External managed db

Hi all,
I want to use an external managed db service in the same region of my fly app, but have a few questions:

  • Is it okay to make it publicly accessible but restrict the IP to the Fly IP address of my service? Any downsides of doing this? (This would be the IP that I add in the DNS.)
  • Could I maybe use the managed DB service as a backup/sync replica type thing (keep Fly as the primary, but just use the managed DB to make backups/restores easily)?

Absolutely love fly, but databases are hard (and critical at the same time :sweat_smile:)

Just realised that maybe I could use a machine IP as a whitelisted source for my database? I think this would be great, right, since it wouldn’t change for a particular app?

The source IPs will likely change; they’re not reliable for IP allow lists.

The best way to secure a DB between providers is to use something like wireguard to peer two private networks. The second best way is TLS client certificates (mTLS). I think most places will do mTLS.

You can’t run a replica on another provider, but you can run a primary on some (like Crunchy Bridge) and then replicas on Fly.io.

1 Like
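Added example, not from this thread or from Fly.io/Crunchy Bridge: what the "second best" option above (mTLS) looks like in PostgreSQL’s own configuration, with the IP-allow-list rule it replaces shown beside it. Hostname, role, database and file paths are placeholders; a managed provider exposes the same settings through its own tooling rather than letting you edit these files directly.

```conf
# pg_hba.conf (server side)

# Weak: trusts a source range plus a password. Breaks when the app's egress
# IP changes, and a password is all a compromised allow-listed host needs.
host     app   app   203.0.113.0/24   scram-sha-256

# Stronger: TLS is mandatory (hostssl) and the client must present a
# certificate chaining to ssl_ca_file whose CN equals the connecting role
# ("cert" auth method). No password is sent; any source IP may connect,
# but only a holder of a valid client key gets in.
hostssl  app   app   0.0.0.0/0        cert
hostssl  app   app   ::/0             cert

# postgresql.conf (server side)
ssl           = on
ssl_cert_file = '/etc/postgresql/server.crt'   # server identity
ssl_key_file  = '/etc/postgresql/server.key'
ssl_ca_file   = '/etc/postgresql/client-ca.crt'  # CA that signs client certs

# Client side (libpq connection string, e.g. from the Fly app):
#   host=db.example.com dbname=app user=app
#   sslmode=verify-full sslrootcert=/app/certs/server-ca.crt
#   sslcert=/app/certs/client.crt sslkey=/app/certs/client.key
# verify-full makes the client check the server's hostname too, so both
# sides authenticate each other; revoking the client cert cuts access
# without touching any IP lists.
```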

We (Crunchy Bridge) are actively working on a turnkey wireguard integration, no clear timeline on it being available, but hopefully it’s not too distant future.

As for a replica from Crunchy Bridge to fly.io we actually could absolutely support that following these steps.

2 Likes

@kurt could you please elaborate why wireguard is better than mTLS?

AFAIK it would require a bastion instance to resolve the WireGuard connection to Postgres, which feels like more moving parts and more potential points of failure compared to client certificates.

Not Kurt, but see this Twitter thread by colmmacc (distinguished engineer at AWS) and the subsequent discussion it triggered on news.yc.

2 Likes