docs/platform/infrastructure/managing-infrastructure.md
Encore Cloud provides built-in safeguards to protect your production infrastructure, manages upgrades across the stack, and gives you the tools to implement disaster recovery. This page covers the operational aspects of running production infrastructure with Encore Cloud.
Encore Cloud implements multiple layers of protection against accidental or malicious deletion of production resources:
Encore Cloud is designed to coexist with manual changes made in your cloud provider's console. When deploying, Encore pulls the current resource properties before making any changes. If drift is detected (i.e. the resource was modified outside of Encore), Encore updates its internal representation to match the current state, unless there is a pending, manually requested property change in the Encore Cloud dashboard that hasn't been applied yet.
This means you can safely make changes directly in your cloud provider's console without worrying about Encore overwriting them. Learn more in the Infrastructure Configuration docs.
Encore Cloud maintains a versioned infrastructure graph where each node and edge is an immutable, versioned entity. Changes are applied by adding a new version, creating a complete audit trail:
This gives you full traceability from any infrastructure state back to the code change, change request, and user responsible.
When Encore Cloud deploys your application, it follows a three-phase process:
For production environments, you can require admin approval before any deployment that includes infrastructure changes. When enabled, an Admin must manually review and approve the changes before the deployment proceeds. This includes IAM changes.
To configure this, go to Encore Cloud dashboard > (Select your environment) > Settings > Infrastructure Approval. Learn more in the Environments docs.
Encore Cloud separates the control plane from the runtime of your services. Your application runs independently in your own cloud environment, so if Encore Cloud's control plane is unavailable, your production services continue to operate normally.
The main impact of a control plane outage would be on control plane features like deployments, observability, and the Encore Cloud dashboard. Your running services, databases, and other infrastructure remain unaffected.
For recovery independently of Encore's service, you retain full ownership of your infrastructure and code. You can use the open source tools to build images and deploy using any alternative CI/CD tooling.
Encore runtime versions are automatically included as part of each build in the CI/CD pipeline. When you deploy, Encore builds your application with the latest runtime.
build.docker.base_image setting in your encore.app file. This lets you pin a specific runtime version if needed. Learn more in the Deploying docs.
Encore Cloud automatically applies schema migrations as part of each deployment. However, PostgreSQL major version upgrades (e.g. PostgreSQL 15 to 16) are handled differently:
pg_dump/pg_restore are supported for migrating data between database versions or environments.
Upgrades to the underlying cloud services (Cloud Run, Pub/Sub, IAM, VPC, etc.) are handled as part of the normal deployment phases. By default, these upgrades are applied automatically during deployment. You can require admin approval for deployments that include infrastructure changes through the deploy approval settings.
Encore Cloud assigns names to database instances automatically when provisioning. Cloud providers (e.g. GCP Cloud SQL, AWS RDS) do not support renaming instances after creation. If you need a different naming convention (for example, to include environment or service identifiers), the process involves:
Encore does not enforce a specific PostgreSQL schema for your tables. Table creation is controlled entirely by your migration files, so you have full control over which schema tables are created in. If your organization requires tables to be in a dedicated schema rather than public, update your migration files accordingly. For example:
```sql
CREATE SCHEMA IF NOT EXISTS myapp;
CREATE TABLE myapp.todo_item (
    id BIGSERIAL PRIMARY KEY,
    title TEXT NOT NULL
);
```
This is purely a migration-level decision and does not require any changes to Encore's configuration.
Encore Cloud provisions databases with regional (multi-AZ) availability by default, distributing replicas across multiple availability zones for higher resilience. This means your database remains available even if an individual zone experiences an outage.
You can change the availability configuration on the Infrastructure page in the Encore Cloud dashboard:
Switching between regional and zonal availability causes downtime while the change is applied. Plan accordingly and consider making this change during a maintenance window.
Encore Cloud automatically manages database credentials with built-in isolation:
Learn more about viewing and managing database credentials in the Managing database users docs.
When deploying to your own cloud account, Encore Cloud provisions databases in private subnets that are not directly accessible from the public internet. If you need to connect external tools (data pipelines, BI platforms, database management utilities, etc.) to your databases, there are a few approaches:
Using the Encore CLI proxy
The simplest way to connect external tools is through the Encore CLI's built-in database proxy:
```shell
$ encore db proxy --env=<environment-name>
```
This sets up a local proxy that forwards connections to your databases. External tools can then connect to the local proxy endpoint. Learn more in the database CLI docs.
Using database credentials directly
For cloud environments on AWS/GCP, you can retrieve database credentials from the Encore Cloud dashboard and use them with your cloud provider's connectivity options (e.g. VPC peering, private service access, or a proxy). See the Managing database users docs for how to access credentials.
SSL/TLS certificates
In GCP, Encore Cloud provisions databases with TLS encryption enabled. When connecting external tools (data pipelines, replication services, database management utilities, etc.), you will need to configure SSL certificates for the connection.
To download the CA certificate and create a client certificate for your database instance:
GCP (Cloud SQL):
server-ca.pem file.
Configure your external tool to trust the downloaded CA certificate, and provide the client certificate if required. The exact configuration depends on the tool you are using.
If your tool connects over a trusted internal network (e.g. within the same VPC via a private IP or a secured proxy), you may be able to disable TLS verification. This is only appropriate when the connection path is already encrypted or isolated at the network level. Tools connecting over the public internet should always use TLS with proper certificate validation.
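As an added example (not part of the Encore docs or Encore's tooling), this Python check audits the PostgreSQL connection URIs configured in external tools against the TLS guidance above, using libpq's standard sslmode, sslrootcert, sslcert and sslkey parameters. The sample URIs, the client-cert.pem and client-key.pem file names, and the policy of trusting only loopback hosts (such as a local encore db proxy) to skip verification are assumptions of this example.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# sslmode values under which libpq does not insist on a valid server certificate.
UNVERIFIED = {"disable", "allow", "prefer", "require"}
VERIFIED = {"verify-ca", "verify-full"}

# Constructed sample URIs (hosts, port, user and database are made up).
SAMPLES = [
    "postgres://bi_reader@10.20.0.5:5432/app?sslmode=require",
    "postgres://bi_reader@10.20.0.5:5432/app?sslmode=verify-ca"
    "&sslrootcert=server-ca.pem&sslcert=client-cert.pem&sslkey=client-key.pem",
    "postgres://bi_reader@127.0.0.1:9500/app?sslmode=disable",
]


def is_local_proxy(host):
    """Assumption: only loopback (e.g. a local `encore db proxy`) is trusted."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_dsn(dsn):
    """Return a list of findings for a postgres:// URI; empty means it passes."""
    url = urlsplit(dsn)
    params = {k: v[-1] for k, v in parse_qs(url.query).items()}
    mode = params.get("sslmode", "prefer")  # libpq default when unset
    if mode not in UNVERIFIED | VERIFIED:
        return [f"unknown sslmode {mode!r}"]
    findings = []
    if mode in UNVERIFIED and not is_local_proxy(url.hostname or ""):
        findings.append(f"sslmode={mode} does not enforce server certificate validation")
    if mode in VERIFIED and "sslrootcert" not in params:
        findings.append("sslrootcert not set; pass the downloaded server-ca.pem")
    if ("sslcert" in params) != ("sslkey" in params):
        findings.append("sslcert and sslkey must be provided together")
    return findings


if __name__ == "__main__":
    for dsn in SAMPLES:
        print(dsn.split("?")[0], "->", audit_dsn(dsn) or "ok")
```

Connections to private VPC addresses are still flagged when verification is off, so each such exception has to be reviewed rather than assumed.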
When deploying to your own cloud account, Encore Cloud provisions databases with the following protections by default:
Learn more about the default database configuration in the GCP Infrastructure and AWS Infrastructure docs.
Disaster recovery settings for stateful resources can be configured in two ways:
Learn more about manual configuration in the Infrastructure Configuration docs.
For production environments with specific RTO/RPO targets, consider:
Encore Cloud automates the heavy lifting of infrastructure management, while giving you full control over customization and decisions that are specific to your application.