Vercel Sandbox now supports outbound connections to hosted Postgres databases, including Neon, Supabase, AWS RDS, Nile, and Prisma Postgres. To enable access, add the database host to your Sandbox's allowed domains. No code or database configuration changes are required.
The fix addresses a specific protocol mismatch. Vercel's firewall uses SNI-based filtering, which reads the domain during a TLS handshake. Postgres breaks that assumption: it opens a plain TCP connection first, then upgrades to TLS. The firewall previously failed at that gap. The updated firewall now detects the Postgres startup sequence, waits for the TLS upgrade, and applies the domain policy before forwarding the connection. Three constraints apply: TLS is required at sslmode=require or higher, GSSAPI encryption is not supported so gssencmode=require will fail, and sslmode=prefer will not silently downgrade to plain-text if TLS is unavailable.
The original changelog is worth reading for the protocol-level explanation of why standard domain-restricted sandboxes fail with Postgres, and for the concrete walkthrough: create a sandbox, install a Postgres client, lock the network to a single database host, and run a query. The firewall mechanics behind the fix are documented in full at the Sandbox firewall concepts page.
[READ ORIGINAL →]