Dear DigitalOcean Support Team,
I am planning to set up two separate droplets on DigitalOcean and need guidance on connecting them securely:
I want the Django app to connect to the PostgreSQL database on the other droplet. Could you please provide guidance or best practices on:
I would appreciate any sample configurations or documentation links that can help me set this up efficiently.
Thank you for your support.
Hi there,
The cleanest way to do this on DigitalOcean is to treat both Droplets as part of the same VPC and keep PostgreSQL off the public internet:
When you create the Droplets, make sure they are in the same region and the same VPC. Use the database droplet’s private IP in your Django DATABASES settings, not the public one. This keeps traffic internal and free.
On the PostgreSQL droplet, update postgresql.conf so listen_addresses includes the private IP (or * if you know you will firewall it properly), and add a rule in pg_hba.conf that allows connections from the app droplet’s private IP or VPC range. Then restart PostgreSQL:
https://www.digitalocean.com/community/questions/remote-access-to-postgresql-with-pgadmin
For security, lock things down in two places:
Use a DigitalOcean Cloud Firewall to only allow port 5432 from the Django droplet’s private IP (and SSH from your own IP). Private networking is not a firewall; you still need rules on top: https://docs.digitalocean.com/products/networking/firewalls/
Also configure UFW or iptables on the database droplet itself so only the app droplet can reach 5432: https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
If you do not want to maintain PostgreSQL yourself, the easier and safer option is to use a DigitalOcean Managed PostgreSQL database instead of a database Droplet:
https://docs.digitalocean.com/products/databases/postgresql/
You then just add your app Droplet as a trusted source and connect over the VPC private hostname, which handles SSL and hardening for you.
So basically: same VPC, private IP in Django, tighten pg_hba.conf and firewall rules, and consider Managed PostgreSQL if you want less admin work.
Heya, @63d96fdffdb14f1e98359b4c72c847
You can put both droplets (Django app and PostgreSQL) in the same VPC and region. Then use the PostgreSQL droplet’s private VPC IP as HOST in your Django DATABASES settings. On the PostgreSQL server, allow connections only on that private IP and open port 5432 only to the app droplet (via Cloud Firewall and/or UFW).
That way, all DB traffic stays on the private VPC network (never touches the public internet), and only your Django droplet can reach the database.
Regards
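Both answers come down to restricting pg_hba.conf to the app droplet's private IP or the VPC range. The following is an added example, not part of either answer and not DigitalOcean's code: a small Python check that reads pg_hba.conf text and reports host rules that reach beyond the VPC range. The IP addresses, VPC range, database and user names are constructed sample values, and the flagging of the trust and password auth methods goes slightly beyond what the thread discusses.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread)
VPC_NET = ipaddress.ip_network("10.116.0.0/20")   # VPC range of both Droplets

WEAK_HBA = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    all       all       0.0.0.0/0        md5
host    appdb     appuser   10.116.0.0/20    trust
"""

HARDENED_HBA = """\
local   all       postgres                   peer
host    appdb     appuser   10.116.0.2/32    scram-sha-256
"""

def parse_rule(fields):
    """Return (network, method) for a host* rule; network is None if not an IP range."""
    addr = fields[3]
    try:
        if addr == "all":
            return ipaddress.ip_network("0.0.0.0/0"), fields[4]
        if "/" in addr:
            return ipaddress.ip_network(addr, strict=False), fields[4]
        # "address netmask" form uses two columns
        return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False), fields[5]
    except (ValueError, IndexError):
        return None, None  # hostname, samehost, samenet: review by hand

def audit_pg_hba(text, vpc_net=VPC_NET):
    """Return (line number, message) for each rule looser than the thread's advice."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blanks, and local (unix socket) rules
        net, method = parse_rule(fields)
        if net is None:
            findings.append((lineno, "address is not an IP range, review manually"))
            continue
        if net.version != vpc_net.version or not net.subnet_of(vpc_net):
            findings.append((lineno, f"{net} reaches beyond the VPC range {vpc_net}"))
        if method in ("trust", "password"):
            findings.append((lineno, f"weak auth method '{method}'"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        print(name, audit_pg_hba(conf) or "no findings")
```

Run it against the real file by passing the contents of pg_hba.conf to audit_pg_hba() with VPC_NET set to your own VPC range.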