diff --git a/manifests/dev/deployment.yml b/manifests/dev/deployment.yml
index ddc65b101..516f7b266 100644
--- a/manifests/dev/deployment.yml
+++ b/manifests/dev/deployment.yml
@@ -42,6 +42,10 @@ spec:
 image: uisacr.azurecr.io/pgbouncer:latest
 ports:
 - containerPort: 5432
+ volumeMounts:
+ - mountPath: /etc/pgbouncer/client_root_ca.crt
+ name: semesterly-az-postgres-tls-root-ca
+ subPath: client_root_ca.crt
 resources:
 requests:
 cpu: 100m
@@ -78,7 +82,9 @@ spec:
 - name: AUTH_TYPE
 value: plain
 - name: SERVER_TLS_SSLMODE
- value: disable
+ value: verify-ca
+ - name: PGBOUNCER_CLIENT_TLS_CA_FILE
+ value: "/etc/pgbouncer/client_root_ca.crt"
 - name: MAX_CLIENT_CONN
 value: "10000"
 - name: DEFAULT_POOL_SIZE
@@ -180,3 +186,8 @@ spec:
 secretKeyRef:
 name: semesterly-secrets
 key: JHU_JWT_AUTH_SECRET
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: semesterly-az-postgres-tls-root-ca.crt
+ name: semesterly-az-postgres-tls-root-ca
\ No newline at end of file
diff --git a/manifests/prod/deployment.yml b/manifests/prod/deployment.yml
index e19183083..919304926 100644
--- a/manifests/prod/deployment.yml
+++ b/manifests/prod/deployment.yml
@@ -43,6 +43,10 @@ spec:
 image: uisacr.azurecr.io/pgbouncer:latest
 ports:
 - containerPort: 5432
+ volumeMounts:
+ - mountPath: /etc/pgbouncer/client_root_ca.crt
+ name: semesterly-az-postgres-tls-root-ca
+ subPath: client_root_ca.crt
 resources:
 requests:
 cpu: 500m
@@ -78,7 +82,9 @@ spec:
 - name: AUTH_TYPE
 value: plain
 - name: SERVER_TLS_SSLMODE
- value: allow
+ value: verify-ca
+ - name: PGBOUNCER_CLIENT_TLS_CA_FILE
+ value: "/etc/pgbouncer/client_root_ca.crt"
 - name: MAX_CLIENT_CONN
 value: "10000"
 - name: DEFAULT_POOL_SIZE
@@ -180,3 +186,8 @@ spec:
 secretKeyRef:
 name: semesterly-secrets
 key: JHU_JWT_AUTH_SECRET
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: semesterly-az-postgres-tls-root-ca.crt
+ name: semesterly-az-postgres-tls-root-ca
\ No newline at end of file
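Review bot: The CA file is mounted through `subPath`, and a subPath mount is not refreshed when the backing ConfigMap changes, so a rotated root CA reaches pgbouncer only after the pods are restarted. That is worth recording next to the mount, e.g. `# subPath mount: restart the deployment after updating the CA ConfigMap`. The mount could also carry `readOnly: true`, since the container only needs to read the trust anchor. The same hunk appears in manifests/prod and manifests/stage, and the container spec starts and ends outside the hunk.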
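Review bot: `SERVER_TLS_SSLMODE` set to `verify-ca` checks the certificate chain but not the host name, so any certificate issued under the mounted root is accepted on the backend connection. If pgbouncer reaches the database by its DNS name, `value: verify-full` closes that gap. Separately, the CA path is passed as `PGBOUNCER_CLIENT_TLS_CA_FILE`, while the neighbouring variables are unprefixed. In pgbouncer, `client_tls_ca_file` governs the client-facing side, and the backend certificate is validated against `server_tls_ca_file`. The image's entrypoint is not visible here, so confirm that this variable is read and ends up as the server-side CA setting. The same applies to the prod and stage hunks.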
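Review bot: The new `volumes` entry references the ConfigMap `semesterly-az-postgres-tls-root-ca.crt`, which is not created anywhere in this diff. Unless it exists in each namespace with a key `client_root_ca.crt` to match the `subPath`, the pods will not start. Failing closed is the right behaviour for a trust anchor, but the dependency should be stated, e.g. `# requires ConfigMap semesterly-az-postgres-tls-root-ca.crt with key client_root_ca.crt`. `defaultMode: 420` is the decimal form of octal 0644 and deserves a short `# 0644` comment. The same hunk appears in prod and stage.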
diff --git a/manifests/stage/deployment.yml b/manifests/stage/deployment.yml
index 9cea5f3bf..924a7ea7e 100644
--- a/manifests/stage/deployment.yml
+++ b/manifests/stage/deployment.yml
@@ -43,6 +43,10 @@ spec:
 image: uisacr.azurecr.io/pgbouncer:latest
 ports:
 - containerPort: 5432
+ volumeMounts:
+ - mountPath: /etc/pgbouncer/client_root_ca.crt
+ name: semesterly-az-postgres-tls-root-ca
+ subPath: client_root_ca.crt
 resources:
 requests:
 cpu: 100m
@@ -79,7 +83,9 @@ spec:
 - name: AUTH_TYPE
 value: plain
 - name: SERVER_TLS_SSLMODE
- value: disable
+ value: verify-ca
+ - name: PGBOUNCER_CLIENT_TLS_CA_FILE
+ value: "/etc/pgbouncer/client_root_ca.crt"
 - name: MAX_CLIENT_CONN
 value: "10000"
 - name: DEFAULT_POOL_SIZE
@@ -181,3 +187,8 @@ spec:
 secretKeyRef:
 name: semesterly-secrets
 key: JHU_JWT_AUTH_SECRET
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: semesterly-az-postgres-tls-root-ca.crt
+ name: semesterly-az-postgres-tls-root-ca
\ No newline at end of file