Skip to main content
Most production databases block inbound traffic by default. For the Postgres-to-Postgres live release, MantrixFlow connects to databases from one static outbound IP address. Add that IP to your provider firewall or allowlist so only MantrixFlow can reach PostgreSQL port 5432.

Supported now

The supported private access path for this release is: 
MantrixFlow ELT static IP -> provider firewall / allowlist -> PostgreSQL public endpoint
This works when the database has a public PostgreSQL endpoint and the provider lets you restrict access to specific IP addresses or CIDR ranges.

Not supported yet

These private-network patterns are planned for later releases:
  • SSH tunnel through a bastion host
  • self-hosted ELT agent inside your VPC
  • VPN-only or private-link-only access
  • databases with no public PostgreSQL endpoint
If your database is private-only, keep using a test/public reporting replica for the first launch and contact MantrixFlow before moving the production private database.

Copy the MantrixFlow IP

In the PostgreSQL connection form, open Private database access and copy the CIDR shown in the panel: 
<mantrixflow-static-ip>/32
Use /32 so the rule allows exactly one IPv4 address. Restrict the rule to PostgreSQL port 5432; do not allow all ports or 0.0.0.0/0.

Provider quick setup

ProviderWhere to add MantrixFlow’s IP
AWS RDS / Aurora PostgreSQLVPC security group attached to the DB instance: inbound PostgreSQL 5432 from MantrixFlow’s /32. See AWS RDS security groups.
GCP Cloud SQL for PostgreSQLCloud SQL instance Connections page: add MantrixFlow’s /32 to Authorized networks. See Google authorized networks.
Azure Database for PostgreSQLServer Networking page: add a firewall rule with start IP and end IP equal to MantrixFlow’s IP. See Azure firewall rules.
SupabaseDatabase Settings -> Network Restrictions: add MantrixFlow’s /32 if restrictions are enabled. See Supabase Network Restrictions.
NeonProject Settings -> IP Allow, or neon ip-allow add, when IP Allow is enabled for the project. See Neon IP Allow.
Aiven for PostgreSQLService settings -> IP address allowlist / IP filter. See Aiven access restrictions.
DigitalOcean Managed PostgreSQLDatabase cluster -> Network Access -> Trusted sources. See DigitalOcean trusted sources.
Render PostgresDatabase Info -> Networking: restrict external access to MantrixFlow’s IP if you enable restrictions. See Render Postgres networking.

Validation

After adding the rule:
  1. Wait a few minutes for the provider firewall change to apply.
  2. Return to MantrixFlow and click Test Connection.
  3. If the test times out, re-check the provider public endpoint and allowlist.
  4. If the test authenticates but fails with permissions, update the database user grants.

Security checklist

  • Use a dedicated database user for MantrixFlow.
  • Use /32, not a broad subnet.
  • Restrict to port 5432.
  • Keep SSL enabled for managed PostgreSQL providers.
  • Name the provider firewall rule clearly, such as MantrixFlow ELT.
  • Remove the rule if you stop using the connection.