Description:

Currently, the TCP proxy on PostgreSQL HA (HAProxy) service cannot be disabled and automatically re-establishes on every deployment. This prevents users from restricting database access to internal networks only.

Why this matters:

• Security best practice: databases should not be publicly accessible unless explicitly required
• Many users deploy databases in the same project as their applications and have no need for public access
• The inability to disable public networking increases the attack surface

Requested feature: Add an option to permanently disable the TCP proxy on HA clusters, allowing databases to be accessible only via private network (.railway.internal).

Current workaround: Users must rely solely on authentication credentials to protect publicly exposed databases, which is less secure than network isolation.