Skip to Content
Use CasesSecure Database Access

Secure Database Access

Your database should never have a public IP. With Rabtly, it doesn’t need one — and only the app servers you name can reach it.

The problem

A managed database with a public endpoint is a standing risk: misconfigured security groups, leaked credentials, and automated scanners all target it. Locking it to specific source IPs breaks the moment an app server’s IP changes or autoscaling adds new ones.

How Rabtly helps

  • Private-only — the database is reachable solely via its Rabtly IP. There’s no public endpoint to scan or leak.
  • Explicit allow-list by group — only the app group reaches the database group, and you can restrict it to just the Postgres/MySQL port.
  • Stable across scaling — new app servers join the app group and inherit access; no IP allow-lists to maintain.

How it works

Put the database on Rabtly

Install the daemon on the database host (or its bastion) so it has a private Rabtly IP, and remove any public exposure.

Group your app servers and database

Create an app group and a database group; place the relevant hosts in each.

Allow app → database on the DB port only

Add a one-way rule from app to database restricted to tcp/5432 (Postgres) or tcp/3306 (MySQL). Nothing else can connect.

Next steps

Control who can access what →Access control hands-on demo →
Team CollaborationIoT & Edge Devices