Neon Private Networking

Learn how to connect to your Neon database via AWS PrivateLink

Private Preview

This feature is currently accessible in Private Preview only.

The Neon Private Networking feature enables secure connections to your Neon databases via AWS PrivateLink, bypassing the open internet for enhanced security.

Overview

In a standard setup, the client application connects to a Neon database over the open internet via the Neon proxy.

With Neon Private Networking, you can connect to your database via AWS PrivateLink instead of the open internet. In this setup, the client application connects through an AWS endpoint service (provided by Neon) to a Neon proxy instance that is not accessible from the public internet. This endpoint service is available only within the same AWS region as your client application and is restricted to Neon-authorized customers. With Neon Private Networking, all traffic between the client application and the Neon database stays within AWS's private network, rather than crossing the public internet.

Neon Private Networking diagram

Prerequisites

  • Ensure that your client application is deployed on AWS in the same region as the Neon database you plan to connect to. The Private Networking feature is available in all Neon-supported AWS regions; both the client application and the Neon database must be in one of these regions.
  • Add a VPC endpoint to the AWS Virtual Private Cloud (VPC) where your client application is deployed. The steps are outlined below.

Configuration steps

To configure Neon Private Networking, perform the following steps:

  1. Create an AWS VPC endpoint

    1. Go to the AWS VPC Dashboard and select Create endpoint. Make sure you create the endpoint in the same VPC as your client application.

      VPC Dashboard

    2. Optionally, enter a Name tag for the endpoint (e.g., My Neon Private Networking test).

    3. For Service category, select Other endpoint services.

    4. Specify the Service name. It must be one of the following names, depending on your region:

      • us-east-1: com.amazonaws.vpce.us-east-1.vpce-svc-0ccf08d7888526333
      • us-east-2: com.amazonaws.vpce.us-east-2.vpce-svc-0fa555394e26593be
      • eu-central-1: com.amazonaws.vpce.eu-central-1.vpce-svc-0fa74d33d011f0803
      • us-west-2: com.amazonaws.vpce.us-west-2.vpce-svc-05948d7514bcd0733
      • ap-southeast-1: com.amazonaws.vpce.ap-southeast-1.vpce-svc-045649a6862891b1e
      • ap-southeast-2: com.amazonaws.vpce.ap-southeast-2.vpce-svc-08e19a71d9651bde1

      Select the endpoint service

    5. Click Verify service. If successful, you should see a Service name verified message.

    6. Select the VPC where your application is deployed.

    7. Add the availability zones and associated subnets you want to support.

    8. Click Create endpoint to complete the setup of the endpoint service.

  2. Provide the VPC Endpoint ID to Neon

    Note the VPC Endpoint ID and provide it to Neon. Neon will authorize this VPC Endpoint to access the Neon Private Networking service and will notify you once authorization is complete.

    note

    Please note that you must provide the VPC Endpoint ID, not the VPC ID. This step is specific to the Private Preview. In the final version, the allowed VPC Endpoint will be configured through the Neon Console without any manual involvement by Neon.

  3. Enable Private DNS

    After Neon authorizes your endpoint (wait for confirmation from Neon), enable private DNS lookup for the endpoint.

    1. In AWS, select the VPC endpoint you created.
    2. Choose Modify private DNS name.
    3. Select Enable for this endpoint.
    4. Save your changes.

      Enable private DNS

  4. Update the connection string

    To connect to your Neon database using AWS PrivateLink, modify your Neon database connection string to use the private endpoint.

    For example, if your original Neon database connection string is:

    postgresql://user:password@ep-testing-bush-12345.us-east-1.aws.neon.tech

    Update it to:

    postgresql://user:password@ep-testing-bush-12345.vpce.us-east-1.aws.neon.tech

    Notice that the updated connection string includes vpce in the hostname. This change will route database connections over AWS PrivateLink.

  5. Restrict public internet access

    At this point, it's still possible to connect to your Neon database over the public internet using the original Neon database connection string.

    To restrict public internet access via this connection string, use Neon's IP Allow feature in the Neon Console. For IP Allow configuration instructions, see Configure IP Allow.

    You can access your IP Allow configuration from your Neon project's Settings page.

    Enter 0.0.0.0 in the allowlist to block all connections over the public internet, and click Save changes.

    note

    The Private Networking connection is not affected by this IP Allow configuration.

    Neon IP Allow configuration

    note

    Using the IP allowlist feature for blocking access from the public internet is only for the Private Preview. In the final version of this feature, there will be a dedicated option in the Neon Console for this purpose.
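Steps 3 and 4 above expressed in code, as an added example that is not Neon's own tooling: `to_private_link` rewrites a Neon connection string to the `vpce` hostname (refusing regions without a listed endpoint service), and `resolves_privately` checks that the rewritten hostname actually resolves to addresses inside your VPC, which is what you should see once private DNS is enabled on the endpoint. The `resolve` parameter is an assumption added so the check can be exercised with a stand-in resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Endpoint service names per region, as listed on this page.
NEON_VPCE_SERVICES = {
    "us-east-1": "com.amazonaws.vpce.us-east-1.vpce-svc-0ccf08d7888526333",
    "us-east-2": "com.amazonaws.vpce.us-east-2.vpce-svc-0fa555394e26593be",
    "eu-central-1": "com.amazonaws.vpce.eu-central-1.vpce-svc-0fa74d33d011f0803",
    "us-west-2": "com.amazonaws.vpce.us-west-2.vpce-svc-05948d7514bcd0733",
    "ap-southeast-1": "com.amazonaws.vpce.ap-southeast-1.vpce-svc-045649a6862891b1e",
    "ap-southeast-2": "com.amazonaws.vpce.ap-southeast-2.vpce-svc-08e19a71d9651bde1",
}


def to_private_link(conn_str: str) -> str:
    """Rewrite <ep>.<region>.aws.neon.tech to <ep>.vpce.<region>.aws.neon.tech.

    Credentials, port, database name and query parameters are left untouched.
    """
    parts = urlsplit(conn_str)
    host = parts.hostname
    if host is None or not host.endswith(".aws.neon.tech"):
        raise ValueError(f"not a Neon hostname: {host!r}")
    labels = host.split(".")
    if labels[1] == "vpce":  # already a PrivateLink hostname: nothing to do
        return conn_str
    if len(labels) != 5 or labels[1] not in NEON_VPCE_SERVICES:
        raise ValueError(f"region {labels[1]!r} has no Neon endpoint service listed")
    new_host = ".".join([labels[0], "vpce", *labels[1:]])
    # Replace only the host part of the netloc so user info and port survive.
    netloc = parts.netloc
    start = netloc.lower().rfind(host)
    new_netloc = netloc[:start] + new_host + netloc[start + len(host):]
    return conn_str.replace(netloc, new_netloc, 1)


def resolves_privately(host: str, resolve=socket.gethostbyname_ex) -> bool:
    """True if every address the host resolves to is in a private range.

    With private DNS enabled on the VPC endpoint, the vpce hostname resolves
    to the endpoint's private IPs in your VPC. Public addresses mean the
    lookup is still being answered outside the private path.
    The resolve parameter is an assumed hook for injecting a test resolver.
    """
    _, _, addrs = resolve(host)
    return bool(addrs) and all(ipaddress.ip_address(a).is_private for a in addrs)
```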