Elephants in tunnels: how Hyperdrive connects to databases inside your VPC networks

With September’s announcement of Hyperdrive’s ability to send database traffic from Workers over Cloudflare Tunnels, Hyperdrive has been designed to make the centralized databases feel like they’re global while keeping connections to those databases hot. This is achieved by using a global network to get faster routes to your database, keep connection pools primed, and cache your most frequently run queries as close to users as possible. To simplify this process, Cloudflare offers an excellent option for private networks: Tunnels. Hyperdrive handles Postgres traffic using an entirely custom implementation of the Postgres message protocol, allowing it to send messages across WebSocket streams without being bound to transport layer choices of some ORM or library. The approach relies on Rust traits and uses a mainstay of Rust - traits - to implement the necessary traits on top of a WebSocket stream, enabling Hyperdrive to use an existing WebSocket library to upgrade its SslStream connection to a Cloudflare Tunnel, which can then be used anywhere that other transport streams would work without any changes needed to the rest of the codebase. The solution is designed to help all those who want to use Hyperdrive without directly exposing resources within their virtual private clouds on the public web. This latest development has been adopted by multiple teams within Cloudflare, who are happily operating it in production today and finding great success building new or refactored products on Hyperdrive over Tunnels.