All posts
September 10, 20251 min read

Secure Pgcli Access to Private Subnet Databases via VPC Proxy

When databases live inside a private subnet, direct connections aren’t an option. Traffic must move through a secure path without exposing the database to the public internet. Setting up Pgcli in this environment requires a precise workflow: configure the VPC, provision a bastion or proxy, secure credentials, and tunnel the connection. Configuring the VPC starts with ensuring your database instance has no public IP. Place it in a private subnet with the correct route tables. This reduces the at

Free White Paper

Database Access Proxy + VNC Secure Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

When databases live inside a private subnet, direct connections aren’t an option. Traffic must move through a secure path without exposing the database to the public internet. Setting up Pgcli in this environment requires a precise workflow: configure the VPC, provision a bastion or proxy, secure credentials, and tunnel the connection.

Configuring the VPC starts with ensuring your database instance has no public IP. Place it in a private subnet with the correct route tables. This reduces the attack surface and keeps compliance checks simple.

Deploying the proxy is next. Use a lightweight, isolated VM or managed service in a public subnet that can talk to your database. Lock it down with security groups that only allow specific inbound IPs and the necessary outbound PostgreSQL port. The proxy becomes the single controlled entry point.

Building the secure SSH tunnel is the final step before Pgcli comes into play. Forward local ports from your development machine to the database host through the proxy. Keep authentication tight with SSH keys, and avoid password prompts in workflows by using agents.

Continue reading? Get the full guide.

Database Access Proxy + VNC Secure Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Once the proxy and tunnel are live, Pgcli connects as if you were inside the network. It delivers autocomplete, syntax highlighting, and a faster query workflow—without breaking your security model.

This approach also shines for staging and production environments. You get fast, secure, repeatable access without changing infrastructure each time. Combine strict IAM access with logging on the proxy, and you have a fully auditable path into private databases.

Done right, Pgcli VPC private subnet proxy deployment means no more waiting on VPNs, no more risky firewall changes, and no more unstable connections. It works every time, and it scales with your team.

If you want to see this workflow in action without building it from scratch, try it on hoop.dev. You can have a secure Pgcli connection to a VPC private subnet via proxy running in minutes, live and ready to use.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts