Internal Routing for Private Space Apps

Today we’re announcing a powerful new network control for apps running in Heroku Private Spaces: Internal Routing. Apps with Internal Routing work exactly the same as other Heroku apps, except the web process type is published to an endpoint that’s routable only within the Private Space and on VPC and VPN peered networks (see the Private Space VPN support companion post). Apps with Internal Routing are impossible to access directly from the public internet, improving security and simplifying management and compliance checks for web sites, APIs and services that must not be publicly accessible.


Internal Routing unlocks several exciting new use cases:

  • Intranet-like apps that are only accessible to users from a VPN connected on-prem network (see the VPN blog post to learn how Heroku customer Cabinet Secretariat is planning to do that)
  • Apps (such as APIs or microservices components) deployed on Heroku and consumed securely and solely by other Heroku apps in the same space
  • Multi-cloud apps consisting of Heroku microservices consumed from software running in a peered customer AWS VPC

Creating Internal Routing apps is easy, and come with all the benefits of standard Heroku apps:

  • Simple build, test and deployment
  • Easy management and collaboration
  • Quick scaling as load increases

Heroku already has a couple of other features that facilitate intra-space networking and limiting app access:

  • Private Space DNS Service Discovery: Direct network connections between dynos and process types (but no logging stack and thus no request logging or SSL termination)
  • Trusted IP ranges: Limit external access to all apps in a space to a set of CIDR ranges (but no per-app granularity and can be hard to manage as IPs come in and out of use)

Internal Routing is a great complement to those features, especially for customers that are using VPNs or peered VPCs with Heroku Private Spaces.

Using Internal Routing

Creating an internally routed app is as simple as creating a normal one:

$ heroku apps:create --internal-routing --space test-space
Creating app... done, ⬢ frozen-oasis-70544 |

Once you’ve deployed code to an internal app, if you try connecting to <appname> over the public internet, you won’t be able to open a connection. You can, however, get a shell in a dyno and use curl to test:

$ heroku run bash -a frozen-oasis-70544
$ curl -I
HTTP/1.1 200 OK

Accessing the endpoint from a peered AWS VPC or a VPN-connected network will also work. Because accessing apps with internal routing is a little unwieldy, we recommend developing and testing code with normal non-internal Heroku apps, only without sensitive data and using standard access controls such as username/password and Trusted IP ranges.

Note that converting an existing Heroku app to an internal one is not currently supported. If you have an existing app that you want to make internal, you’ll have to create a new internal app and re-deploy to that.

HTTP requests for internal web apps transit the exact same routing stack as requests for standard apps which means you get all the benefits of request logging, application metrics and a consistent management and operations experience. Custom domains and SSL also work exactly the same as on standard apps, except that any custom domain you add will ultimately resolve to private IP addresses that are only routable within the private space and on peered or connected networks.


Internal Routing is great for Heroku customers that want to publish HTTP apps, APIs and services for internal-only consumption from within a Private Space (and connected networks). It’s another feature that makes Heroku “Better Together” with existing enterprise systems deployed on-prem or on AWS. Internal Routing lets customers use Heroku’s high-productivity development, deployment and collaboration features for very sensitive apps and workloads that require strict network-level access restrictions. To learn more about Internal Routing, see the Dev Center article here, or contact Heroku.

Browse the archives for news or all blogs Subscribe to the RSS feed for news or all blogs.