Remote DB access

By default, every database on a MZPanel server is closed to the public internet. When you need to connect an external client — a BI tool, a local app, another server — you open access for one specific source IP instead of the whole world. Remote DB access is a Pro feature.

IP allowlist model

Opening remote access does two things, scoped to a single source IP:

1. Bind the database listener so it accepts connections from that address.
2. Open the firewall for that source IP only — on the database port.

This keeps the database unreachable from everywhere except the address you allowlisted. You manage the allowlist from the database engine’s Settings drawer (“Manage remote access”).

Caution

Never expose a production database to 0.0.0.0. Always allowlist a specific source IP. Use a static IP for the client, or you will have to re-add the entry each time it changes.

MariaDB / Mongo

For MariaDB/MySQL and MongoDB, remote access is enforced through firewall rules. Adding an allowlist entry binds the listener and opens the firewall for that one source IP; the database stays invisible to every other address.

PostgreSQL (native expose)

PostgreSQL uses native expose / unexpose controls rather than ad-hoc firewall edits. Exposing the instance to a source IP updates the PostgreSQL listener configuration and the firewall together; un-exposing reverses both. This keeps pg_hba-style access and the firewall in sync.

Revoking access

Open the engine’s Settings drawer and revoke the allowlist entry:

• MariaDB / MongoDB — remove the firewall rule for that source IP (and the bind) to close access again.
• PostgreSQL — unexpose the instance, which removes both the listener exposure and the firewall opening.

Tip

Open access only while you actively need it, and revoke it as soon as the work is done. The smaller the window, the smaller the exposure.