How do I limit access to my Postgres db's public url?
ettenger
HOBBYOP

8 months ago

I am able to connect to my Railway Postgres db via the public url from any IP address. Is there a way to create an IP address allow list so it can be locked down?

Solved
$10 Bounty

Pinned Solution

8 months ago

Railway does not currently support IP-based access control for inbound connections to PostgreSQL instances. A potential solution could involve using a private network setup or configuring a firewall at the application level to restrict access.

8 Replies


noahd

Railway does not currently support IP-based access control for inbound connections to PostgreSQL instances. A potential solution could involve using a private network setup or configuring a firewall at the application level to restrict access.

ettenger
HOBBYOP

8 months ago

Thanks for the info. Can you tell me more about the private network setup or firewall?

I have a web server running that connects to the database through the Railway internal network. That same db is exposed to the public internet via a proxy. I like that I can connect to the db from my computer, but having it totally open to connections is too much of a security gap. The better way would be either:
1. SSH tunnel to connect to the database from inside the private network
2. Only allow incoming connections from an allow list of IP addresses

Do you think either of those setups would be possible with Railway? The server needs to be accessible on the internet, so I don't think I can put the whole application behind a firewall.


8 months ago

For the first one.
I'm generally unsure as to why you would want to go through that, as the public one does exist. It's a layer of abstraction that I think is mostly unneeded.
To keep it secure, I suggest frequently swapping the password and not sharing any of the information with anybody. It's just a password and should be treated as such.
That being said, I see a post saying: "If you want to completely remove public access to your database, remove the TCP proxy domain instead." so that is a solution.

For the second, as I said, you can't restrict IP-based access currently. I don't have a solid answer on the private network as I haven't done it personally. Worth investigating and looking around to see if people have done so.


8 months ago

If I were doing this, I would remove and add the TCP proxy as needed, based on when I need access.


ettenger
HOBBYOP

8 months ago

Great, so if I remove the TCP proxy, is there any way to tunnel into the private network to access the db from my computer?


8 months ago

https://docs.railway.com/reference/private-networking
I don't think that with private networks you can connect from the outside in.
Unless you set up some custom TCP or API with another app that is on that private network.


ettenger
HOBBYOP

8 months ago

Thanks for all the info. In summary:
1. There is no IP-based access control for inbound connections to PostgreSQL instances
2. It is possible to remove the TCP proxy so only machines on the Railway internal network can access it
3. There is no way to tunnel into that internal network
4. As a workaround, you could toggle on and off the TCP proxy as needed to access the db


ricardovf
PRO

8 months ago

Maybe use Cloudflare tunnels to the private network/machine?


Status changed to Solved brody 8 months ago

