Protected branches
Learn how to use Neon's protected branches feature to secure your critical data
Neon's protected branches feature implements a series of protections:
- Protected branches cannot be deleted.
- Protected branches cannot be reset.
- Projects with protected branches cannot be deleted.
- Computes associated with a protected branch cannot be deleted.
- New passwords are automatically generated for Postgres roles on branches created from protected branches. See below.
- With additional configuration steps, you can apply IP Allow restrictions to protected branches only. The IP Allow feature is available on the Neon Scale and Business plans. See below.
The protected branches feature is available on all Neon paid plans.
Set a branch as protected
This example sets a single branch as protected, but you can have up to 5 protected branches.
To set a branch as protected:
-
In the Neon Console, select a project.
-
Select Branches to view the branches for the project.
-
Select a branch from the table. In this example, we'll configure our default branch
main
as a protected branch. -
On the branch page, click the Actions drop-down menu and select Set as protected.
-
In the Set as protected confirmation dialog, click Set as protected to confirm your selection.
Your branch is now designated as protected, as indicated by the protected branch shield icon, shown below.
The protected branch designation also appears on your Branches page.
New passwords generated for Postgres roles on child branches
When you create a branch in Neon, it includes all Postgres databases and roles from the parent branch. By default, Postgres roles on the child branch will have the same passwords as on the parent branch. However, this does not apply to protected branches. When you create a child branch from a protected branch, new passwords are generated for the matching Postgres roles on the child branch.
This behavior is designed to prevent the exposure of passwords that could be used to access your protected branch. For example, if you have designated a production branch as protected, the automatic password change for child branches ensures that you can create child branches for development or testing without risking access to data on your production branch.
Please note that resetting or restoring a child branch from a protected parent branch preserves passwords for matching Postgres roles on the child branch. Please refer to the feature notes below for more.
Feature notes
- The "new password" feature for child branches was released on July, 31, 2024. If you have existing CI scripts that create branches from protected branches, please be aware that passwords for matching Postgres roles on those newly created branches will now differ. If you depend on those passwords being the same, you'll need to make adjustments to get the correct connection details for those branches.
- After a branch is created, the up-to-date connection string is returned in the output of the Create Branch GitHub Action.
- The Reset Branch GitHub Action also outputs connection string values, in case you are using this action in your workflows.
- The Neon CLI supports a connection-string command for retrieving a branch's connection string.
- Prior to September, 6, 2024, resetting or restoring a child branch from a protected parent branch restored passwords for matching Postgres roles on the child branch to those used on the protected parent branch. As of September, 6, 2024, passwords for matching Postgres roles on the child branch are preserved when resetting or restoring a child branch from a protected parent branch.
How to apply IP restrictions to protected branches
On Neon's Business plan, you can use the protected branches feature in combination with Neon's IP Allow feature to apply IP access restrictions to protected branches only. The basic setup steps are:
- Define an IP allowlist for your project
- Restrict IP access to protected branches only
- Set a branch as protected (if you have not done so already)
Define an IP allowlist for your project
For details about specifying IP addresses, see How to specify IP addresses.
Restrict IP access to protected branches only
After defining an IP allowlist, the next step is to select the Restrict access to protected branches only option.
This option removes IP restrictions from all branches in your Neon project and applies them to protected branches only.
After you've selected the protected branches option, click Save changes to apply the new configuration.
Remove branch protection
Removing a protected branch designation can be performed by selecting Set as unprotected from the Actions menu on the branch page.
Need help?
Join our Discord Server to ask questions or see what others are doing with Neon. Users on paid plans can open a support ticket from the console. For more details, see Getting Support.