Heroku Private Spaces
Last updated December 12, 2024
Private Spaces are available only in Heroku Teams and Heroku Enterprise. To learn more about Heroku Enterprise, contact Heroku.
Private Spaces are dedicated environments for running dynos and certain types of add-ons within an isolated network. They enable you to build and run Heroku apps that meet strict requirements for data protection and change control.
There are two generations of the Heroku platform, Cedar, the legacy platform, and Fir, the future of Heroku. This article describes the features and benefits of Private Spaces for both generations.
The Fir generation of Private Spaces is currently in pilot. If you’re interested in participating, reach out to your Heroku Account Executive or sign up for the pilot here.
Use Cases and Benefits
- Control Access at The Network Level: Organizations needing to enforce strict security policies can leverage Private Spaces for sensitive applications by implementing custom network rules. Control access to apps in a space at the network level.
- Secure Communications: Outbound requests from apps in a space originate from a set of stable IP addresses. Allowlist them with your on-premise services and other networks to securely communicate with them.
- Regulatory Compliance: Organizations in regulated industries, like finance or healthcare, can use spaces to meet compliance requirements by ensuring data isolation and enhanced security.
- Performance Optimization: With isolated resources, Private Space applications can achieve consistent performance, avoiding “noisy neighbor” issues that can occur in shared environments.
- Internal Tools and APIs: Host internal applications or APIs in spaces, ensuring that sensitive data does not traverse the public internet.
You can deploy to Private Spaces with the familiar git push heroku main command or take full advantage of Heroku Pipelines. The powerful governance and security features provided by Private Spaces don’t change the standard Heroku developer experience.
Features
Fir Private Spaces
The spaces in the Fir generation of the Heroku platform have the following features.
Private Space Router
The routers in Private Spaces have a slightly different behavior to the routers found in the Common Runtime. Check out Routing in Private Spaces for the differences.
Stable Outbound IP Addresses
All outbound traffic from apps in a Private Space originates from a small, stable list of IP addresses dedicated to the space. You can use lists of allowed IPs to secure services being accessed by apps in the space.
For example, you can configure a web services gateway in your corporate data center to only allow access from the IP addresses assigned to the space. By using this in combination with TLS and application level authentication tokens, you get an extra level of security for protecting resources in your corporate data center.
All team members can view the list of stable outbound IP addresses for a space. See View Outbound IPs for more info.
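As an added example (not code from the Heroku page), a minimal gateway-side check that applies the layering described above: a request is accepted only if its source IP is in the space’s stable outbound list and it presents a valid application-level token. The IP list and token are constructed placeholders; real values come from your space and your service. TLS is assumed to be terminated in front of this check.

```python
import hmac
import ipaddress

# Constructed sample: stable outbound IPs of a hypothetical space, as you
# would read them from the space's Outbound IPs view. Not real addresses.
SPACE_OUTBOUND_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def build_allowlist(entries):
    """Parse plain IPs and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def source_ip_allowed(client_ip, allowlist):
    """True only if the TCP peer address falls inside an allowed network.

    Use the socket peer address, never a client-supplied header such as
    X-Forwarded-For, which the sender can set to any value.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def token_valid(presented, expected):
    """Constant-time comparison of the application-level token."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def authorize(client_ip, token, allowlist, expected_token):
    """Layered decision: network allowlist first, then application token.

    Both layers must pass; on failure the reason is returned for logging.
    """
    if not source_ip_allowed(client_ip, allowlist):
        return (False, "source ip not in space outbound allowlist")
    if not token_valid(token, expected_token):
        return (False, "invalid application token")
    return (True, "ok")


if __name__ == "__main__":
    allow = build_allowlist(SPACE_OUTBOUND_IPS)
    print(authorize("203.0.113.11", "s3cret", allow, "s3cret"))
    print(authorize("198.51.100.7", "s3cret", allow, "s3cret"))
```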
App Availability
We provision dynos via round robin in one of three availability zones (AZ) associated with a space.
If your app requires high availability, we suggest that you scale up your dyno formation to a minimum of 3 dynos for each process type, so that your app keeps serving in the unlikely scenario of an AZ failure.
If an AZ becomes unhealthy or unavailable, we automatically reschedule your dyno on a working AZ. When the unhealthy AZ returns to a healthy state, we automatically redistribute your dynos.
Rolling Deploys with Zero Downtime
Rolling deploys are analogous to Preboot on the Common Runtime. Both enable zero downtime during new releases. Rolling deploys stop and change only up to 25% of the existing dynos at a time, while the remaining dynos handle requests and tasks. See Rolling Deploys for more info.
Add-ons
You can use Heroku add-ons for apps in your spaces. To view which add-ons are available in a region, go to the Add-on Runtime Availability. Select the Private Spaces tab to view information for Private Spaces regions. See Add-ons and Private Spaces for more info.
Additional Features for Cedar Private Spaces
In addition to the features listed for the spaces in the Fir generation of the Heroku platform, the spaces in the Cedar generation have the following features.
Internal Routing
In Private Spaces, you can choose to create apps with internal routing. Unlike other apps, apps with Internal Routing can’t receive external web traffic to their web process type. They can only receive web traffic from other apps in the same space, or from software running in VPC-peered or VPN-connected networks.
DNS Service Discovery
Processes running in Heroku Private Spaces can communicate with one another by using DNS to obtain the IP address of other dynos in the same space. DNS Service Discovery makes it easy to create and deploy microservices.
Trusted IP Ranges
Use trusted IP ranges to restrict traffic to apps that come from your corporate network or from a CDN service that proxies traffic for your apps.
Only clients originating from one of these trusted IP ranges can access web processes running in the Private Space. See Trusted IP Ranges for Private Spaces for more info.
VPN Connection
Heroku Private Spaces and Shield Spaces can configure a connection to another private network using IPSec VPN. This VPN connection lets dynos connect to hosts on your private networks and vice versa. Connections are established over the public Internet, but all traffic is encrypted using IPSec.
VPC Peering
Private Space Peering enables you to establish a private network connection between dynos running in a Heroku Private Space and an AWS VPC you control. This connection doesn’t traverse the public Internet.
Additional Features for Shield Spaces
See Shield Private Spaces for more info.
Types of Spaces
There are two types of spaces: standard Private Spaces and Shield Private Spaces.
Private Spaces are available for both generations of the Heroku platform, while Shield Private Spaces are only available for Cedar.
Shield spaces include additional features for building and running high-compliance applications. See the Shield Private Space article for details on features.
Private Space Regions
You can create spaces in different regions, allowing you to deploy apps closest to your end users. See Regions for the full list.
Private Space Provisioning
Only team administrators can create, destroy, or modify Private Spaces. All team members can view details about Private Spaces in the team. See Working with Private Spaces for more info.
Apps in Private Spaces
Private Spaces have a trust boundary within which your team can deploy and manage apps that handle sensitive data. The ability to create apps in a space is constrained to team administrators and users with the app creation permission for the space. See Managing Apps in Private Spaces: Granting Permissions for more info.
Transferring a Private Space
See Working with Private Spaces to learn how to transfer spaces.
Default Limits
The Private Spaces runtime is built on a different architecture than the Common Runtime, so spaces have different default limits. See Default Private Spaces Limits for more info.