Postgres connections now work through Sandbox firewall
Vercel Sandbox now supports outbound connections to hosted Postgres databases such as Neon, Supabase, and AWS RDS by adapting its firewall to Postgres's TLS negotiation process. The update allows domain-based filtering without requiring changes to application code or database configurations. Users must ensure TLS is enabled, as domain policies rely on TLS handshake inspection.
- ▪Vercel Sandbox can now connect to hosted Postgres databases including Neon, Supabase, AWS RDS, Nile, and Prisma Postgres.
- ▪The Sandbox firewall detects Postgres's TLS upgrade sequence and applies domain policies after the TLS handshake.
- ▪Connections require sslmode=require or higher, and GSSAPI encryption with gssencmode=require is not supported.
- ▪If a client uses sslmode=prefer and the database doesn't support TLS, the connection will fail to prevent silent downgrades to plain text.
Opening excerpt (first ~120 words) tap to expand
2 min readCopy URLCopied to clipboard!May 1, 2026Vercel Sandbox can now connect to hosted Postgres databases, including Neon, Supabase, AWS RDS, Nile, and Prisma Postgres. To enable a connection, add the database host to your Sandbox's allowed domains.Link to headingBackgroundWhen SNI based filtering is used with Vercel Sandbox, the sandbox firewall restricts outbound network access by checking the domain name during a connection's TLS handshake. This works seamlessly for HTTPS traffic, where the domain is visible at the start of the connection.Postgres, however, negotiates TLS differently. A Postgres client first opens a plain TCP connection and then upgrades to TLS.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Vercel News.
