--- title: "Postgres connections now work through Sandbox firewall" source_name: "Vercel News" original_url: "https://vercel.com/changelog/vercel-sandbox-firewall-now-supports-postgres-connections" canonical_url: "https://www.traeai.com/articles/1ea45a8b-6dfd-433e-85c0-6fc8b108cd99" content_type: "article" language: "中文" score: 8.7 tags: ["Vercel","PostgreSQL","Sandbox","Firewall","TLS"] published_at: "2026-05-01T02:00:00+00:00" created_at: "2026-05-01T23:11:04.534272+00:00" --- # Postgres connections now work through Sandbox firewall Canonical URL: https://www.traeai.com/articles/1ea45a8b-6dfd-433e-85c0-6fc8b108cd99 Original source: https://vercel.com/changelog/vercel-sandbox-firewall-now-supports-postgres-connections ## Summary Vercel Sandbox 火墙现已支持 Postgres 数据库连接,通过识别其 TLS 升级流程实现域名策略动态应用,无需修改代码或数据库配置。 ## Key Takeaways - Sandbox 火墙原不支持 Postgres 因其 TLS 协商发生在 TCP 连接建立后,域名不可见 - 新机制在检测到 Postgres 协议启动序列后延迟应用域名策略,待 TLS 升级完成再校验 - 支持 Neon、Supabase、AWS RDS 等主流托管 Postgres 服务,只需将数据库 host 加入允许域名列表 ## Content Title: Postgres connections now work through Sandbox firewall - Vercel – Vercel URL Source: http://vercel.com/changelog/vercel-sandbox-firewall-now-supports-postgres-connections Markdown Content: 2 min read May 1, 2026 [Vercel Sandbox](https://vercel.com/docs/vercel-sandbox) can now connect to hosted Postgres databases, including [Neon](https://www.vercel.com/marketplace/neon), [Supabase](https://www.vercel.com/marketplace/supabase), [AWS RDS](https://www.vercel.com/marketplace/aws), [Nile](https://www.vercel.com/marketplace/nile), and [Prisma Postgres](https://www.vercel.com/marketplace/nile). To enable a connection, add the database host to your Sandbox's allowed domains. ## [Link to heading](http://vercel.com/changelog/vercel-sandbox-firewall-now-supports-postgres-connections#background)Background When [SNI based filtering](https://vercel.com/docs/vercel-sandbox/concepts/firewall) is used with Vercel Sandbox, the sandbox firewall restricts outbound network access by checking the domain name during a connection's TLS handshake. This works seamlessly for HTTPS traffic, where the domain is visible at the start of the connection. Postgres, however, negotiates TLS differently. A Postgres client first opens a plain TCP connection and _then_ upgrades to TLS. Because the domain isn't available when the firewall first needs it, Postgres connections through a standard domain-restricted Sandbox would fail. ## [Link to heading](http://vercel.com/changelog/vercel-sandbox-firewall-now-supports-postgres-connections#what-changed)What changed The Sandbox firewall now adjusts for the Postgres TLS negotiation flow. It detects the protocol's startup sequence, waits for the TLS upgrade, and then applies your domain policy before forwarding the connection to the database. No changes are needed to your code or database configuration. ## [Link to heading](http://vercel.com/changelog/vercel-sandbox-firewall-now-supports-postgres-connections#connecting-to-hosted-database)Connecting to hosted database Here's a full example: create a Sandbox, install a Postgres client, lock down the network to only the database host, and run a query. `import { Sandbox } from '@vercel/sandbox';const { PGHOST, PGUSER, PGPASSWORD, PGDATABASE } = process.env;const connectionString = `postgres://${PGUSER}:${PGPASSWORD}@${PGHOST}:5432/${PGDATABASE}?sslmode=require`;// Start with unrestricted network access to install dependencies.const sandbox = await Sandbox.create();await sandbox.runCommand({ cmd: 'sudo', args: ['dnf', 'install', '-y', 'postgresql15'],});// Lock the sandbox down to only the database host before running untrusted code.await sandbox.updateNetworkPolicy({ allowDomains: [PGHOST!],});const result = await sandbox.runCommand({ cmd: 'psql', args: [connectionString, '-c', 'SELECT now();'],});console.log(await result.stdout());` ## [Link to heading](http://vercel.com/changelog/vercel-sandbox-firewall-now-supports-postgres-connections#important-to-know)Important to know * **TLS is required:**Domain-based rules rely on the hostname being visible during the TLS handshake, so clients must connect with `sslmode=require` or higher. If your database doesn't support TLS, you can allow it by [IP range](https://www.vercel.com/docs/vercel-sandbox/concepts/firewall#user-defined) instead. Most managed Postgres providers require TLS by default. * **GSSAPI encryption is not supported:**Clients using `gssencmode=prefer` will fall back to TLS automatically; `gssencmode=require`will not connect. * **No silent downgrades:**If a client uses `sslmode=prefer` and the database doesn't support TLS, the connection will fail rather than silently falling back to plain-text. Learn more about the [Sandbox firewall](https://vercel.com/docs/vercel-sandbox/concepts/firewall).