Scalingo for PostgreSQL® Dedicated Resources

src/_posts/databases/postgresql/2000-01-01-dedicated-resources.md

@@ -0,0 +1,4 @@
+---
+nav: Dedicated Resources
+index: 3
+---

src/_posts/databases/postgresql/dedicated-resources/2000-01-01-getting-started.md

@@ -0,0 +1,4 @@
+---
+nav: Getting Started
+index: 1
+---

src/_posts/databases/postgresql/dedicated-resources/2000-01-01-guides.md

@@ -0,0 +1,4 @@
+---
+nav: Guides
+index: 2
+---

src/_posts/databases/postgresql/dedicated-resources/getting-started/2000-01-01-accessing.md

@@ -0,0 +1,106 @@
+---
+title: Accessing Your Scalingo for PostgreSQL® Dedicated Resources Database
+nav: Accessing
+modified_at: 2026-02-13 12:00:00
+tags: databases postgresql dedicated
+index: 3
+---
+
+
+Remotely accessing your Scalingo for PostgreSQL® database can sometimes be
+useful, for example, to conduct investigations, to check or compute data
+locally, to dump the database content,...
+
+
+## Using Third Party Tools
+
+While using `psql` to query and administer a PostgreSQL® database is probably
+the ubiquitous choice for a lot of users, it's not limited to that. The
+PostgreSQL® ecosystem indeed offers a very large panel of tools made and
+provided by third-parties. For example, some might feel more intuitive because
+of their Graphical User Interface. Some are better integrated with others
+tools, when some others are more data-visualization centric.
+
+By default, and for security reasons, your PostgreSQL® database is not directly
+accessible from the Internet and therefore not directly usable with your
+third-party tool.
+
+To access your database remotely you first need to [make it reachable over the
+Internet](#making-the-database-reachable-over-internet):
+- either locally, on your computer, via an [encrypted tunnel](#setting-up-an-encrypted-tunnel)
+- or from any location, by [enforcing TLS connection]({% post_url databases/postgresql/dedicated-resources/getting-started/2000-01-01-connecting %}#enforcing-tls-connection)
+  and [enabling direct Internet access](#enabling-direct-access-over-internet).
+
+Once a secured connection has been established, you should be able to connect
+to your database with your tool of choice. If you don't have one yet, we
+suggest you to [take a look at pgAdmin](#using-pgadmin).
+
+### Using pgAdmin
+
+pgAdmin is probably the most popular and feature rich administration and
+development platform for PostgreSQL®. It's open-source, it supports many
+platforms and comes with a Graphical User Interface, making it a reference tool
+for PostgreSQL®.
+
+
+## Allowing Access with Firewall Rules
+
+Dedicated Resources databases are protected by a deny-by-default firewall.
+To allow inbound connections, you must add explicit firewall rules for each
+trusted source.
+
+1. From your web browser, [open your database dashboard]({% post_url databases/postgresql/dedicated-resources/getting-started/2000-01-01-provisioning %}#accessing-the-scalingo-for-postgresql-dashboard)
+2. Select the **Settings** tab
+3. In the **Settings** submenu, select **Internet Access**
+4. In the **Firewall rules** block, click **New rule**
+5. Select the rule type:
+   - **Custom CIDR IPv4** to allow specific public IP addresses or ranges
+   - **Scalingo `<region>` region** to allow traffic from Scalingo apps in that region
+6. Repeat as needed for each trusted source
+7. Connect using the database [connection URI]({% post_url databases/postgresql/dedicated-resources/getting-started/2000-01-01-connecting %}#getting-the-connection-uri)
+
+### How the Firewall Works
+
+The firewall follows an allowlist model: you define allowed source networks
+with CIDR notation (single IPs or ranges), and only matching sources can reach
+the database endpoint.
+
+You can configure up to **30 firewall rules** per
+database, and rule changes usually propagate in around 2 minutes.
+
+Here are common CIDR formats you can use in firewall rules:
+
+- Single IP: `203.0.113.10/32` (`/32` means one exact IPv4 address)
+- IP range: `203.0.113.0/24` (`/24` means a subnet of 256 IPv4 addresses)
+- Allow all (not recommended): `0.0.0.0/0` (`/0` means all IPv4 addresses; this
+  effectively disables firewall filtering)
+
+### Allowing Scalingo Apps To Reach a Dedicated Resources Database
+
+If a Scalingo app must connect to a Dedicated Resources database, you need to 
+allow inbound connections from the app [region's egress IP addresses][egress].
+
+To keep the service simple and maintenance-free, Scalingo provides a
+**managed rule** type that automatically allowlists egress IPs for a region.
+
+Two managed rules are available:
+
+- `Scalingo osc-fr1 region`
+- `Scalingo osc-secnum-fr1 region`
+
+Workflow:
+
+1. Identify the app region (for example `osc-fr1` or `osc-secnum-fr1`).
+2. Add the matching **managed rule** in the Dedicated Resources firewall.
+3. Add custom CIDR rules only for additional non-Scalingo sources (office IPs,
+   VPN, etc.).
+
+A database in `osc-fr1` can accept traffic from an app in `osc-secnum-fr1` (and
+the other way around) as long as the corresponding managed rule is present.
+
+{% note %}
+With managed rules, Scalingo maintains the underlying egress IP list for you.
+You do not need to manually track egress IP changes for these rules.
+{% endnote %}
+
+[egress]: {% post_url platform/networking/public/2000-01-01-egress %}

src/_posts/databases/postgresql/dedicated-resources/getting-started/2000-01-01-connecting.md

@@ -0,0 +1,106 @@
+---
+title: Connecting Your Scalingo for PostgreSQL® Dedicated Resources Database
+nav: Connecting
+modified_at: 2026-02-13 12:00:00
+tags: databases postgresql dedicated
+index: 2
+---
+
+
+Each Scalingo for PostgreSQL® Dedicated Resources database has its own
+**connection URI**, containing all information needed to connect to it.
+
+
+## Understanding the Connection URI
+
+The connection URI is made of several **components** separated one from each
+other by a **delimiter**. For example, the `@` character is used to mark the
+end of the *userinfo* (credentials) component of the URI.
+
+In the case of PostgreSQL®, the connection URI provided by Scalingo is always
+formed as follows:
+
+```bash
+postgresql://[user]:[password]@[url]:[port]/[dbname]?sslmode=require
+```
+
+For more information about the connection URI syntax, please see
+[RFC 3986][rfc3986] which defines the URI Generic Syntax.
+
+
+## Using the Connection URI
+
+**We strongly advise to use one of the two environment variables available to
+connect your application to your database**. Please don't use the value, but
+the environment variable itself.
+
+While the value of the provided connection URI **should not** change over time,
+**we don't guarantee it**. For example, the URI could change for maintenance
+reasons. In such a case, using the environment variable guarantees that your
+application can restart successfully without human intervention. Otherwise, you
+would have to update your code with the new value and trigger a new deployment,
+which would most probably contribute to a greater downtime.
+
+In most cases, you can pass the environment variable directly to the client
+library you are using. But sometimes, the library requires a specific URI
+format, individual keypairs or another format. In such cases, your code
+needs to parse the connection URI to retrieve the different values and build
+what's required by the library. Our advice to use the environment variable
+still remains applicable.
+
+
+## Getting the Connection URI
+
+### Using the Dashboard
+
+1. From your web browser, open your [dashboard][database-dashboard]
+2. Locate the **Connect** section then copy its **Connection String**
+
+### Using the Command Line
+
+1. Make sure you have correctly [setup the Scalingo command line tool][cli]
+2. From the command line, list your databases:
+   ```bash
+   scalingo databases
+   ```
+3. Locate the `ID` of the database you would like to connect to
+4. From the command line, get the environment variable value:
+   ```bash
+   scalingo --database <database_ID> env-get SCALINGO_POSTGRESQL_URL
+   ```
+   The output is:
+   ```bash
+   postgresql://my_dedicate_wxyz:YANs3y07m5_KJC2MSDGebh8tx1lliFWh2Yb239zVqGQvbElWDjIN7QWspVH92Ul8@my-dedicate-wxyz.postgresql.a.osc-fr1.scalingo-dbs.com:31000/my_dedicate_wxyz?sslmode=require
+   ```
+
+
+## TLS Connections Are Enforced
+
+By default, all PostgreSQL® Dedicated Resources databases enforce TLS.
+Any non-TLS connection is denied. Consequently, your application must be
+configured to use TLS when connecting to the database.
+
+
+## Connecting Multiple Applications to the Same Database
+
+To share a database across multiple Scalingo applications, first make sure the
+Dedicated Resources firewall allows traffic from the application's region (see
+[Allowing Scalingo Apps to Reach a Dedicated Resources Database][dr-firewall-regions]).
+Then add the database connection string as an environment variable in each
+application that needs access.
+
+1. Copy [the connection URI](#getting-the-connection-uri) of your database instance
+2. [Create a new environment variable][environment] for the application that
+   needs to access the database
+3. Set the value of this new environment variable to connection URI you just
+   copied
+4. Restart the application to make the new environment variable available
+
+
+[rfc3986]: https://datatracker.ietf.org/doc/html/rfc3986
+
+[cli]: {% post_url tools/cli/2000-01-01-start %}
+[environment]: {% post_url platform/app/2000-01-01-environment %}
+[dr-firewall-regions]: {% post_url databases/about/2000-01-01-network-exposure %}#allowing-scalingo-apps-to-reach-a-dedicated-resources-database
+
+[database-dashboard]: {% post_url databases/postgresql/dedicated-resources/getting-started/2000-01-01-provisioning %}#accessing-the-scalingo-for-postgresql-dashboard