diff --git a/src/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png b/src/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png new file mode 100644 index 00000000000000..db4f833a25dcc8 Binary files /dev/null and b/src/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png differ diff --git a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx index fc34cd4eec2e6a..94946892870a71 100644 --- a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx +++ b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx @@ -18,6 +18,12 @@ When your database is isolated within a private network (such as a [virtual priv - [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) is used to establish the secure tunnel connection. - [Cloudflare Access](/cloudflare-one/policies/access/) is used to restrict access to your tunnel such that only specific Hyperdrive configurations can access it. +A request from the Cloudflare Worker to the origin database goes through Hyperdrive, Cloudflare Access, and the Cloudflare Tunnel established by `cloudflared`. `cloudflared` must be running in the private network in which your database is accessible. + +The Cloudflare Tunnel will establish an outbound bidirectional connection from your private network to Cloudflare. Cloudflare Access will secure your Cloudflare Tunnel to be only accessible by your Hyperdrive configuration. + +![A request from the Cloudflare Worker to the origin database goes through Hyperdrive, Cloudflare Access and the Cloudflare Tunnel established by `cloudflared`.](~/assets/images/hyperdrive/configuration/hyperdrive-private-database-architecture.png) + :::caution[Warning] 
@@ -177,4 +183,5 @@ If you successfully receive the list of `pg_tables` from your database when you ## Troubleshooting If you encounter issues when setting up your Hyperdrive configuration with tunnels to a private database, consider these common solutions, in addition to [general troubleshooting steps](/hyperdrive/observability/troubleshooting/) for Hyperdrive: -* Ensure your database is configured to use TLS (SSL). Hyperdrive requires TLS (SSL) to connect. + +- Ensure your database is configured to use TLS (SSL). Hyperdrive requires TLS (SSL) to connect.
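Review bot: in the first hunk of connect-to-private-database.mdx (at line 18), "outbound bidirectional connection" in the second added paragraph does not say which side initiates the connection, and that is the detail a reader writing firewall rules for the private network needs. Suggest something like "`cloudflared` initiates an outbound connection from your private network to Cloudflare, and traffic flows in both directions over it". Two smaller points in the same hunk: the first added paragraph and the image alt text repeat the same sentence almost verbatim (they differ only in the serial comma), and the alt text wraps `cloudflared` in Markdown backticks, which alt text will not render, so consider describing the diagram's layout there instead. "Cloudflare Access will secure your Cloudflare Tunnel to be only accessible by your Hyperdrive configuration" would also read more cleanly in the present tense, in line with the existing bullet above it ("restrict access to your tunnel such that only specific Hyperdrive configurations can access it").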
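Review bot: in the Troubleshooting hunk (at line 177), the only change is the list marker (`*` to `-`) and an added blank line, so the visible list still covers TLS alone. The overview text added earlier in this patch states that `cloudflared` must be running in the private network in which the database is accessible, and that Cloudflare Access limits the tunnel to your Hyperdrive configuration. Both are likely failure points during setup, so consider adding a bullet for each here: confirm `cloudflared` is running where it can reach the database, and confirm the Access policy permits the Hyperdrive configuration in use.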