Neon Private Networking
betaLearn how to connect to your Neon database via AWS PrivateLink
The Neon Private Networking feature enables secure connections to your Neon databases via AWS PrivateLink, bypassing the open internet for enhanced security.
Public Beta
This feature is in Public Beta. Any member of a Neon Organization account can apply to participate in this Public Beta by requesting access via the Organization Settings page in the Console. Please note that Neon will enable billing for the feature at the end of the Public Beta period.
Overview
In a standard setup, the client application connects to a Neon database over the open internet via the Neon proxy.
With Neon Private Networking, you can connect to your database via AWS PrivateLink instead of the open internet. In this setup, the client application connects through an AWS endpoint service (provided by Neon) to a Neon proxy instance that is not accessible from the public internet. This endpoint service is available only within the same AWS region as your client application and is restricted to Neon-authorized customers. With Neon Private Networking, all traffic between the client application and the Neon database stays within AWS's private network, rather than crossing the public internet.
Prerequisites
- Ensure that your client application is deployed on AWS in the same region as the Neon database you plan to connect to. The Private Networking feature is available in all Neon-supported AWS regions. Both your private access client application and Neon database must be in one of these regions.
- Add a VPC endpoint to the AWS Virtual Private Cloud (VPC) where your client application is deployed. The steps are outlined below.
Configuration steps
To configure Neon Private Networking, perform the following steps:
-
Create an AWS VPC endpoint
-
Go to the AWS VPC Dashboard and select Create endpoint. Make sure you create the endpoint in the same VPC as your client application.
-
Optionally, enter a Name tag for the endpoint (e.g.,
My Neon Private Networking test
). -
For Service category, select Other endpoint services.
-
Specify the Service name. It must be one of the following names, depending on your region:
- us-east-1:
com.amazonaws.vpce.us-east-1.vpce-svc-0ccf08d7888526333
- us-east-2:
com.amazonaws.vpce.us-east-2.vpce-svc-0fa555394e26593be
- eu-central-1:
com.amazonaws.vpce.eu-central-1.vpce-svc-0fa74d33d011f0803
- us-west-2:
com.amazonaws.vpce.us-west-2.vpce-svc-05948d7514bcd0733
- ap-southeast-1:
com.amazonaws.vpce.ap-southeast-1.vpce-svc-045649a6862891b1e
- ap-southeast-2:
com.amazonaws.vpce.ap-southeast-2.vpce-svc-08e19a71d9651bde1
- us-east-1:
-
Click Verify service. If successful, you should see a
Service name verified
message. -
Select the VPC where your application is deployed.
-
Add the availability zones and associated subnets you want to support.
-
Click Create endpoint to complete the setup of the endpoint service.
-
-
Provide the VPC Endpoint ID to Neon
Note the VPC Endpoint ID and provide it to Neon. Neon will authorize this VPC Endpoint to access the Neon Private Networking service and will notify you once authorization is complete.
note
Please note that you must provide the VPC Endpoint ID, not the VPC ID. This step is specific to the Private Preview. In the final version, the allowed VPC Endpoint will be configured through the Neon Console without any manual involvement by Neon.
-
Enable Private DNS
After Neon authorizes your endpoint (wait for confirmation from Neon), enable private DNS lookup for the endpoint.
- In AWS, select the VPC endpoint you created.
- Choose Modify private DNS name.
- Select Enable for this endpoint.
- Save your changes.
-
Update the connection string
To connect to your Neon database using AWS PrivateLink, modify your Neon database connection string to use the private endpoint.
For example, if your original Neon database connection string is:
Update it to:
Notice that the updated connection string includes
vpce
in the hostname. This change will route database connections over AWS PrivateLink. -
Restrict public internet access
At this point, it's still possible to connect to your Neon database over the public internet using the original Neon database connection string.
To restrict public internet access via this connection string, use Neon's IP Allow feature in the Neon Console. For IP Allow configuration instructions, see Configure IP Allow.
You can access your IP Allow configuration from your Neon's project's Settings page.
Enter 0.0.0.0 in the allowlist to block all connections over the public internet, and click Save changes.
note
The Private Networking connection is not affected by this IP Allow configuration.
note
Using the IP allowlist feature for blocking access from the public internet is only for the Private Preview. In the final version of this feature, there will be a dedicated option in the Neon Console for this purpose.
Limits
The Private Networking feature supports a maximum of 10 private networking configurations per AWS region. Supported AWS regions are listed in the preceding section.
Need help?
Join our Discord Server to ask questions or see what others are doing with Neon. Users on paid plans can open a support ticket from the console. For more details, see Getting Support.