is it possible to set up the firewall for the database in a way that only the app has access to it while public access is blocked?
Some providers (incl. Heroku) don’t offer that functionality in their non-enterprise tiers.
You can’t configure it via a regular static IP whitelist rule because the app doesn’t have a static IP unless it does for Digital Ocean?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.