Skip to main content

Overview

If you are searching for a Heroku Shield alternative, Aptible is one of the strongest platform-as-a-service options to evaluate, and for many regulated teams, the most natural fit. Aptible delivers a similar developer experience with simple, abstracted deployment of apps and databases, while providing dedicated infrastructure isolation, enforced security controls, and built-in compliance support for frameworks such as HIPAA, HITRUST, and SOC 2. For teams handling PHI or other sensitive data, these controls are foundational, not optional. Refer to the Security & Compliance docs for more information on our approach to security and compliance, including the specific controls we satisfy. If you are evaluating alternatives due to recent changes to Heroku’s Enterprise offering, you’re in the right place. Many teams that previously relied on Heroku Shield for HIPAA-eligible environments are now looking for infrastructure that combines developer simplicity with robust security and compliance support. This guide will help you evaluate Aptible and outline a clear path for a smooth migration, including:
  • Heroku Shield vs Aptible comparison
  • Key terminology mapping
  • Technical migration steps:
    • Private Spaces to Dedicated Stacks
    • Projects to Environments
    • Shield dynos to containers
    • Shield Postgres and Redis to Aptible-managed databases
    • Auditing Shield-compatible add-ons
    • Reconfiguring endpoints and networking
    • Minimizing downtime during cutover
If you’re migrating from standard Heroku (not Shield), see the general Heroku migration guide.
If you require further assistance or guidance during your migration, please contact Aptible Support. White-glove migration services are also available for teams that want hands-on assistance.

FAQs

Aptible is a security, compliance, and reliability-focused platform as a service (PaaS). Migrating to Aptible enables you to maintain a strong compliance posture with built-in support for frameworks such as HIPAA, HITRUST, and SOC 2, while gaining more flexibility in pricing and operational control.Teams typically migrate from Heroku Shield when they need HITRUST inheritance, more flexible pricing, or want to avoid 12-month contract commitments while maintaining the same level of compliance.
If you’re migrating from Heroku Shield, Aptible differs in two important ways: Aptible does not require a 12-month contract, and Aptible does not enforce high minimum spend thresholds. This makes it easier to adopt without long-term financial commitments.Aptible’s pricing model is usage-based with simple line items and no long-term lock-ins or steep minimums.Learn more about pricing.
Yes. Heroku requires a Procfile to define application processes, but on Aptible, Procfiles are optional.If no Procfile is present, Aptible will infer the service command from the Dockerfile CMD instruction. This is referred to as an Implicit Service.You can continue using a Procfile if your application has multiple services or process types. Procfile syntax is compatible between Heroku and Aptible.Note: If you are using Direct Docker Image Deploy (deploying a pre-built image from a container registry), you must place your Procfile at /.aptible/Procfile and your .aptible.yml at /.aptible/.aptible.yml inside your Docker image. See Procfiles and .aptible.yml with Direct Docker Image Deploy for details.

Heroku Shield vs Aptible comparison

The table below summarizes key differences across compliance, developer experience, and pricing.
CategoryHeroku ShieldAptible
Compliance
HIPAA EligibilityIncludedIncluded
HITRUST InheritanceNot availableIncluded
BAA SupportIncludedIncluded
Encryption in Transit and at RestIncludedIncluded, by default
Managed Intrusion DetectionNot availableIncluded, by default
24/7 SRE MonitoringAvailable with additional feeIncluded, by default
Automated BackupsIncluded, plan-dependent retentionIncluded, by default
Granular Access ControlLimitedIncluded, by default
Infrastructure IsolationIncluded (Private Spaces)Included (Dedicated Stacks)
Developer Experience
Runtime ModelDynosDocker containers
Build SystemBuildpacksDockerfile-based
Traffic RoutingHeroku RouterExplicit Endpoints
Automatic RollbacksLimitedIncluded, by default
Zero-downtime deploysIncluded, by defaultIncluded, by default
Public and Private AccessLimitedAvailable (Public and Private Endpoints supported)
Managed DatabasesShield Postgres & Shield RedisPostgreSQL, MySQL, Redis, Elasticsearch, RabbitMQ, InfluxDB, SFTP
Pricing
Compute Pricing ModelShield dyno tiersContainer-based pricing
Isolation CostHigh fees for getting startedLow fees for getting started: $499/base fee
Contract12-month contract requiredPay-as-you-go, no lock-in
White-glove migrationNot availableAvailable with additional fee

Key terminology mapping

If you’re migrating from Heroku Shield, the table below maps common Heroku concepts to their Aptible equivalents.
Heroku TermAptible TermDescription
DynoContainerA running instance of your application process
Heroku RouterEndpointNetwork entry point that routes traffic to your service
App URLEndpoint URLPublic hostname exposing your service
Private SpaceDedicated StackIsolated infrastructure environment
ProjectEnvironmentLogical grouping of apps and databases
Config VarsEnvironment VariablesRuntime configuration values
BuildpacksDockerfileDefines how your application is built
Shield PostgresManaged PostgreSQLProduction database service
Shield RedisManaged RedisIn-memory data store
Add-onsManaged Databases or External IntegrationsInfrastructure services attached to your app

Before you begin

Before starting your migration from Heroku Shield, ensure the following:
1

Create an Aptible account

Sign up for Aptible to get started with a 30-day free trial. When you’re ready to begin your production migration, upgrade to the Production plan.
2

Install the Aptible CLI

The CLI allows you to deploy applications, manage databases, and interact with your environment directly from your terminal.Install the CLI here.
3

Review your existing Heroku Shield setup

Ensure you have access to your Heroku app, Private Space, and Shield Postgres credentials. Make note of the following:
  • Application process types (web, worker, background jobs)
  • Environment variables and secrets
  • Add-ons such as databases, caches, or third-party services
  • Any custom build or runtime configuration
  • Networking or domain configuration

Migration steps

Set up your Aptible infrastructure

Private Spaces to Dedicated Stacks

In Heroku Shield, applications run inside Private Spaces, which define the network boundary and isolation model for your workloads. In Aptible, the equivalent concept is a Dedicated Stack. A Dedicated Stack is an isolated AWS environment with its own VPC, enforced encryption, and infrastructure-level security controls.
1

Provision a Dedicated Stack

Create a Dedicated Stack in the appropriate region. Dedicated Stacks are required for HIPAA compliance.
2

Execute a BAA if required

During Stack provisioning, Aptible Support will coordinate execution of your Business Associate Agreement if you are handling PHI.
3

Review networking requirements

Confirm IP allowlists, outbound access, and any required third-party integrations. See Network Integrations for fVPN and VPC peering options.
If you currently use multiple Private Spaces for staging and production, you can either:
  • Create separate Environments within a single Dedicated Stack (most common approach)
  • Provision multiple Dedicated Stacks if stricter infrastructure separation is required
Choose the approach that aligns with your compliance and isolation requirements.

Projects to Environments

In Heroku, applications are grouped into Projects and can be connected via Pipelines. In Aptible, applications and databases are grouped within an Environment, which exists inside a Dedicated Stack. An Environment provides logical separation between staging and production workloads and defines access controls.
  • Create an Environment corresponding to each Heroku Project
  • Create separate Environments for staging and production
Granular user access is assigned at the Environment level. For example, you can grant full access to a staging Environment while restricting permissions in production.

Migrate your application

Shield Dynos to Containers

In Heroku Shield, applications run as dynos built via buildpacks and defined by a Procfile. Heroku manages the runtime layer and abstracts containerization. In Aptible, applications run as Docker containers. You define how the application is built and executed using a Dockerfile, and each process type runs as its own service. Key differences:
Heroku ShieldAptible
BuildpacksDockerfile
Procfile process typesSeparate services
Dyno scalingContainer scaling
Release phaseExplicit release command via .aptible.yml
1

Convert Buildpack App to Docker

If your app does not already use Docker, create a Dockerfile. See Getting Started with Docker for guidance.Example (Node.js):
FROM node:18

WORKDIR /app
COPY package*.json ./
RUN npm install

COPY . .
EXPOSE 3000
CMD ["npm", "start"]
Important checks:
  • App binds to 0.0.0.0
  • Correct port exposed
  • No reliance on ephemeral filesystem storage
2

Translate Procfile process types

Typical Heroku Procfile:
web: bundle exec rails server
worker: bundle exec sidekiq
release: bundle exec rails db:migrate
In Aptible:
  • Deploy web as one service
  • Deploy worker as a separate service
  • Run database migrations using before_release in .aptible.yml
Each service can be scaled independently.Procfile and .aptible.yml placement depends on your deployment method:
If you deploy by pushing code to Aptible’s Git remote, keep your Procfile and .aptible.yml in the repository root directory. Aptible will detect and use them automatically during the build process.
3

Configure environment variables

Export your current Heroku variables:
heroku config --app your-app-name
Recreate them in the Aptible Environment using the Dashboard or CLI:
aptible config:set --app your-app-name KEY=value
Pay special attention to:
  • DATABASE_URL
  • REDIS_URL
  • SECRET_KEY_BASE
  • External service credentials
See Configuration Variables for more details.
4

Scale containers

Match your dyno configuration. If you previously ran 2 web dynos and 1 worker dyno, scale to 2 web containers and 1 worker container.
aptible apps:scale --app your-app-name --container-count 2 SERVICE
Monitor CPU and memory usage after deployment and adjust as needed. See App Scaling for guidance.
5

Validate deployment

Confirm:
  • Application boots without errors
  • Logs are flowing
  • Health checks pass
  • Background jobs process correctly
  • No reliance on Heroku-specific environment assumptions

Migrate your databases

Heroku Shield provides Shield Postgres and Shield Redis inside your Private Space with encryption and compliance controls. In Aptible, you can provision managed PostgreSQL, Redis, as well as MySQL, Elasticsearch, InfluxDB, RabbitMQ, and SFTP.

Migrating PostgreSQL

There are two primary approaches to migrating PostgreSQL databases:
  • Dump and restore works well for smaller databases (under 10GB) and simpler migrations
  • Logical replication is recommended for databases over 10GB or high-traffic production apps where minimizing downtime is critical
For databases larger than 10GB, heroku pg:backups can be slow and unreliable. Logical replication keeps your Aptible database in sync with Heroku until you’re ready to cut over, significantly reducing downtime.

Migrating Redis

1

Provision Redis in Aptible

Create a managed Redis instance:
aptible db:create your-redis \
  --type redis \
  --environment your-environment
Confirm version compatibility. See Redis documentation.
2

Update REDIS_URL

Update the environment variable in Aptible:
aptible config:set --app your-app-name REDIS_URL=redis://...
3

Plan cutover

If Redis is used as:
  • Cache only: No data migration required
  • Job queue: Coordinate cutover carefully to avoid dropped jobs
4

Validate

  • Confirm application connectivity
  • Monitor background worker logs
  • Validate job processing

Auditing your add-ons

Before migrating, review all add-ons attached to your Heroku Shield application: 
heroku addons --app your-app-name
Typical mappings:
Heroku Add-onMigration Approach
Shield PostgresMigrate to Aptible-managed PostgreSQL
Shield RedisMigrate to Aptible-managed Redis
Logging add-ons (e.g., Papertrail)Configure log drains to your observability provider (no additional cost)
Email providersContinue using external provider and update credentials
Third-party servicesReconfigure networking and environment variables

Configuring endpoints and networking

In Heroku Shield, applications are exposed via the Heroku Router within a Private Space. In Aptible, applications are exposed through explicitly defined Endpoints.

Public Endpoints

If your application is publicly accessible:

Private Endpoints

If your Heroku Private Space uses internal routing between services:
  • Create Private Endpoints inside the Dedicated Stack
  • Update internal service URLs
  • Confirm security group or access configuration

Networking checklist

  • Review outbound IP requirements
  • Confirm third-party allowlists
  • Update webhook destinations if needed
  • Verify internal service-to-service communication
Networking differences are often the largest architectural shift when moving from Shield to a dedicated infrastructure model. Take time to review your requirements carefully.

Minimizing downtime during cutover

To reduce downtime and risk during migration, plan the final cutover carefully.
1

Deploy and validate in staging

Deploy and validate your application in Aptible staging. Perform database migration to staging and test thoroughly.
2

Lower DNS TTL

Lower DNS TTL at least 24 hours before cutover to enable faster DNS propagation.
3

Schedule maintenance window

Schedule a maintenance window if required for your application.
4

Take final backup

Take a final database backup immediately before cutover:
heroku pg:backups:capture --app your-app-name
5

Restore final backup

Restore the final backup to your Aptible production database.
6

Update environment variables

Update environment variables to point to the new database.
7

Switch DNS

Switch DNS to the Aptible Endpoint.
8

Monitor

Monitor logs, performance, and background workers.
Additional considerations:
  • If Redis is used as a job queue, pause workers before final backup
  • Confirm no writes occur between final backup and DNS switch
  • Keep the Heroku app available briefly as a fallback if necessary
After confirming stable traffic and application behavior, decommission your Heroku Shield resources.

Closing thoughts

For most teams, migrating from Heroku Shield to Aptible is a same-day process. The core steps are mapping your infrastructure, migrating your databases, and executing a cutover strategy with minimal disruption. Once complete, your regulated workloads run on a platform designed for security and compliance. If you need guidance during your migration, contact Aptible Support. White-glove migration services are also available for teams seeking hands-on assistance.