The Formal Connector supports encrypted communication using TLS. You can ensure that communications between clients and the Connector are encrypted and ensure that communications between the Connector and Resources are encrypted.

TLS between clients and the Connector

The hostname you configure will be used to reach and use your Connector. It can be managed by Formal or by yourself.
  • Formal-Managed: The hostname is a subdomain of a domain that belongs to Formal. Formal will create and renew the TLS certificate of your Connector.
  • Customer-Managed: The hostname is in a DNS zone you control. You are responsible for configuring your DNS records and managing your TLS certificates.
Formal recommends using Formal-managed hostnames for simplified TLS certificate management and automatic renewal.
Note for Mac users: If you’re connecting to a Connector over HTTP/TLS using curl on macOS, you may need to install curl via Homebrew (brew install curl) as the native curl installed on Mac does not support newer versions of TLS.

Formal-Managed

Formal will automatically generate and renew the TLS certificate for your Connector if the hostname ends with .[NAME_OF_YOUR_ORG].connectors.joinformal.com.
Using our Terraform provider, you can create such a Connector hostname and specify where it should point:
resource "formal_connector_hostname" "main" {
  connector_id = formal_connector.main.id
  hostname     = var.connector_hostname # e.g. "postgres.<org-name>.connectors.joinformal.com"
  dns_record   = var.dns_record # CNAME record value to point to
}
The DNS record you want to set here is the hostname of the load balancer you have deployed to target your Connector. When creating the Connector hostname with the web interface, just select “Formal-Managed” and fill in the form.

Customer-Managed

For a self-managed hostname and TLS, you must provide your TLS certificate to the Connector. You can do so via our APIs, Terraform, or the Control Plane:

TLS between the Connector and Resources

You can configure TLS settings between the Connector and Resources on an individual resource level via our APIs, Terraform, or the Control Plane. Set the TLS configuration of the resource to one of the following options: disable, insecure-skip-verify, insecure-verify-ca-only (verifies certificate chain but not hostname), or verify-full.
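The following is an added example, not Formal's code: it maps the four options listed above to the equivalent Python `ssl` settings and audits a constructed resource inventory for anything weaker than verify-full. Only the insecure-verify-ca-only behaviour is stated on this page; the other three mappings assume the conventional meaning of those names, and the resource names are hypothetical.

```python
import ssl

# What each setting leaves unchecked. Only the insecure-verify-ca-only
# description comes from the page; the rest is the conventional meaning of
# these names and is an assumption about the Connector.
MODES = {
    "disable": "no TLS: traffic to the resource is plaintext",
    "insecure-skip-verify": "encrypted, but any certificate is accepted",
    "insecure-verify-ca-only": "chain verified, hostname not checked",
    "verify-full": None,  # chain and hostname are both verified
}


def context_for(mode, cafile=None):
    """Return the ssl.SSLContext equivalent of a mode, or None for 'disable'."""
    if mode not in MODES:
        raise ValueError(f"unknown TLS mode: {mode!r}")
    if mode == "disable":
        return None
    ctx = ssl.create_default_context(cafile=cafile)  # verify-full defaults
    if mode == "insecure-verify-ca-only":
        ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    elif mode == "insecure-skip-verify":
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(resources):
    """Return (name, mode, gap) for every resource not set to verify-full."""
    findings = []
    for name, mode in resources.items():
        gap = MODES.get(mode, "unknown mode")
        if gap is not None:
            findings.append((name, mode, gap))
    return findings


# Constructed inventory: resource names are hypothetical.
SAMPLE = {
    "orders-postgres": "verify-full",
    "legacy-mysql": "insecure-skip-verify",
    "analytics-pg": "insecure-verify-ca-only",
    "dev-redis": "disable",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```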