Private Networking availability
Private Networking is available on Neon's Business and Enterprise plans.
The Neon Private Networking feature enables secure connections to your Neon databases via AWS PrivateLink, bypassing the open internet for enhanced security.
Overview
In a standard setup, the client application connects to a Neon database over the open internet via the Neon proxy.
With Neon Private Networking, you can connect to your database via AWS PrivateLink instead of the open internet. In this setup, the client application connects through an AWS endpoint service (provided by Neon) to a Neon proxy instance that is not accessible from the public internet. This endpoint service is available only within the same AWS region as your client application. With Neon Private Networking, all traffic between the client application and the Neon database stays within AWS's private network, rather than crossing the public internet.
Prerequisites
- You must be a user on a Neon Business or Enterprise plan, and your user account must be an Admin of the Neon organization. You'll encounter an access error if you attempt the setup from a personal Neon account or on a Neon plan that does not offer Private Networking.
- Ensure that your client application is deployed on AWS in the same region as the Neon database you plan to connect to. The Private Networking feature is available in all Neon-supported AWS regions. Both your private access client application and Neon database must be in one of these regions.
- Install the Neon CLI. You will use it to add your VPC endpoint ID to your Neon organization. For installation instructions, see Neon CLI — Install and connect.
Configuration steps
To configure Neon Private Networking, perform the following steps:
Create an AWS VPC endpoint
- Go to the AWS VPC > Endpoints dashboard and select Create endpoint. Make sure you create the endpoint in the same VPC as your client application.
- Optionally, enter a Name tag for the endpoint (e.g., My Neon Private Networking).
- For Type, select the Endpoint services that use NLBs and GWLBs category.
- Under Service settings, specify the Service name. It must be one of the following service names, depending on your region:
  - us-east-1: com.amazonaws.vpce.us-east-1.vpce-svc-0de57c578b0e614a9
  - us-east-2: com.amazonaws.vpce.us-east-2.vpce-svc-010736480bcef5824
  - eu-central-1: com.amazonaws.vpce.eu-central-1.vpce-svc-05554c35009a5eccb
  - us-west-2: com.amazonaws.vpce.us-west-2.vpce-svc-060e0d5f582365b8e
  - ap-southeast-1: com.amazonaws.vpce.ap-southeast-1.vpce-svc-07c68d307f9f05687
  - ap-southeast-2: com.amazonaws.vpce.ap-southeast-2.vpce-svc-031161490f5647f32
- Click Verify service. If successful, you should see a Service name verified message. If not successful, ensure that your service name matches the region where you're creating the VPC endpoint.
- Select the VPC where your application is deployed.
- Add the availability zones and associated subnets you want to support.
- Click Create endpoint to complete the setup of the endpoint service.
- Note your VPC Endpoint ID. You will need it in the next step.
Add your VPC Endpoint ID to your Neon organization
Assign your VPC Endpoint ID to your Neon organization. You can do this using the Neon CLI or API.
Note: You must assign the VPC Endpoint ID, not the VPC ID.
In the following example, the VPC endpoint ID is assigned to a Neon organization in the specified AWS region using the neon vpc endpoint command:
neon vpc endpoint assign vpce-1234567890abcdef0 --org-id org-bold-bonus-12345678 --region-id aws-us-east-2
You can find your Neon organization ID in your Neon organization settings, or you can run this Neon CLI command:
neon orgs list
Optionally, you can limit access to a Neon project by allowing connections only from a specific VPC endpoint. For instructions, see Assigning a VPC endpoint restriction.
Enable Private DNS
After adding your VPC endpoint ID to your Neon organization, enable private DNS lookup for the VPC endpoint in AWS.
- In AWS, select the VPC endpoint you created.
- Choose Modify private DNS name.
- Select Enable for this endpoint.
- Save your changes.
Check your database connection string
Your Neon database connection string does not change when using Private Networking.
To verify that your connection is working correctly, you can perform a DNS lookup on your Neon endpoint hostname from within your AWS VPC. It should resolve to the private IP address of the VPC endpoint.
For example, if your Neon database connection string is:
postgresql://alex:AbC123dEf@ep-cool-darkness-123456.us-east-2.aws.neon.tech/dbname
You can run the following command from an EC2 instance inside your AWS VPC:
nslookup ep-cool-darkness-123456.us-east-2.aws.neon.tech
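As an added check that is not part of the Neon documentation, the following Python script automates the DNS verification above: it resolves the endpoint hostname with the instance's resolver and confirms every answer lies inside your VPC's CIDR blocks, flagging any address outside them, which is what you see when private DNS is not enabled on the endpoint or the lookup runs outside the VPC. The hostname and CIDR values embedded below are constructed sample values.

```python
import ipaddress
import socket
import sys
from typing import Dict, Iterable, List

# Constructed sample values; replace with your endpoint hostname and VPC CIDR blocks.
SAMPLE_HOST = "ep-cool-darkness-123456.us-east-2.aws.neon.tech"
SAMPLE_VPC_CIDRS = ["10.0.0.0/16"]


def check_resolution(addresses: Iterable[str], vpc_cidrs: Iterable[str]) -> Dict[str, object]:
    """Classify resolved addresses against the VPC's CIDR blocks.

    With private DNS enabled on the PrivateLink endpoint, every answer is an ENI
    address inside the VPC. Any address outside the VPC means the name still
    resolves to the public Neon proxy, so traffic would leave the private network.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in vpc_cidrs]
    private: List[str] = []
    public: List[str] = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (private if any(ip in net for net in nets) else public).append(str(ip))
    # Pass only if at least one answer came back and all answers are inside the VPC.
    return {"ok": bool(private) and not public, "private": private, "public": public}


def resolve(hostname: str, port: int = 5432) -> List[str]:
    """Return the distinct addresses the host resolver returns for hostname.

    On an EC2 instance this goes through the VPC's Route 53 resolver, which is
    what honours the endpoint's private DNS name.
    """
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def main(argv: List[str]) -> int:
    host = argv[1] if len(argv) > 1 else SAMPLE_HOST
    cidrs = argv[2:] if len(argv) > 2 else SAMPLE_VPC_CIDRS
    result = check_resolution(resolve(host), cidrs)
    status = "PRIVATE (PrivateLink in use)" if result["ok"] else "PUBLIC or UNRESOLVED"
    print(f"{host}: {status}")
    print(f"  inside VPC : {result['private']}")
    print(f"  outside VPC: {result['public']}")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from an EC2 instance in the VPC as `python3 check.py <hostname> <vpc-cidr> [more-cidrs]`; a non-zero exit means the connection would not use PrivateLink.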
Restrict public internet access
At this point, it's still possible to connect to a database in your Neon project over the public internet using a database connection string.
You can restrict public internet access to your Neon project via the Neon CLI or API.
To block access via the Neon CLI, use the neon projects update command with the --block-public-connections option:
neon projects update orange-credit-12345678 --block-public-connections true
In the example above, orange-credit-12345678 is the Neon project ID. You can find your Neon project ID under your project's settings in the Neon Console, or by running this Neon CLI command:
neon projects list
Assigning a VPC endpoint restriction
You can limit access to a Neon project by allowing connections only from specified VPC endpoints. Use the Neon CLI or API to set a restriction.
You can specify a CLI command similar to the following to restrict project access:
neon vpc project restrict vpce-1234567890abcdef0 --project-id orange-credit-12345678
You will need to provide the VPC endpoint ID and your Neon project ID. You can find your Neon project ID under your project's settings in the Neon Console, or by running this Neon CLI command:
neon projects list
After adding a restriction, you can check the status of the VPC endpoint to view the restricted project using the vpc endpoint status command. You will need to provide your VPC endpoint ID, region ID, and Neon organization ID.
neonctl vpc endpoint status vpce-1234567890abcdef0 --region-id=aws-eu-central-1 --org-id=org-nameless-block-72040075
┌────────────────────────┬───────┬─────────────────────────┬─────────────────────────────┐
│ Vpc Endpoint Id │ State │ Num Restricted Projects │ Example Restricted Projects │
├────────────────────────┼───────┼─────────────────────────┼─────────────────────────────┤
│ vpce-1234567890abcdef0 │ new │ 1 │ orange-credit-12345678 │
└────────────────────────┴───────┴─────────────────────────┴─────────────────────────────┘
Managing Private Networking using the Neon CLI
You can use the Neon CLI vpc command to manage Private Networking configurations in Neon.
The vpc command includes endpoint and project subcommands for managing VPC endpoints and project-level VPC endpoint restrictions:
- vpc endpoint – List, assign, remove, and retrieve the status of VPC endpoints for a Neon organization.
- vpc project – List, configure, or remove VPC endpoint restrictions for specific Neon projects.
For more details and examples, see Neon CLI commands — vpc.
Managing Private Networking using the Neon API
The Neon API provides endpoints for managing VPC endpoints and project-level VPC endpoint restrictions:
APIs for managing VPC endpoints
- List VPC endpoints
- Assign or update a VPC endpoint
- Retrieve VPC endpoint configuration details
- Delete a VPC endpoint
APIs for managing VPC endpoint restrictions
- Get VPC endpoint restrictions
- Assign or update a VPC endpoint restriction
- Delete a VPC endpoint restriction
Limits
The Private Networking feature supports a maximum of 10 private networking configurations per AWS region. Supported AWS regions are listed above.
Need help?
Join our Discord Server to ask questions or see what others are doing with Neon. Users on paid plans can open a support ticket from the console. For more details, see Getting Support.