Fly Postgres - Hightouch.io Peering

Hey everyone,

Looking for the best solution to get our Fly Postgres accessible by Hightouch.io

Thanks,

Dan

I’d suggest the reverse tunnelling approach suggested here: Tunnels | Hightouch Docs

You could run this inside a small Fly VM, on a minimal image, and it’ll open a connection from inside your private network to Hightouch. That should allow you to set it up as you would an externally accessible data source.

Thanks @sudhir.j - Not 100% sure what this looks like on the Fly side; would you have some best practices / Dockerfile for setting something like this up?

Does the ssh command ssh -i path/to/key.pem -R 0.0.0.0:57510:$SERVICE_HOST:$SERVICE_PORT 54.236.124.19 -p 49228 -o ExitOnForwardFailure=yes possibly need to be run on every start, and how do we make sure the ssh private key sticks around from boot to boot?

Thanks a ton!

I’d set up a dockerfile that copies the key in, then starts this as the run command. That way it’ll open the tunnel and stay open.

You’ll want to scale the tunnel app to just 1 VM, and set the region to the same region as the DB.

I can write up an example app / dockerfile tomorrow if that helps.

That would be a HUGE help!

This is sort of what I was thinking. Let me give it a try; looking forward to your example!

Any suggestion for the best image to use for the Dockerfile?

Thanks again

@danwetherald Here’s what I’d base an image off docker-ssh-tunnel/Dockerfile at master · cagataygurturk/docker-ssh-tunnel · GitHub

Can try it with this, and I’ll write up a guide / example in a bit.

If I am being completely honest, I am not sure which variables are which haha.

Also, this does not include anything with the key.pem file.

Can you help me out?

Yeah, I’ll post an example specific to Hightouch soon.

1 Like

Ah okay, yea I was taking this approach too literally haha

1 Like

Can try a file like

FROM alpine:3.2

RUN apk add --update openssh-client && rm -rf /var/cache/apk/*
ADD ./key.pem key.pem
# ssh refuses to load a private key that is readable by group/others
RUN chmod 600 key.pem
# -i (lowercase) selects the identity file; -I is the PKCS#11 library option
CMD ssh -i key.pem \
    -R 0.0.0.0:56000:$SERVICE_HOST:$SERVICE_PORT \
    tunnel.hightouch.io -p 49100 \
    -o ExitOnForwardFailure=yes

with SERVICE_HOST set to the database app, like dbapp.internal
and SERVICE_PORT set to 5432 or 5433 if you’re pointing it at a read replica.

1 Like
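A fuller version of the same reverse-tunnel setup as an entrypoint script, added here as an example (it is not code from this thread, from Fly, or from Hightouch). It validates the host and port values before they are word-split into the ssh command line, fixes the private key's mode, pins the tunnel host key when one is supplied, and reconnects if ssh exits. The defaults mirror the values quoted above; the variable names (REMOTE_PORT, TUNNEL_HOST, TUNNEL_PORT, SSH_KEY, KNOWN_HOSTS, TUNNEL_HOST_KEY, TUNNEL_ENTRYPOINT) are hypothetical, and the -N flag assumes the tunnel server accepts a forwarding-only session with no remote command.

```shell
#!/bin/sh
# Added example entrypoint for the tunnel VM (not from the thread, Fly or Hightouch).
# Dockerfile usage (assumed layout):
#   COPY key.pem /root/.ssh/key.pem
#   COPY entrypoint.sh /entrypoint.sh
#   ENV TUNNEL_ENTRYPOINT=1
#   CMD ["/entrypoint.sh"]
# Defaults mirror the thread's values; the variable names are hypothetical.

: "${SERVICE_HOST:=dbapp.internal}"      # Fly Postgres app, reached over Fly's private network
: "${SERVICE_PORT:=5432}"                # 5432 = primary, 5433 = read replica
: "${REMOTE_PORT:=56000}"                # port Hightouch assigned for this tunnel
: "${TUNNEL_HOST:=tunnel.hightouch.io}"
: "${TUNNEL_PORT:=49100}"
: "${SSH_KEY:=/root/.ssh/key.pem}"
: "${KNOWN_HOSTS:=/root/.ssh/known_hosts}"
: "${TUNNEL_HOST_KEY:=}"                 # optional pinned known_hosts line for the tunnel host
: "${RECONNECT_DELAY:=5}"

# A TCP port: digits only, 1..65535.
validate_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A hostname or IP: no whitespace or shell metacharacters, because the
# argument list is word-split before it reaches ssh.
validate_host() {
  case "$1" in ''|*[!A-Za-z0-9.:_-]*) return 1 ;; esac
}

# ssh refuses a private key readable by anyone but its owner.
fix_key_perms() {
  chmod 600 "$1"
}

# Emit the ssh arguments one per line so they can be inspected without connecting.
build_tunnel_args() {
  validate_host "$SERVICE_HOST" || { echo "bad SERVICE_HOST" >&2; return 1; }
  validate_host "$TUNNEL_HOST"  || { echo "bad TUNNEL_HOST" >&2; return 1; }
  for p in "$SERVICE_PORT" "$REMOTE_PORT" "$TUNNEL_PORT"; do
    validate_port "$p" || { echo "bad port: $p" >&2; return 1; }
  done
  if [ -n "$TUNNEL_HOST_KEY" ]; then
    hostkey_opt=StrictHostKeyChecking=yes        # pinned: refuse any other host key
  else
    hostkey_opt=StrictHostKeyChecking=accept-new # trust on first boot; pin once known
  fi
  printf '%s\n' \
    -i "$SSH_KEY" -N \
    -R "0.0.0.0:$REMOTE_PORT:$SERVICE_HOST:$SERVICE_PORT" \
    -p "$TUNNEL_PORT" \
    -o ExitOnForwardFailure=yes \
    -o BatchMode=yes \
    -o "$hostkey_opt" \
    -o "UserKnownHostsFile=$KNOWN_HOSTS" \
    -o ServerAliveInterval=30 \
    -o ServerAliveCountMax=3 \
    "$TUNNEL_HOST"
}

# Keep the tunnel up: ssh exits on network hiccups, so loop with a short delay.
run_tunnel() {
  fix_key_perms "$SSH_KEY" || return 1
  mkdir -p "$(dirname "$KNOWN_HOSTS")"
  if [ -n "$TUNNEL_HOST_KEY" ]; then
    printf '%s\n' "$TUNNEL_HOST_KEY" > "$KNOWN_HOSTS"
  fi
  args=$(build_tunnel_args) || return 1
  set -f   # no globbing while word-splitting the validated argument list
  while :; do
    # shellcheck disable=SC2086
    ssh $args || echo "ssh exited with status $?; reconnecting in ${RECONNECT_DELAY}s" >&2
    sleep "$RECONNECT_DELAY"
  done
}

# Only start the tunnel when running as the container entrypoint.
if [ "${TUNNEL_ENTRYPOINT:-0}" = 1 ]; then
  run_tunnel
fi
```

Baking key.pem into an image layer means anyone who can pull the image holds the tunnel key; an alternative is to pass the key material in as a Fly secret and write it to SSH_KEY at startup before calling run_tunnel. Either way, once the tunnel host's key is known, set TUNNEL_HOST_KEY so a changed host key fails the connection instead of being accepted.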

So I have it “working” but it's using the release step, and that will just hang forever and never “deploy”.

For some reason I get errors when trying to get this working with everything in the CMD of the dockerfile.

latest Dockerfile:

FROM alpine:latest

RUN apk add --update openssh-client && rm -rf /var/cache/apk/*

COPY key.pem .

CMD rm -rf /root/.ssh && mkdir -p /root/.ssh && cp -R /root/ssh/* /root/.ssh/ && chmod -R 600 /root/.ssh/*

EXPOSE 1-65535

I’ve just posted an example as you posted this :smiley: Fly Postgres - Hightouch.io Peering - #10 by sudhir.j

This reference was accepting a tunnel, you want to establish one in reverse, so the commands are different, and there’s no port exposed.

1 Like

I believe that last Dockerfile worked!!! :tada::tada::tada::tada::tada::tada::tada::tada:

Thank you so much @sudhir.j - this was a pain in the ass haha.

1 Like

Nice! Just remember to prefer a read replica for this, run the tunnel app in the same region you’re running the DB, etc. Otherwise things can slow down in a lot of cases.

Absolutely! Another awesome part of fly postgres, read replicas :raised_hands:t2:.

Just ran into the next issue lol - no SSL Mode settings at hightouch

The server does not support SSL connections

Any ideas?

You’re seeing this in the log output of the tunnelling container? Or when Hightouch is trying to connect to the DB?

On hightouch side, meaning they have no config for ssl mode.

Yeah, I think you’ll want to turn OFF SSL mode on Hightouch. The tunnel app to DB is protected internally by Fly’s networking, and the tunnel to Hightouch is also encrypted with the key you have at key.pem. The connection from Hightouch to the DB doesn’t need SSL, and you’ll want to disable that.

Yup, the problem is it's not a setting on their dashboard; chatting with their support now :confused:

1 Like

Okay, they were able to add an SSL Mode flag for me :raised_hands:t2:

1 Like