~ $ psql $DATABASE_URL
psql (9.6.1, server 9.6.2)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

d8vbabiotc9412=>

Connecting to the database

Programming language specifics

All connections to a private database must be made with TLS/SSL. See the Heroku Postgres connection documentation, which has examples for Java, Ruby, JRuby, Python, Go, PHP and Node.js.
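
One way to make the TLS requirement explicit in application code is to pin libpq's `sslmode` parameter on the connection URL before handing it to the driver, so the client cannot negotiate down to plaintext. This is an added example, not code from the Heroku documentation; the function name `enforce_tls` and the sample URL in the comments are assumptions, and it targets libpq-based clients that accept connection URIs.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# libpq sslmode values that always encrypt the session.
ENCRYPTED_MODES = ("require", "verify-ca", "verify-full")
# libpq sslmode values that permit an unencrypted session.
PLAINTEXT_CAPABLE_MODES = ("disable", "allow", "prefer")


def enforce_tls(database_url: str) -> str:
    """Return database_url with an sslmode that cannot fall back to plaintext.

    A URL without sslmode gets sslmode=require appended. A URL that already
    asks for require/verify-ca/verify-full is returned unchanged. A URL that
    explicitly asks for a plaintext-capable mode is rejected, so the
    misconfiguration is surfaced instead of being silently rewritten.
    """
    parts = urlsplit(database_url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"not a Postgres URL: scheme {parts.scheme!r}")

    params = parse_qsl(parts.query, keep_blank_values=True)
    modes = [value for key, value in params if key == "sslmode"]

    if len(modes) > 1:
        raise ValueError("sslmode is given more than once")
    if modes:
        mode = modes[0]
        if mode in ENCRYPTED_MODES:
            return database_url
        if mode in PLAINTEXT_CAPABLE_MODES:
            raise ValueError(f"sslmode={mode} allows an unencrypted connection")
        raise ValueError(f"unknown sslmode {mode!r}")

    # No sslmode present: keep the other parameters and add the strict one.
    params.append(("sslmode", "require"))
    return urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    # DATABASE_URL is the config var the page refers to; the fallback value
    # is a constructed placeholder, not a real database.
    url = os.environ.get(
        "DATABASE_URL", "postgres://app:s3cret@db.example.internal:5432/appdb"
    )
    print(urlsplit(enforce_tls(url)).query)  # print only the parameters, not credentials
```
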

Connecting to Amazon VPCs via AWS PrivateLink

You can use PrivateLink to connect to a Private or Shield Heroku Postgres Database from an Amazon VPC. See Connecting to a Private or Shield Heroku Postgres Database via PrivateLink for details.

Connecting via mTLS

You can use Mutual TLS to create a secure and mutually authenticated channel between an external resource and a Heroku Postgres database running in a Private Space or a Shield Private Space. See Connecting to a Private or Shield Heroku Postgres Database from an External Resource for details.

Connecting from Heroku Runtimes

Connections to a database instance with a private plan can only be made within a private space. Connections cannot be made from other private spaces (and private space databases cannot be attached across space boundaries), or from the common runtime.

Diagram showing private space database access

If you need to be able to connect to a database from a different private space or from the Common Runtime, you may want a database instance with a non-private plan, which will live in the Common Runtime.

Diagram showing common runtime database access

Using the CLI

Unlike the Heroku Postgres databases in our hobby, standard, and premium tiers, private and shield databases cannot be directly accessed via a local computer.

For access to a private plan Heroku Postgres database, you can use heroku pg:psql. This ensures that you have the correct authorization to connect to the database across the isolated network boundary.

For access to a shield plan Heroku Postgres database, you cannot use heroku pg:psql and can only access the database via a dyno in your shield space.

Trusted IPs for data

Trusted IPs for data are a feature of Private Plans in Private Spaces. Databases in Shield Private Spaces cannot use Trusted IPs.

If a direct connection must be made to a Heroku Postgres private plan database from outside the private space boundary, the Trusted IPs feature of Private Spaces can be used to enable the connection. For Trusted IPs to be used for direct connections, the Private Space must be allowlisted by Heroku to enable the functionality. Please open a support ticket via one of the Heroku Support channels to discuss use cases and ability to have your private space included. More details on Trusted IPs for data services (Heroku Postgres, Heroku Redis and Apache Kafka on Heroku) can be found in the Private Spaces documentation.
