Getting Started

Hosted vs. Self-Hosted Agent — Which to Choose

When to use MonPG's hosted collector vs. running the agent in your own infrastructure.

You have two ways to get metrics into MonPG: our hosted collector connects to your DB, or you run our collector inside your network and push to us. Both produce identical data. The choice is about who runs what process and where credentials live.

Picking a mode

Use the hosted collector if:

  • Your DB is reachable from the public internet.
  • You're OK with handing us a one-shot admin password (used once, never persisted).
  • You'd rather we patch the collector than you.

This covers most managed-PG customers.

Use the agent if any of these apply:

  • Your security policy forbids sharing DB credentials with third parties.
  • Your DB is in a private VPC with no public route.
  • You want explicit control over collector upgrades.
  • You're on self-managed PostgreSQL inside a datacenter or air-gapped environment.

The two modes don't have to be exclusive. Some customers run the hosted collector against their staging fleet (faster onboarding, less ops) and the agent against prod (stricter network posture). Each server is independent — pick the mode per server when you onboard.

What hosted onboarding actually does

Three things, all visible on the consent surface before you click Provision:

  1. Creates a monpg_monitor_<12hex> role with pg_monitor grant and CONNECTION LIMIT 10.
  2. Runs CREATE EXTENSION pg_stat_statements on each database you marked for monitoring.
  3. Creates a monpg schema with two SECURITY DEFINER helper functions that read pg_stats safely on behalf of pg_monitor.

That's it. No GUC changes, no shared_preload_libraries changes, no restart of any kind. The admin password you typed gets used to run the DDL above, then it's discarded. The generated monpg_monitor password is wrapped with our Azure Key Vault key and stored ciphertext-only in our DB — only the hosted-fleet collector role can unwrap it.

If your security review wants the wrap key in your control instead of ours, that's an Enterprise plan customer-managed-key (CMK) feature.
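
A read-only audit a reviewer could run as an admin after provisioning (or after running the DDL by hand) to confirm the three changes listed above. This is an added example, not MonPG's own SQL: it uses only standard PostgreSQL catalogs and assumes the role name starts with monpg_monitor and the schema is named monpg, as described on this page.

```sql
-- Added example (not MonPG's SQL). Read-only; run in each monitored database.

-- 1. The monitoring role: expect rolconnlimit = 10 and pg_monitor in member_of.
--    Any 't' in the privilege flags is broader than this page describes.
SELECT r.rolname,
       r.rolconnlimit,
       r.rolsuper, r.rolcreaterole, r.rolcreatedb,
       r.rolreplication, r.rolbypassrls,
       ARRAY(SELECT g.rolname
               FROM pg_auth_members m
               JOIN pg_roles g ON g.oid = m.roleid
              WHERE m.member = r.oid
              ORDER BY 1) AS member_of
  FROM pg_roles r
 WHERE r.rolname ~ '^monpg_monitor';   -- assumption: name prefix from the page

-- 2. The extension: expect one row per database you marked for monitoring.
SELECT extname, extversion, extnamespace::regnamespace AS installed_in
  FROM pg_extension
 WHERE extname = 'pg_stat_statements';

-- 3. The helper schema: check who owns it and whether PUBLIC can create in it.
SELECT n.nspname,
       pg_get_userbyid(n.nspowner)                     AS owner,
       has_schema_privilege('public', n.oid, 'CREATE') AS public_can_create
  FROM pg_namespace n
 WHERE n.nspname = 'monpg';

-- 4. The helper functions: expect two rows with security_definer = t.
--    General hardening checks (not claims about MonPG's DDL): 'settings'
--    should pin search_path, and EXECUTE should not be open to PUBLIC.
SELECT p.oid::regprocedure                               AS func,
       p.prosecdef                                       AS security_definer,
       pg_get_userbyid(p.proowner)                       AS owner,
       p.proconfig                                       AS settings,
       has_function_privilege('public', p.oid, 'EXECUTE') AS public_can_execute
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
 WHERE n.nspname = 'monpg'
 ORDER BY 1;
```

Because SECURITY DEFINER functions run with their owner's privileges, the owner column in query 4 tells you whose rights the collector borrows when it reads pg_stats.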

Hosted with manual SQL

One middle option exists if your security policy forbids sharing admin creds even for one wizard click. Pick "Hosted — I'll run the SQL" on the Setup screen.

  1. We generate the same DDL.
  2. You run it in psql yourself.
  3. You paste the resulting monpg_monitor password back.

Same hosted collector topology afterwards. Your admin password stays on your side the whole time.

Agent mode trade-offs

Agent mode is more flexible but more ops on your side:

  • You decide where to run it (Docker, Kubernetes, systemd, or just the binary).
  • You generate the monpg_monitor role yourself with the SQL we provide.
  • You upgrade the collector when we ship new versions.

The benefit: your DB password never leaves your network, and your firewall doesn't open inbound at all (the agent only does outbound HTTPS).