Vercel Sandbox Firewall Enables Postgres Connections
Vercel Sandbox now supports outbound Postgres connections to hosted DBs like Neon and Supabase by detecting TLS upgrades during negotiation—no code changes required, just add DB host to allowed domains.
Adapting Firewall for Postgres TLS Negotiation
Standard SNI-based filtering in Vercel Sandbox blocks Postgres because clients open a plain TCP connection first and only then upgrade to TLS, so the domain name is not visible at connection time. The updated firewall detects the Postgres startup sequence, waits for the TLS handshake to reveal the hostname, then applies the domain policy to forward the connection securely. This enables connections to managed providers like Neon, Supabase, AWS RDS, Nile, and Prisma Postgres without altering code or DB configs.
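The two-step inspection described above, as an added example that models the behaviour rather than reproducing Vercel's firewall code: step 1 recognises the PostgreSQL SSLRequest packet a libpq client sends on a fresh TCP connection, step 2 parses the TLS ClientHello that follows and extracts the SNI hostname, and the hostname is then matched against an allowDomains list. Packet layouts follow the public PostgreSQL wire protocol and TLS ClientHello formats; the function names, the allow-list and the sample hostname are constructed for the example.

```typescript
// Added example (not Vercel's firewall code): a model of the two-step inspection
// the article describes. Packet layouts follow the PostgreSQL protocol and the
// TLS ClientHello format; allow-list and hostnames below are constructed.

const SSL_REQUEST_CODE = 80877103;    // (1234 << 16) | 5679, per the PostgreSQL protocol docs
const GSSENC_REQUEST_CODE = 80877104; // (1234 << 16) | 5680

const readU16 = (b: Uint8Array, o: number): number => (b[o] << 8) | b[o + 1];
const readU32 = (b: Uint8Array, o: number): number =>
  ((b[o] << 24) | (b[o + 1] << 16) | (b[o + 2] << 8) | b[o + 3]) >>> 0;

export type StartupKind = 'ssl-request' | 'gssenc-request' | 'other';

/** Step 1: classify the first 8 bytes the client sends (int32 length = 8, int32 request code). */
export function classifyStartup(first: Uint8Array): StartupKind {
  if (first.length < 8 || readU32(first, 0) !== 8) return 'other';
  const code = readU32(first, 4);
  if (code === SSL_REQUEST_CODE) return 'ssl-request';
  if (code === GSSENC_REQUEST_CODE) return 'gssenc-request';
  return 'other';
}

/** Step 2: return the server_name from a TLS ClientHello record, or null if none is present. */
export function extractSni(rec: Uint8Array): string | null {
  // Record header: 0x16 handshake, version(2), length(2); handshake header: 0x01 ClientHello, length(3).
  if (rec.length < 9 || rec[0] !== 0x16 || rec[5] !== 0x01) return null;
  let p = 9;
  p += 2 + 32;                       // client_version + random
  if (p >= rec.length) return null;
  p += 1 + rec[p];                   // session_id
  if (p + 2 > rec.length) return null;
  p += 2 + readU16(rec, p);          // cipher_suites
  if (p >= rec.length) return null;
  p += 1 + rec[p];                   // compression_methods
  if (p + 2 > rec.length) return null;
  const extEnd = Math.min(p + 2 + readU16(rec, p), rec.length);
  p += 2;
  while (p + 4 <= extEnd) {
    const type = readU16(rec, p), len = readU16(rec, p + 2);
    p += 4;
    if (type !== 0) { p += len; continue; }
    // server_name: list_length(2), then entries of name_type(1) + name_length(2) + name bytes.
    let q = p + 2;
    while (q + 3 <= Math.min(p + len, rec.length)) {
      const nameLen = readU16(rec, q + 1);
      if (rec[q] === 0 && q + 3 + nameLen <= rec.length)
        return Array.from(rec.subarray(q + 3, q + 3 + nameLen), c => String.fromCharCode(c)).join('');
      q += 3 + nameLen;
    }
    return null;
  }
  return null;
}

export interface Decision { forward: boolean; reason: string }

/** Apply the domain policy once the hostname is visible. A GSSENCRequest is declined so that a
 *  gssencmode=prefer client retries with SSLRequest; gssencmode=require has no fallback and fails. */
export function decide(startup: Uint8Array, hello: Uint8Array | null, allowDomains: string[]): Decision {
  const kind = classifyStartup(startup);
  if (kind === 'gssenc-request') return { forward: false, reason: 'GSSENCRequest declined; waiting for client to retry with SSLRequest' };
  if (kind !== 'ssl-request') return { forward: false, reason: 'no TLS upgrade requested; destination hostname unknown' };
  if (hello === null) return { forward: false, reason: 'client did not send a ClientHello after SSLRequest' };
  const host = extractSni(hello);
  if (host === null) return { forward: false, reason: 'ClientHello carries no server_name' };
  const allowed = allowDomains.some(d => d.toLowerCase() === host.toLowerCase());
  return { forward: allowed, reason: allowed ? `SNI ${host} is allowed` : `SNI ${host} is not in allowDomains` };
}

// Constructed inputs for running the model offline.
const u16 = (n: number) => new Uint8Array([n >>> 8, n & 0xff]);
const concat = (parts: Uint8Array[]): Uint8Array => {
  const out = new Uint8Array(parts.reduce((s, x) => s + x.length, 0));
  let o = 0;
  for (const x of parts) { out.set(x, o); o += x.length; }
  return out;
};

/** The 8-byte SSLRequest exactly as libpq sends it: length 8, code 0x04D2162F. */
export const SSL_REQUEST = new Uint8Array([0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f]);
export const GSSENC_REQUEST = new Uint8Array([0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x30]);

/** Minimal TLS 1.2-style ClientHello whose only extension is server_name (constructed test input). */
export function buildClientHello(hostname: string): Uint8Array {
  const name = Uint8Array.from(hostname, c => c.charCodeAt(0));
  const sni = concat([u16(name.length + 3), new Uint8Array([0]), u16(name.length), name]);
  const ext = concat([u16(0), u16(sni.length), sni]);
  const body = concat([
    new Uint8Array([3, 3]), new Uint8Array(32), new Uint8Array([0]), // version, zero random, empty session_id
    u16(2), new Uint8Array([0x13, 0x01]), new Uint8Array([1, 0]),    // one cipher suite, null compression
    u16(ext.length), ext,
  ]);
  const hs = concat([new Uint8Array([1, (body.length >>> 16) & 0xff, (body.length >>> 8) & 0xff, body.length & 0xff]), body]);
  return concat([new Uint8Array([0x16, 3, 1]), u16(hs.length), hs]);
}
```

Running `decide(SSL_REQUEST, buildClientHello('db-placeholder.example.com'), ['db-placeholder.example.com'])` yields a forward decision, while the same ClientHello against a different allow-list, a plaintext startup packet, or a GSSENCRequest is held back; the reasons make clear which of the article's constraints (TLS required, SNI present, gssencmode fallback) was not met.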
Secure Connection Workflow
Start the Sandbox with open network access to install dependencies (e.g., sudo dnf install -y postgresql15), then lock egress to the DB host via sandbox.updateNetworkPolicy({ allowDomains: [PGHOST] }). Query with psql using the connection string postgres://${PGUSER}:${PGPASSWORD}@${PGHOST}:5432/${PGDATABASE}?sslmode=require:
import { Sandbox } from '@vercel/sandbox';

// Database coordinates come from the environment; PGHOST is the name the firewall will match.
const { PGHOST, PGUSER, PGPASSWORD, PGDATABASE } = process.env;
const connectionString = `postgres://${PGUSER}:${PGPASSWORD}@${PGHOST}:5432/${PGDATABASE}?sslmode=require`;

// The sandbox starts with open network access so the package install can reach its mirrors.
const sandbox = await Sandbox.create();
await sandbox.runCommand({
  cmd: 'sudo',
  args: ['dnf', 'install', '-y', 'postgresql15'],
});

// Restrict egress to the database host only; the firewall matches it via the TLS SNI.
await sandbox.updateNetworkPolicy({
  allowDomains: [PGHOST!],
});

// sslmode=require makes psql upgrade to TLS, exposing PGHOST to the firewall.
const result = await sandbox.runCommand({
  cmd: 'psql',
  args: [connectionString, '-c', 'SELECT now();'],
});
console.log(await result.stdout());
This isolates untrusted code while still allowing access to the one database host.
TLS Mandates and Limitations
Use sslmode=require or higher (verify-ca, verify-full) so the hostname is visible in the TLS handshake; databases without TLS need IP-range allowances instead. For GSSAPI, gssencmode=prefer falls back to TLS, but gssencmode=require fails. With sslmode=prefer, the firewall rejects servers that do not support TLS outright rather than permitting a plaintext downgrade. Use IP rules for TLS setups the firewall cannot inspect.
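A pre-flight check that applies these constraints to a connection string before calling updateNetworkPolicy, added here as an example rather than taken from the Vercel SDK. It is derived from the rules stated above; the function name, result type and note wording are assumptions, while the libpq defaults it relies on (sslmode=prefer and gssencmode=prefer when unset) are real.

```typescript
// Added example, not part of the Vercel SDK: decide whether allowDomains: [host] is the
// right policy for a given Postgres connection string, and explain why not when it isn't.

export interface Preflight {
  ok: boolean;           // true when allowDomains: [host] will work under SNI filtering
  host: string | null;   // the hostname to put in allowDomains
  notes: string[];       // reasons and caveats for the caller's logs
}

const TLS_MODES = new Set(['require', 'verify-ca', 'verify-full']);
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

export function preflight(connectionString: string): Preflight {
  const notes: string[] = [];
  let url: URL;
  try {
    url = new URL(connectionString);
  } catch {
    return { ok: false, host: null, notes: ['connection string is not a valid URL'] };
  }
  if (url.protocol !== 'postgres:' && url.protocol !== 'postgresql:') {
    notes.push(`unexpected scheme ${url.protocol}`);
  }
  const host = url.hostname;
  if (host === '') return { ok: false, host: null, notes: ['no host in connection string'] };
  let ok = true;

  // A literal IP gives the firewall no DNS name to match; an IP-range rule is needed instead.
  if (IPV4.test(host) || host.startsWith('[')) {
    notes.push('host is an IP literal; use an IP-range rule, not allowDomains');
    ok = false;
  }

  // sslmode: only a TLS upgrade reveals the hostname (via SNI). libpq defaults to prefer.
  const sslmode = url.searchParams.get('sslmode') ?? 'prefer';
  if (TLS_MODES.has(sslmode)) {
    // require / verify-ca / verify-full: client always starts with SSLRequest
  } else if (sslmode === 'prefer') {
    notes.push('sslmode=prefer: a server that refuses TLS is rejected by the firewall, not downgraded to plaintext');
  } else {
    notes.push(`sslmode=${sslmode}: client does not start with a TLS upgrade, hostname never visible; use sslmode=require or an IP-range rule`);
    ok = false;
  }

  // gssencmode: prefer falls back to TLS when GSSAPI is declined; require never reaches the TLS handshake.
  const gssenc = url.searchParams.get('gssencmode') ?? 'prefer';
  if (gssenc === 'require') {
    notes.push('gssencmode=require cannot fall back to TLS and will fail');
    ok = false;
  } else if (gssenc === 'prefer') {
    notes.push('gssencmode=prefer: GSSAPI declined, client falls back to TLS');
  }

  return { ok, host, notes };
}
```

Call `preflight(connectionString)` before `sandbox.updateNetworkPolicy`; when `ok` is true, pass `[result.host]` as `allowDomains`, otherwise surface `notes` so the operator knows whether to fix `sslmode`, drop `gssencmode=require`, or switch to an IP rule.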