Connect to PostgreSQL
This guide covers everything about reaching your PostgreSQL database in Zerops: connection details, ports and TLS, connection pooling, connecting from other services or from your workstation, and the database tools you can use.
Connection options at a glance
- Internal: between services in the same project, over the private network.
- Remote: from outside Zerops, either through the VPN (your machine joins the private network) or through public IP access (TLS through pgBouncer).
Connection details
Find your connection details in the service detail page under Peek access details (hostname, port, user, password, connection string). The full list of connection-related environment variables lives under Environment variables in the same service detail.
Connection parameters
| Parameter | Internal | Public IP (TLS) | Env Variable |
|---|---|---|---|
| Hostname | Service hostname | Public IP address | hostname |
| Port (primary) | 5432 | 6432 (via pgBouncer) | port / portTls |
| Port (replicas, HA only) | 5433 | N/A | portReplicas |
| User | db (default) | Same as internal | user |
| Password | Generated at creation | Same as internal | password |
| Connection string (primary) | postgresql://${user}:${password}@${hostname}:5432/${dbName} | Same format with TLS port | connectionString / connectionTlsString |
| Connection string (replicas, HA only) | postgresql://${user}:${password}@${hostname}:5433/${dbName} | N/A | connectionStringReplicas |
| Database name | db (default) | Same as internal | dbName |
Zerops creates a system user named zps with full privileges for maintenance. Do not delete it, change its password, or remove its privileges, as doing so disrupts Zerops' ability to maintain the database cluster.
Connection ports and TLS
PostgreSQL on Zerops exposes three ports, each for a different purpose:
| Port | Purpose | TLS |
|---|---|---|
| 5432 | Primary node (read and write) | Not supported (plaintext) |
| 5433 | Read-only replicas, distributing reads (HA mode only) | Not supported (plaintext) |
| 6432 | pgBouncer connection pooler | Required |
- Ports 5432 and 5433 do not support TLS. Connect with sslmode=disable. Inside a project these ports are reachable only on the private network, and over the VPN the tunnel already encrypts the traffic, so requesting TLS on them fails the handshake.
- Port 6432 (pgBouncer) requires TLS. Connect with at least sslmode=require; the connection is always encrypted. pgBouncer presents a certificate signed by the Zerops CA but does not force the client to validate it, so sslmode=require is enough to connect. If you want to verify the server's identity, use sslmode=verify-full together with the Zerops CA. This holds whether you reach 6432 from inside the project or over a public IP.
Connection pooling with pgBouncer
Port 6432 puts pgBouncer in front of PostgreSQL and multiplexes many client connections onto a small pool of server connections. This is valuable for applications that open many short-lived connections (serverless functions, PHP-FPM, or anything with high connection churn), and we recommend connecting through 6432 rather than 5432 for these workloads, including for internal service-to-service connections.
A few things to know:
- Transaction pooling. A server connection is returned to the pool after each transaction, not when the client disconnects. Prepared statements are supported (cached per server connection), but session-scoped features that span transactions (session-level SET, advisory locks held across statements, LISTEN/NOTIFY) won't behave as expected. Use a direct 5432 connection for those.
- TLS is required on 6432 (see above), even for internal connections.
- HA mode. pgBouncer pools connections to the primary (writes). Read routing across replicas on port 5433 is separate and is not pooled.
Connect from services in the same project
All services in a project share a private network, so other services reach PostgreSQL directly by its hostname. There are two ways to wire it up.
Direct connection parameters
Use the parameters from Peek access details:
Environment variables (recommended)
Zerops generates connection environment variables for every PostgreSQL service. To use one service's variables from another, prefix the variable name with the service hostname and an underscore. For example, to read the connectionString of service db, reference db_connectionString.
For read-only connections (HA mode only), use connectionStringReplicas instead.
See the Environment Variables documentation for details and for adding your own variables.
- When changing a password, update both the database user and the environment variable, since they don't synchronize automatically.
- Zerops uses the postgresql:// URI scheme. If your software requires the shorter postgres://, create a custom environment variable with that format.
- Internal connections on 5432/5433 don't use SSL/TLS. Security comes from the private network. For TLS-encrypted connection pooling, connect to pgBouncer on 6432.
Connect remotely
There are two ways to reach PostgreSQL from outside Zerops: the VPN (recommended for development) and public IP access (for external applications).
Connect via Zerops VPN
The VPN puts your workstation on the project's private network, so you connect exactly as an internal service would.
- Install & set up zCLI
- Start the Zerops VPN
- Use the connection details from Peek access details in the service detail
- When finished, stop the Zerops VPN
- Connect to 5432/5433 without SSL/TLS over the VPN, since the tunnel already encrypts the traffic.
- Environment variables are not available over the VPN; copy the access details from the GUI.
- If a connection doesn't work, try the .zerops suffix on the hostname (e.g. db.zerops). See the VPN troubleshooting page.
Connect via public IP
Public access always goes through pgBouncer on port 6432 over TLS (see Connection ports and TLS), which also pools your connections. The read-only replica port (5433) is not exposed publicly. Route reads through your application logic instead.
The certificate on 6432 is signed by the Zerops Certificate Authority. To verify it from outside Zerops, download and trust the Zerops CA, for example psql "... sslmode=verify-full sslrootcert=./zerops-ca.pem".
To enable public access:
- Open your PostgreSQL service in the GUI and go to Public Access through IP Addresses
- Choose IPv6 (available by default) or IPv4 (requires the unique IPv4 add-on)
- Open one or more ports pointing to your service (routed through pgBouncer):
  - Any port from 10–65435 (except 80 and 443)
  - Each public port can map to any internal port; multiple public ports can share one internal port
  - IPv4 and IPv6 can be configured independently
- Optionally enable firewall protection
- Click Publish X IP access change(s) to apply
Database management tools
You can use any PostgreSQL-compatible tool to administer your database. For a zero-setup option, Zerops provides a ready-to-use recipe for Adminer, a lightweight, full-featured web-based tool that supports PostgreSQL.
Install Adminer
In the GUI, open your project, select Import services, and paste:
Then start the VPN and open http://adminer in your browser (try http://adminer.zerops if it doesn't resolve).
Do not use https when reaching management tools over the VPN.
Desktop tools and psql
Popular desktop clients (pgAdmin, DBeaver, DataGrip, or any PostgreSQL-compatible tool) work with Zerops over the VPN:
- Start the Zerops VPN to open an encrypted tunnel to your project
- Copy the connection details from the GUI (environment variables aren't available over the VPN)
- Connect without SSL/TLS on 5432/5433, since the tunnel already encrypts the connection
For the psql command-line client:
psql has no password flag, so it prompts you. To pass the password non-interactively, use PGPASSWORD:
Try [hostname].zerops instead of [hostname] if you hit connection issues over the VPN.
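One way to apply the port rules from Connection ports and TLS when building a psql connection string, shown as an added example that is not Zerops code. The function names zerops_pg_conninfo and pg_quote are hypothetical, and the script assumes a public port is never numbered 5432 or 5433.

```shell
#!/bin/sh
# Added example, not Zerops code. Function names are hypothetical.

# Quote a value for a libpq conninfo string: wrap it in single quotes and
# backslash-escape embedded backslashes and single quotes.
pg_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")"
}

# zerops_pg_conninfo HOST PORT USER DBNAME [CA_FILE]
# Prints a conninfo string whose sslmode follows the port rules on this page.
zerops_pg_conninfo() {
    zp_host=$1 zp_port=$2 zp_user=$3 zp_db=$4 zp_ca=${5:-}
    case $zp_port in
        ''|*[!0-9]*)
            echo "port must be numeric: $zp_port" >&2; return 1 ;;
        5432|5433)
            # Primary and replica ports are plaintext only. Fail closed if the
            # caller expected certificate verification on one of them.
            if [ -n "$zp_ca" ]; then
                echo "port $zp_port has no TLS; use pgBouncer on 6432" >&2
                return 1
            fi
            zp_tls="sslmode=disable" ;;
        *)
            # 6432, or (assumption) a public port routed through pgBouncer:
            # TLS is required. Verify the server when a CA file is supplied.
            if [ -z "$zp_ca" ]; then
                zp_tls="sslmode=require"
            elif [ -r "$zp_ca" ]; then
                zp_tls="sslmode=verify-full sslrootcert=$(pg_quote "$zp_ca")"
            else
                echo "CA file not readable: $zp_ca" >&2; return 1
            fi ;;
    esac
    printf 'host=%s port=%s user=%s dbname=%s %s\n' "$(pg_quote "$zp_host")" \
        "$zp_port" "$(pg_quote "$zp_user")" "$(pg_quote "$zp_db")" "$zp_tls"
}

# Usage, with the password in PGPASSWORD as described above:
#   PGPASSWORD='...' psql "$(zerops_pg_conninfo db 6432 db db ./zerops-ca.pem)"
```

Passing a CA file together with port 5432 or 5433 is rejected rather than silently downgraded to plaintext, so a caller that expects server verification cannot end up on an unverified connection.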
To move data in and out with these tools, see Export & import data.