How to Access Databases in Kubernetes Using Ingress for Secure and Reliable Connections

The pod kept failing, and no one knew why. Logs showed nothing. Metrics were green. But the database connection was dead. We were inside Kubernetes. The culprit was the Ingress.

Kubernetes Ingress is famous for routing HTTP and HTTPS traffic into your cluster. But database access? That’s where it gets tricky. Direct database connections often run on TCP, not HTTP, and most default Ingress controllers don’t speak TCP out of the box. This is where many teams get stalled: they assume that connecting to a database from outside Kubernetes will work the same way as a web app route. It doesn’t.

When your application code runs inside the cluster, Kubernetes Service objects make it easy to reach the database. But external clients — analysts, BI tools, migration scripts — often need to connect from outside the cluster’s network boundary. Simply opening firewall rules to a database pod is risky and brittle. You need a secure, reliable, and performant way to expose that database endpoint without breaking your cluster’s security posture.

Here’s how to do it. First, choose an Ingress controller that supports raw TCP and TLS streams. NGINX and HAProxy can do this, but only with extra configuration. Newer controllers like Traefik or cloud-native load balancers offer more flexibility through custom resources. You define a TCP route, point it at a Kubernetes Service tied to your database, and terminate TLS if needed. With that, external traffic flows through your Ingress layer just like HTTP, only now it’s carrying database protocol packets.

Security is non‑negotiable. Always use TLS encryption end‑to‑end. Limit source IP ranges so only trusted origins can connect. Avoid exposing the database’s default port. Rotate credentials regularly. And monitor — not just for downtime, but for unusual connection patterns.
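One way to express the TCP route together with the source-range and non-default-port advice above, as an added example that is not from the original post or from any product it mentions. It assumes the ingress-nginx controller running in namespace `ingress-nginx` with `--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services`, and a hypothetical PostgreSQL Service `postgres` in namespace `databases`; the Service name `ingress-nginx-db`, the port 15432 and the CIDR are constructed placeholders.

```yaml
# TCP route: ingress-nginx reads this ConfigMap and opens a stream listener
# per key. Format: "<listen port>": "<namespace>/<service>:<service port>"
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  # Listen on 15432 rather than the PostgreSQL default 5432.
  # The stream is forwarded as-is: the controller does not terminate TLS
  # here, so TLS must be enforced by the database server itself.
  "15432": "databases/postgres:5432"
---
# Dedicated LoadBalancer Service for the database port only, so the source
# allow list below does not also restrict the controller's HTTP/HTTPS ports.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-db          # hypothetical name
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  # Only these client ranges may connect. Enforcement depends on the cloud
  # provider's load balancer supporting this field.
  loadBalancerSourceRanges:
    - 203.0.113.0/24              # placeholder (documentation range)
  # Assumed labels: must match the labels on your controller pods.
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: postgres
      protocol: TCP
      port: 15432
      targetPort: 15432
```

After applying, confirm from an address outside the allowed range that the port is unreachable, and from inside it that the client negotiates TLS with the database (for example `sslmode=verify-full` on a PostgreSQL client).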

Performance tuning matters just as much. Database protocols are often chatty. Latency spikes can cripple them. Keep your Ingress controller’s TCP buffers tuned. Watch for connection limits. Some controllers throttle concurrent TCP streams by default, and that can silently bottleneck your throughput.

Once set up, this approach means you can access databases in Kubernetes without running sidecar SSH tunnels or maintaining hacky port‑forwards. It’s clean, secure, and automatable. You can version‑control the configuration just like the rest of your Kubernetes manifests.

If you want to skip weeks of YAML and config map plumbing, you can see database ingress live in minutes with hoop.dev. It gives you instant, secure access to your Kubernetes‑hosted databases without exposing them to the open internet, so you can focus on building instead of debugging broken tunnels.
