Database.postgresql.deny_public_access Cluster Setting

Relevant information to this issue:

  • databases: Managed AWS RDS - Postgres 13

ISSUE

On our cluster we had the database.postgresql.deny_public_access setting set to TRUE for security purposes.

  • When using the container mode for private databases, everything in our application was working fine.

  • However, when we tried to deploy a private database in managed mode (AWS RDS) it was no longer able to connect with the following error: Error connecting to postgresql://user:pass@database-url:5432/postgres.

  • Then we set database.postgresql.deny_public_access to FALSE and the application is able to connect.

How are we supposed to connect our application to a private, managed database while denying public access to the database? Thanks.

Hello @colin,

Qovery provides some environment variables to let you connect to your database:

  • QOVERY_*_DATABASE_URL can be used when the database is exposed publicly
  • QOVERY_*_DATABASE_URL_INTERNAL should be used when the database is private

Out of curiosity, are you using the environment variable QOVERY_*_DATABASE_URL_INTERNAL to connect to your database?

Otherwise, can you share your environment link to let us dig more into this issue?

Thank you,
Melvin

Hello Melvin.

We are using DATABASE_URL_INTERNAL and I DM’ed you my env link (wasn’t sure if it was safe to post here).

Part of my question/concern I guess I should elaborate on is that we have a security issue where even though that specific database is marked as private, the qovery-eks-workers security group still has a rule of CIDR/IP - Inbound 0.0.0.0/0. I am wondering what I can set database.postgresql.allowed_cidrs to so that the appropriate application inside of the cluster can still access a “private” managed database.

-Colin

Ok, after some investigation it seems that we have an issue on our side: the CIDR option is not taken into account.
We are on it and will get back to you once this is resolved.

Melvin

It appears that setting database.postgresql.allowed_cidrs to the Custom VPC subnet created in the corresponding Cluster does the trick, IF database.postgresql.deny_public_access is set to FALSE. Ideally I would like to restrict it further to only the necessary K8s services that require access to the database (through a security group), but this definitely seems to be an improvement from allowing all Source IPs. Additionally, we can set all databases to private, but it would also be nice to be able to deny public access across the whole cluster by default.
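An added audit script (not Qovery's or AWS's own code) that checks the three things this thread turns on together: whether database.postgresql.deny_public_access is off, whether the workers' security group still has an ingress rule open to 0.0.0.0/0 on the Postgres port, and whether every database.postgresql.allowed_cidrs entry lies inside the cluster's VPC CIDR. The security-group description follows the shape of ec2 describe-security-groups output; the group id, CIDRs and settings values are constructed samples.

```python
import ipaddress
POSTGRES_PORT = 5432
# Constructed sample in the shape of ec2 describe-security-groups output:
# one ingress rule open to the world on 5432, one scoped to the VPC.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # constructed id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
# Constructed sample of the two cluster settings named in the thread.
SAMPLE_SETTINGS = {
    "database.postgresql.deny_public_access": False,
    "database.postgresql.allowed_cidrs": ["10.0.0.0/16"],
}
VPC_CIDR = "10.0.0.0/16"  # constructed custom VPC CIDR

def world_open_postgres_rules(group):
    """CIDRs of ingress rules that reach 5432 from 0.0.0.0/0 or ::/0."""
    found = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):  # -1 means all traffic
            continue
        if not perm.get("FromPort", 0) <= POSTGRES_PORT <= perm.get("ToPort", 65535):
            continue
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        found += [c for c in ranges if ipaddress.ip_network(c).prefixlen == 0]
    return found

def cidrs_outside_vpc(allowed_cidrs, vpc_cidr):
    """allowed_cidrs entries that are not contained in the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in allowed_cidrs
            if ipaddress.ip_network(c).version != vpc.version
            or not ipaddress.ip_network(c).subnet_of(vpc)]

def audit(group, settings, vpc_cidr):
    """Findings list; empty means the port is reachable only from inside the VPC."""
    findings = []
    if not settings.get("database.postgresql.deny_public_access"):
        findings.append("deny_public_access is FALSE")
    for c in world_open_postgres_rules(group):
        findings.append(f"{group['GroupId']} allows {c} to port {POSTGRES_PORT}")
    for c in cidrs_outside_vpc(settings.get("database.postgresql.allowed_cidrs", []), vpc_cidr):
        findings.append(f"allowed_cidrs entry {c} is outside VPC {vpc_cidr}")
    return findings
```

Run it against the real group description and settings to confirm that, after narrowing allowed_cidrs to the VPC subnet as described above, the only remaining finding is the deny_public_access value.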