# Network Security

## IP Allowlisting
By default, a new service rejects all inbound connections. You must explicitly allow your IP ranges before any client can connect.
### Add allowed CIDRs

```bash
curl -u admin:password -X PATCH \
  https://api.foundrydb.com/managed-services/{id} \
  -H "Content-Type: application/json" \
  -d '{"allowed_cidrs": ["203.0.113.10/32", "10.0.0.0/8"]}'
```
### View current allowed CIDRs

```bash
curl -u admin:password https://api.foundrydb.com/managed-services/{id} \
  | jq '.allowed_cidrs'
```
### Remove access

To remove all external access (e.g. after maintenance):

```bash
curl -u admin:password -X PATCH \
  https://api.foundrydb.com/managed-services/{id} \
  -H "Content-Type: application/json" \
  -d '{"allowed_cidrs": []}'
```

## CIDR Recommendations
| Scenario | CIDR |
|---|---|
| Single server | 203.0.113.10/32 |
| Office network | 203.0.113.0/24 |
| VPC / private network | 10.0.0.0/8 or tighter subnet |
| CI/CD (static IP) | 203.0.113.100/32 |
Avoid 0.0.0.0/0 unless you are behind a separate firewall or gateway.
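The PATCH call above replaces the whole `allowed_cidrs` list, so a careless update can silently drop an entry or add a range far wider than intended (a `/24` typed against a host address, or `0.0.0.0/0`). The following script is an added example, not FoundryDB tooling: it merges additions and removals into the list fetched with GET, rejects the cases the recommendations warn against, and builds the same PATCH request as the curl command. The endpoint and the `allowed_cidrs` field come from this page; the prefix-length limits, the `SERVICE_ID` placeholder and the `FOUNDRYDB_USER`/`FOUNDRYDB_PASSWORD` environment variables are assumptions chosen for the example.

```python
"""Validate and build a FoundryDB allowed_cidrs update (added example, not
FoundryDB's own tooling). Endpoint and field name are taken from the docs;
the prefix-length policy and credential environment variables are assumed."""
from __future__ import annotations

import base64
import ipaddress
import json
import os
import urllib.request

API_BASE = "https://api.foundrydb.com/managed-services"

# Assumed policy: refuse anything wider than these prefix lengths.
MIN_PREFIX_V4 = 8
MIN_PREFIX_V6 = 32


def validate_cidr(cidr: str, min_prefix_v4: int = MIN_PREFIX_V4,
                  min_prefix_v6: int = MIN_PREFIX_V6):
    """Parse one CIDR and reject the mistakes the recommendations warn about.

    strict=True refuses host bits set (203.0.113.10/24), which would otherwise
    be widened to 203.0.113.0/24 when normalised. 0.0.0.0/0 and ::/0 are
    refused outright, as is anything wider than the configured minimum prefix.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"invalid CIDR {cidr!r}: {exc}") from None
    if net.prefixlen == 0:
        raise ValueError(f"{cidr} admits the whole internet; "
                         "use a firewall or gateway instead")
    min_prefix = min_prefix_v4 if net.version == 4 else min_prefix_v6
    if net.prefixlen < min_prefix:
        raise ValueError(f"{cidr} is wider than /{min_prefix}")
    return net


def build_allowlist(current, add=(), remove=()):
    """Return the new allowed_cidrs list as sorted, deduplicated strings.

    `current` is the list returned by GET .allowed_cidrs. Every entry,
    including existing ones, is validated so a bad value already on the
    service is caught. Entries fully covered by a wider entry of the same
    address family are dropped, since they add nothing.
    """
    nets = {validate_cidr(c) for c in current}
    nets |= {validate_cidr(c) for c in add}
    nets -= {ipaddress.ip_network(c) for c in remove}
    result = []
    for net in sorted(nets, key=lambda n: (n.version, n)):
        covered = any(net != other and net.version == other.version
                      and net.subnet_of(other) for other in nets)
        if not covered:
            result.append(str(net))
    return result


def build_patch_request(service_id: str, cidrs, user: str, password: str):
    """Build the PATCH request the curl example sends; nothing is sent here."""
    body = json.dumps({"allowed_cidrs": list(cidrs)}).encode()
    req = urllib.request.Request(f"{API_BASE}/{service_id}", data=body,
                                 method="PATCH")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


if __name__ == "__main__":
    # Constructed sample: what GET .allowed_cidrs returned, plus the change
    # we want (rotate one CI runner address, add a VPC subnet).
    current = ["203.0.113.10/32", "10.0.0.0/8"]
    new_list = build_allowlist(current,
                               add=["203.0.113.100/32", "10.1.0.0/16"],
                               remove=["203.0.113.10/32"])
    print(new_list)  # 10.1.0.0/16 is dropped: already inside 10.0.0.0/8
    req = build_patch_request("SERVICE_ID", new_list,
                              os.environ.get("FOUNDRYDB_USER", "admin"),
                              os.environ.get("FOUNDRYDB_PASSWORD", "password"))
    # urllib.request.urlopen(req) would apply the change; not executed here.
```

Run it against a real service by replacing `SERVICE_ID` and exporting the credential variables; the script fails before any request is built if an entry has host bits set, is `0.0.0.0/0`, or is wider than the configured minimum.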
## DNS

Every service gets a fully qualified domain name:

```
{service-name}.{region}.foundrydb.com
```

Replicas are addressable individually:

```
{service-name}-replica-1.{region}.foundrydb.com
```
DNS is automatically updated during failover — you do not need to change connection strings when a replica is promoted.
## Ports

Only the database port (or ports) for the selected engine are exposed. No SSH, admin UIs, or management APIs are reachable from the internet.
| Engine | Exposed ports |
|---|---|
| PostgreSQL | 5432, 5433 (PgBouncer) |
| MySQL | 3306, 6033 (ProxySQL) |
| MongoDB | 27017 |
| Valkey | 6379 (non-TLS), 6380 (TLS) |
| Kafka | 9093 |
| OpenSearch | 9200 |
| SQL Server (Babelfish) | 1433, 5432 |
## Network Isolation

Each service runs on a dedicated virtual machine. Services in your account do not share compute or storage with other customers. Network-level isolation is enforced at the hypervisor.