Skip to main content
The Formal Connector supports encrypted communication using TLS. You can ensure that communications between clients and the Connector are encrypted and ensure that communications between the Connector and Resources are encrypted.

TLS between clients and the Connector

The hostname you configure will be used to reach and use your Connector. It can be managed by Formal or by yourself.
  • Formal-Managed: The hostname is a subdomain of a domain that belongs to Formal. Formal will create and renew the TLS certificate of your Connector.
  • Customer-Managed: The hostname is in a DNS zone you control. You are responsible for configuring your DNS records and managing your TLS certificates.
Formal recommends using Formal-managed hostnames for simplified TLS certificate management and automatic renewal.

Formal-Managed

Formal will automatically generate and renew the TLS certificate for your Connector if the hostname ends with
.[NAME_OF_YOUR_ORG].connectors.joinformal.com.
Using our Terraform provider, you can create such a Connector hostname and specify where it should point to:
resource "formal_connector_hostname" "main" {
  connector_id = formal_connector.main.id
  hostname     = var.connector_hostname # e.g. "postgres.<org-name>.connectors.joinformal.com"
  dns_record   = var.dns_record # CNAME record value to point to
}
The DNS record you want to set here is the hostname of the load balancer you have deployed to target your Connector. When creating the Connector hostname with the web interface, just select “Formal-Managed” and fill the form.

Customer-Managed

For self-managed hostname and TLS, you must provide your TLS certificate to the Connector. You can do so via our APIs, Terraform, or the Formal console:

TLS between the Connector and Resources

You can configure TLS settings between the Connector and resources on an individual resource level via our APIs, Terraform, or the Formal console: TLS settings for connections between the Connector and Resources are configured per-resource either via the UI or Terraform. The TLS configuration can be set to one of the following options: disable, insecure-skip-verify, insecure-verify-ca-only (verifies certificate chain but not hostname), or verify-full.