Public URL / IP for Postgres Cluster

Hey there,

@kurt suggested me to post this Question here.
We are currently looking into for our next migration of our Production Platform. Currently we are already testing apps for GraphQL and long-lived docker containers. It looks very promising for now.

We are also looking into the PostgreSQL Cluster solution, a main blocker for us ist, that we do need to use it with additional Servers and Tools outside of, which do not have any possibility to open an Wireguard Tunnel.

As far as I could tell, the documentation only shows internal connection parameters, however we would need a public external URL or Anycast IP to connect to the PostgreSQL Cluster. It should still have the advantages of connected to the nearest read instance.

Is this even possible, planned to come or do you not suggest to use Fly’s PostgreSQL Cluster if it needs to be used with Servers outside of Fly.


This is doable! One thing to keep in mind is that our postgres clusters expose two ports:

  1. Port 5432 is a proxy that always connects you to the primary writable node
  2. Port 5433 is direct to postgres, and will work for read replicas

You can expose both of these publicly a couple of ways. What kind of apps are you connecting from? If it’s something like a FaaS you’ll want to do this with pgbouncer or pgpool, if it’s just external admin tools there might be a simpler way.

1 Like

We do have FaaS Providers and IDE/Admin Tools running on Client Devices, but also regular VMs in the Cloud, needing to connect to the Cluster.

That said, if connecting to the read replicas on 5433, we do need to connect on the publicly always to the nearest one, without knowing the region of it.
So that must be taken in consideration for a way.

I hope you guys don’t mind me chiming in.

I am facing a similar scenario, where I’d like to expose a postgres database server externally to a third party reporting tool (

I think setting up pgpool or pgbouncer might be overkill for my use case. I wonder @kurt if you could elaborate a bit more on those simpler ways of doing it. It pretty fits the external admin tool scenario.

For context, I am helping one of my clients automating their business operations. Even though we are not going global or anything like that, it’d be just great if I didn’t had to manage all the server side configs with ansible and a VPS. :slight_smile:

I wonder whether I should add the following section to the fly.toml in my postgres-ha clone.

    handlers = ["tls"]
    port = "5432"

Hey, @vicente.reig,

I apologize for the delayed response!

So there’s two things you will need to do.

  1. Specify your internal port and protocol.
  internal_port = 5432
  protocol = "tcp"
  1. Specify the external port and handler.
# For secure connections
 handlers = ["tls"]
 port = 443

# For insecure connections. 
 handlers = []
 port = 10000

Here’s a link to our configuration docs for more information:

I hope that helps!

1 Like

Very appreciated, @shaun. Thank you for the snippet! :slight_smile:

@vicente.reig did you get anywhere with this? I’ve managed to set up external connections using the above approach but the tool we’re using (Mode) only allows encrypted connections, which I can’t seem to get working.

Did you manage anything without needing to resort to pgbouncer?

Hey @harry, I was able to set it up with Metabase. It’s pretty standard/lean 1-instance Postgres setup, so I’m using plain connections from the reporting tool.

OK, thanks. Yeah, we use Mode which enforces SSL for the DB connections, which is a bit of an issue.

Do you self-host Metabase? I guess that would get around the public host stuff entirely if it’s running inside the private network.