All posts
ConceptsOctober 16, 20251 min read

Secure Pgcli Access to Databases in a VPC Private Subnet via Proxy

The database sat locked away inside a VPC private subnet, unreachable from the outside world. You needed to query it fast, but a direct connection was impossible. The solution: deploy Pgcli with a secure proxy inside the private subnet and bridge access through a controlled entry point. Pgcli is a powerful Postgres command-line client with auto-completion and syntax highlighting. Running it inside a VPC private subnet makes it possible to interact with protected databases without breaking netwo

Free White Paper

Database Access Proxy + Just-in-Time Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The database sat locked away inside a VPC private subnet, unreachable from the outside world. You needed to query it fast, but a direct connection was impossible. The solution: deploy Pgcli with a secure proxy inside the private subnet and bridge access through a controlled entry point.

Pgcli is a powerful Postgres command-line client with auto-completion and syntax highlighting. Running it inside a VPC private subnet makes it possible to interact with protected databases without breaking network boundaries. The challenge is creating a proxy that lets you connect from a public workstation while keeping all database traffic inside the VPC’s secure environment.

First, provision a small instance inside the subnet where the database lives. Install Pgcli there. This instance will act as your proxy host. Ensure it has an IAM role or credential method that allows connection to the database. From your local machine, you connect through an SSH tunnel or a managed proxy service that routes traffic into the instance.

For AWS, configure the subnet routing to restrict outbound traffic and allow inbound proxy connections only from trusted IPs. Use Security Groups to lock down the instance’s ports, exposing 22 for SSH or the port used by your proxy. The database’s own Security Group should whitelist only the proxy host’s private IP.

Continue reading? Get the full guide.

Database Access Proxy + Just-in-Time Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Run Pgcli locally with the tunnel endpoint mapped to the database’s port. Authentication happens over the proxy connection, ensuring no credentials are exposed on the public internet. Using this pattern, you gain full Pgcli access—tab completion, query history, and formatting—while staying inside the operational boundaries of your VPC.

Containerized deployments make this even cleaner. Use a lightweight container with Pgcli and a proxy binary, run it inside ECS or Fargate in your private subnet, and connect via AWS Systems Manager Session Manager. This removes the need to open SSH and gives tight audit logging.

For performance, keep the proxy instance in the same AZ as the database to reduce latency. Avoid NAT gateways for this path; keep traffic internal. Monitor the connection logs and assign resource limits so the proxy host can handle your query load without becoming a bottleneck.

A Pgcli VPC private subnet proxy deployment gives you speed and safety. It aligns with strict compliance rules, stops data leaks, and makes remote querying possible without exposing your database.

Spin it up now on hoop.dev and see a fully working deployment live in minutes.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts