Vercel

Vercel Sandbox Now Supports Secure Connections to Hosted Postgres Databases


Executive Summary

Vercel has updated its Sandbox product to allow secure, domain-based connections to external hosted Postgres databases. The Sandbox firewall has been enhanced to intelligently handle the unique TLS negotiation protocol used by Postgres, which previously prevented such connections. This update enables developers to connect their sandboxed environments to services like Neon, Supabase, and AWS RDS by simply adding the database host to an allowlist, requiring no changes to existing application code.

Key Takeaways

* Direct Postgres Connectivity: Vercel Sandbox can now connect to popular hosted Postgres providers, including Neon, Supabase, AWS RDS, Nile, and Prisma Postgres.

* Intelligent Firewall: The Sandbox firewall now detects the Postgres startup sequence and waits for the TLS upgrade before applying domain-based network policies, resolving a previous technical limitation.

* Simple Configuration: To enable a connection, users add their database host to the Sandbox's `allowDomains` network policy.

* TLS Required: This feature relies on the TLS handshake to identify the domain, so database connections must use `sslmode=require` or higher.

* No Silent Downgrades: If a client attempts to connect with `sslmode=prefer` to a database that doesn't support TLS, the connection will fail rather than silently falling back to an insecure plain-text connection.

Strategic Importance

This update removes a key networking limitation, significantly expanding Vercel Sandbox's utility for developers building and testing full-stack applications that rely on secure database access.

Original article