Private Spaces are dedicated environments for running dynos and certain types of add-ons within an isolated network.
- Access to apps in a Private Space can be controlled at the network level.
- Outbound requests from apps in a Private Space originate from a set of stable IP addresses.
- Each Private Space has a set of trusted IP ranges, with each range represented in CIDR block notation. Use trusted IP ranges to restrict traffic to apps that come from your corporate network or from a CDN service that proxies traffic for your apps. Trusted IP Ranges only applied to web processes.
- Roling Deployment – Rolling deploys do this by stopping and changing only 25% at a time of the existing dynos in each of dyno types including “Web” dynos and other worker dynos, while the remaining dynos handle requests and tasks. Rolling deployment requires 2 or more dynos in the dynos formation before its active.
- Certain Add-ons can be installed on the same Private Space but some add-ons of the type “data store” will send data over the public internet, you can identify it via the add-on installation screen.
- Private Space Logging (only available in Shield Private Space) is a feature that enables you to configure log capture at the space level instead of the app level. When Private Space Logging is enabled, all log events from applications, Heroku Postgres databases and Heroku system services in the space are forwarded to a single log capture destination.
- Logs are sent as HTTPS POST requests.Each request body can contain up to 500 log lines. A request is sent from Private Space Logging to the log drain once the log batch is equal to 500 log lines or 250 ms has elapsed, whichever comes first.The maximum length of a single log line is 10k bytes, with longer lines split into multiple lines.
While unlikely, this means that the maximum Private Space Logging request could be as large as 5000 KB. If you intend on using a 3rd-party logging provider, you should check their logging request size limits.
- When Private Space Logging is enabled, the logs are sent to the destination and not used by Logplex.Logs cannot be forwarded to multiple log drains
Logs cannot be viewed in CLI with
heroku logsor in the Dashboard log viewer.
- If you have an on-premises logging system (such as Splunk) and a VPN connection from your on-premises network to your Private Space, Private Space Logging will not be able to access the on-premises logging system via the private connection. An on-premises logging system must be exposed to the public internet.