Heroku Key-Value Store and Private Spaces
Last updated June 05, 2025
Table of Contents
Heroku Key-Value Store in Private Spaces is only available for verified Heroku Teams and in Heroku Enterprise.
This article explains the differences between Heroku Key-Value Store (KVS) provisioning, plans, and connections in Private Spaces or Shield Private Spaces as compared with Heroku Key-Value Store in the Common Runtime.
Heroku Private Spaces are dedicated environments for running applications within an isolated network. Every part of the application stack, including the dyno, data stores, and third-party add-ons is contained within this environment.
Heroku Key-Value Store can run within a Private Space with the same developer experience as on the Common Runtime. Many of the same CLI commands and web interfaces work for private Heroku Key-Value Store instances.
Private Heroku Key-Value Store plans aren’t accessible to applications at build time. We advise you to eliminate the build time dependency on your private data store, use a public Heroku Data plan, or contact support for guidance.
All Heroku Key-Value Store plans require TLS connections. You must configure your client to support TLS. This process can require updating and deploying your application before returning the app to normal operation.
Provisioning
The private-tier Heroku Key-Value Store plans are only meant for Private Spaces. You can only provision private-tier plans inside the isolated network environment. If you attempt to create an instance from the premium tier, that request fails.
Create a New Instance
Many buildpacks create a KVS instance as part of the build process. If the application that’s being created is within a Private Space, unless a KVS instance already exists for that application, the lowest available private plan is used when creating the instance. For a list of the currently available plans, see the plans section.
You can provision private Heroku Key-Value Store instances via the CLI:
$ heroku addons:create heroku-redis:private-7 -a private-example-app
You can only create private-tier plans of Heroku Key-Value Store inside a Private Space.
Depending on the region and the type of instance being created, the provisioning process can take up to 10 minutes before the instance is available for use.
Plans
Heroku Key-Value Store offers a set of plans for Private Spaces. The private tier is designed for production applications and includes:
- Region support
- Fork support
- Metrics published to the application log stream
- High availability
| Plan Name | Provisioning Name | Memory Limit | Connection Limit | Monthly Price |
|---|---|---|---|---|
| Private-3 | heroku-redis:private-3 |
500 MB | 400 | $150 |
| Private-5 | heroku-redis:private-5 |
750 MB | 700 | $250 |
| Private-7 | heroku-redis:private-7 |
7 GB | 10000 | $900 |
| Private-9 | heroku-redis:private-9 |
10 GB | 25000 | $1,750 |
| Private-10 | heroku-redis:private-10 |
25 GB | 40000 | $4,000 |
| Private-12 | heroku-redis:private-12 |
50 GB | 65000 | $7,500 |
| Private-14 | heroku-redis:private-14 |
100 GB | 65000 | $14,000 |
Shield Private Space Plans
In Shield Private Spaces, you can use the additional Shield Heroku Key-Value Store plans. These instances have strict connection requirements, prevent external connections, and require encrypted clients.
You must use a shield-tier plan of Heroku Key-Value Store in a Shield Private Space.
The shield tier is designed for production applications and includes:
- Region support
- Metrics published to the application log stream
- High availability
| Plan Name | Provisioning Name | Memory Limit | Connection Limit | Monthly Price |
|---|---|---|---|---|
| Shield-3 | heroku-redis:shield-3 |
500 MB | 400 | $210 |
| Shield-5 | heroku-redis:shield-5 |
750 MB | 700 | $350 |
| Shield-7 | heroku-redis:shield-7 |
7 GB | 10000 | $1,100 |
| Shield-9 | heroku-redis:shield-9 |
10 GB | 25000 | $2,100 |
| Shield-10 | heroku-redis:shield-10 |
25 GB | 40000 | $4,800 |
| Shield-12 | heroku-redis:shield-12 |
50 GB | 65000 | $9,000 |
| Shield-14 | heroku-redis:shield-14 |
100 GB | 65000 | $19,600 |
External Connections
Unlike the Heroku Key-Value Store instances in our premium tier, you can’t access private instances via a local computer. For access to a private KVS instance, you must use the available Heroku Key-Value Store CLI commands. This ensures that you have the correct authorization to connect to the instance across the isolated network boundary.
Using the CLI
The ability to connect to private instances is integrated directly into the Heroku CLI. All of the commands available for the premium tier are available for private instances.
For more information on the available CLI commands for Heroku Key-Value Store, see Managing Heroku Key-Value Store Using the CLI.
Migrating from a Premium KVS Plan to a Private KVS Plan
If you migrate an application from the Common Runtime into a Heroku Private Space, you can also migrate the data from a premium KVS instance to a private KVS instance.
In the event that an application is being migrated from the Common Runtime into a Heroku Private Space, the data from a premium KVS instance can also be migrated to a private KVS instance. This migration guide only applies to moving data from a premium Heroku Key-Value Store instance to a private Heroku Key-Value Store instance inside a Private Space.
It’s not possible to fork to a shield KVS plan.
1. Get the credentials of the Common Runtime instance
To begin the process, we need the credentials from the Heroku Key-Value Store instance running on the Common Runtime.
$ heroku redis:credentials REDIS_URL -a example-app
redis://h:pdx11111111@ec2-184-255-255-255.compute-1.amazonaws.com:7929
2. Prevent new instance updates
It’s important that no new data is written to your application on the source system during the migration process or it doesn’t get transferred to the new instance. To accomplish this, place your source app into maintenance mode. If you have scheduler jobs running as well, disable them.
Your application is unavailable starting at this point in the upgrade process.
$ heroku maintenance:on
Enabling maintenance mode for example-app... done
Maintenance mode doesn’t automatically scale down any dynos. You must scale down any web and non-web dynos to make sure that no connections are writing data to the instance.
$ heroku ps:scale worker=0
Scaling worker processes... done, now running 0
3. Provision the Private plan using a fork
Assuming that the application has been created inside the private space, you can provision the new private Heroku Key-Value Store plan using the --fork flag in conjunction with the Heroku Key-Value Store URI from step 1 of this process.
The addons:create example follows the syntax for Heroku CLI v9.0.0 or later. If you’re on v8.11.5 or earlier, use the command:
$ heroku addons:create heroku-redis:private-7 --fork=redis://h:pdx11111111@ec2-184-255-255-255.compute-1.amazonaws.com:7929 -a private-example-app
$ heroku addons:create heroku-redis:private-7 -a private-example-app -- --fork=redis://h:pdx11111111@ec2-184-255-255-255.compute-1.amazonaws.com:7929
Creating heroku-redis:private-7 on ⬢ private-example-app... $900/month
Your add-on should be available in a few minutes.
redis-rugged-22859 is being created in the background. The app will restart when complete...
Use heroku addons:info redis-rugged-22859 to check creation progress
Use heroku addons:docs heroku-redis to view documentation
4. Promote the forked instance
If you forked the KVS instance from an add-on that wasn’t the primary (it wasn’t the one with REDIS_URL config var), then skip this step. You can use the config var of the new add-on in your app.
For a fork of the primary KVS add-on, promote the forked instance to be the primary so that REDIS_URL points to this instance:
$ heroku redis:promote HEROKU_REDIS_CHARCOAL_URL
Promoting redis-rugged-22859 to HEROKU_REDIS_CHARCOAL_URL on example-app
5. Make the target application active
To resume normal application operation, scale any non-web dynos back to their original levels. If the application wasn’t previously using non-web dynos, skip this step in order to avoid scaling any dynos that you don’t need.
$ heroku ps:scale worker=1
Finally, turn off maintenance mode.
$ heroku maintenance:off
Your application is now receiving requests to your migrated KVS instance. This can be confirmed by running heroku redis:info. The instance denoted by REDIS_URL is considered the primary instance.
Steps to take after the migration
After upgrading your instance, deprovision the old instance so that you aren’t paying for an unused instance.
$ heroku addons:destroy HEROKU_REDIS_BLUE