External managed db

The source IPs will likely change; they’re not reliable for IP allow lists.

The best way to secure a DB between providers is to use something like WireGuard to peer two private networks. The second best way is TLS client certificates (mTLS). I think most places will do mTLS.

You can’t run a replica on another provider, but you can run a primary on some (like Crunchy Bridge) and then replicas on Fly.io.

1 Like
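
An added example, not part of the original post: assuming the managed database is Postgres and the app connects with a libpq-style URI, this check flags connection strings that fall short of the mTLS setup recommended above. The hosts, users and certificate paths are constructed placeholders, and requiring the certificate paths to be explicit in the URI is this example's own policy choice.

```python
from urllib.parse import urlsplit, parse_qs

# libpq parameters that carry the client's certificate and private key.
CLIENT_CERT_PARAMS = ("sslcert", "sslkey")


def audit_dsn(dsn: str) -> list[str]:
    """Return findings for a postgres:// URI; an empty list means it passes."""
    parts = urlsplit(dsn)
    if parts.scheme not in ("postgres", "postgresql"):
        return [f"unsupported scheme {parts.scheme!r}"]
    # keep_blank_values so "sslcert=" counts as present-but-empty, not absent
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {k: v[-1] for k, v in query.items()}
    findings = []

    # libpq defaults to sslmode=prefer, which can fall back to plaintext.
    mode = params.get("sslmode", "prefer")
    if mode != "verify-full":
        findings.append(
            f"sslmode={mode}: server certificate and hostname are not both verified")
    if not params.get("sslrootcert"):
        findings.append("sslrootcert not set explicitly: server CA is not pinned in the URI")
    for name in CLIENT_CERT_PARAMS:
        if not params.get(name):
            findings.append(
                f"{name} not set explicitly: no client certificate configured in the URI")
    return findings


# Constructed sample URIs (assumption: none of these come from the post).
SAMPLES = {
    "password over opportunistic TLS": "postgres://app:secret@db.example.com:5432/app",
    "encrypted but unauthenticated": "postgres://app@db.example.com/app?sslmode=require",
    "mTLS": ("postgresql://app@db.example.com/app?sslmode=verify-full"
             "&sslrootcert=/certs/ca.crt&sslcert=/certs/client.crt"
             "&sslkey=/certs/client.key"),
}

if __name__ == "__main__":
    for label, dsn in SAMPLES.items():
        result = audit_dsn(dsn)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

A clean result only covers the client side; the server still has to be configured to require and verify the client certificate.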