Restrict Access to Your Neon Database with IP Allow
An extra level of security to safeguard your databases
Neon provides you with fully hosted and managed PostgreSQL instances. These instances have advanced branching and autoscaling features and are accessible using a connection string and a secure password.
We understand that having multiple layers of security in place is essential to safeguard your data. Implementing IP address restrictions is often part of a comprehensive security strategy, especially for businesses handling sensitive data or operating under strict regulatory environments.
Therefore, we’d like to introduce our newest security enhancement: IP Allow. This feature is available for customers signed up for the Neon Pro Plan.
Restricting Access to Your Branch by IP
Neon’s Postgres offering requires passwords to have at least 60 bits of entropy, providing a solid first layer of defense against unauthorized access. The IP Allow feature provides an extra level of verification and access control.
For example, restricting access to a range of known IP addresses decreases the possibility of data breaches caused by common attack vectors, such as phishing. This is because even if an attacker obtains credentials to access your database, those credentials will be useless unless the attacker can connect from an IP address on the allowlist.
To start using the IP Allow feature, head to the Neon console and create a new project or select an existing one.
From the project Dashboard, use the Connection Details to obtain a connection string for your preferred runtime or tooling. This post will be using psql
for demonstration purposes.
Verify that you can use the psql
command to connect to the database and run a query such as SELECT datname FROM pg_database
. A list of the available databases will be returned. Use the \q
command to exit the psql
process.
Anyone with the psql
command’s connection string can access your database from any network. To lock down your database to a specific IP or range of IPs, return to the Neon console and visit the Settings screen of your project. Enter a random IP address, e.g. 127.0.0.1
in the IP Allow section, and click the Apply changes button.
Try entering your psql
connection command again. Instead of being granted access to your Postgres instance, you will receive an error message stating, “This IP address is not allowed to connect to this endpoint”.
Visit a site such as ipinfo.io to obtain your public IP address, then replace the previously entered value with your IP address in the IP Allow section. Click the Apply changes button, then rerun the psql
command. You should be able to connect to your database since you’re connecting from an allowed IP address. Attempts to connect from a different IP address will fail.
Conclusion
Now you can restrict access to your Neon database’s branches using the IP Allow feature. You can read more about IP Allow in the documentation. Join us on our Discord server if you’d like to share your feedback and ideas or to hang out.