The source IPs will likely change; they’re not reliable for IP allow lists.
The best way to secure a DB between providers is to use something like WireGuard to peer two private networks. The second best way is TLS client certificates (mTLS). I think most places will do mTLS.
You can’t run a replica on another provider, but you can run a primary on some (like Crunchy Bridge) and then replicas on Fly.io.
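
As an added illustration of the mTLS option mentioned above (not part of the original reply and not any provider's own configuration), this is how a self-managed PostgreSQL server can require client certificates instead of trusting a source address. It assumes the database is PostgreSQL and that you can edit its configuration files; the database name, user, host name, address and file paths are constructed placeholders.

```conf
# --- postgresql.conf (server side; paths are placeholders) ---
ssl = on
ssl_cert_file = '/etc/postgresql/tls/server.crt'
ssl_key_file  = '/etc/postgresql/tls/server.key'
ssl_ca_file   = '/etc/postgresql/tls/clients-ca.crt'   # CA that signs client certs
ssl_min_protocol_version = 'TLSv1.2'

# --- pg_hba.conf: weak form, trusts a source address that may change ---
# host     appdb  appuser  203.0.113.10/32  scram-sha-256

# --- pg_hba.conf: mTLS form, any source address, certificate required ---
# "hostssl" matches TLS connections only. The "cert" method requires a client
# certificate signed by ssl_ca_file whose CN equals the database user name.
hostssl  appdb  appuser  0.0.0.0/0  cert
hostssl  appdb  appuser  ::/0       cert

# Alternative (PostgreSQL 12+): keep the password and also require the cert.
# hostssl  appdb  appuser  0.0.0.0/0  scram-sha-256  clientcert=verify-full

# --- client side (libpq connection string, e.g. for psql) ---
# sslmode=verify-full makes the client check the server certificate and host
# name; sslcert/sslkey present the client certificate to the server.
# host=db.example.com port=5432 dbname=appdb user=appuser
#   sslmode=verify-full sslrootcert=/app/tls/server-ca.crt
#   sslcert=/app/tls/appuser.crt sslkey=/app/tls/appuser.key
```

With no plain `host` line for this user, connections without TLS or without a valid client certificate are rejected regardless of where they come from.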