Prevent public database access (AWS RDS with Vercel)
I currently have a database setup on AWS RDS that I connect to from my app hosted on Vercel. However from this article - https://vercel.com/guides/how-to-allowlist-deployment-ip-address Vercel suggests that I keep my security rules open for all connections (0.0.0.0). This seems like a great security risk even if my database is not that large yet. Do I have to decouple my backend and put it in an EC2 instance and abandon backend type safety for that reason alone?
Vercel Documentation
How do I identify my Vercel deployment IP address?
Information on how to handle IP allowlisting for a Vercel deployment.
7 Replies
If I understand your question correctly, you’ll want to keep your security rules at 0.0.0.0 for your Vercel deployment. This is so that any IP address is able to access your app.
Your RDS instance, on the other hand, you’ll probably want to lock down a bit more. At my job, we typically keep RDS instances restricted to only the IP of the app that needs to access it and maybe a few additional IPs (for developers, etc.).
I’m not sure how experienced you are with deployments and security, but typically your frontend/app has much more loose security than your backend/db. If you lock your frontend down to only certain IPs, then no one will be able to access your site and I doubt that is what you’re aiming for. 0.0.0.0 typically means “any IP”, so that is probably why it is the recommended default for Vercel.
Your RDS instance, on the other hand, you’ll probably want to lock down a bit more. At my job, we typically keep RDS instances restricted to only the IP of the app that needs to access it and maybe a few additional IPs (for developers, etc.).
I’m not sure how experienced you are with deployments and security, but typically your frontend/app has much more loose security than your backend/db. If you lock your frontend down to only certain IPs, then no one will be able to access your site and I doubt that is what you’re aiming for. 0.0.0.0 typically means “any IP”, so that is probably why it is the recommended default for Vercel.
I’ve typically worked with databases either not managed by me or in an app where everything is in one cluster, not worrying about security. I definitely have little experience with security and firewalls and my understanding right now is that if I set my database access to 0.0.0.0 (every IP) anyone would be able to try and access it. As secure as I make my password or change it every week or so I fear that eventually someone is going to access the database. Since I will be working with personal data and I live in Europe I’m afraid of risking fines and potential breaches if the database gets attacked. So maybe I’m not completely understanding the problem but I just want to make sure that in the future this will not be a major security issue. (of course there are many other things I need to worry about)
First of all I would recommend you don't use AWS since it's quite expensive for any service you use 😂 and instead use maybe something like PlanetScale who are better IMO.
Secondly, I don't know if you have to configure some other security details on RDS, but even if you only create a password it should be safe enough. I'm sure AWS is doing a pretty good job of protecting their data and servers. And since your password will only be used on your backend, you don't need to worry too much.
e.g. you can use this command to generate a secure pass which needs like a hundred years to decrypt...
And much better than that you won't get no matter what DB you use... unless you manage your own infra, but that's another set of problems altogether.
Haha I would love to manage my own infra but I’m far away from that so for now I will just have to settle with the thousands of solutions far smarter people than me have built.
Thank you so much for the clarification! I think I will go will try with Neon for this stage because it looks promising and I want be able to capture some of Postgres features that unfortunately planet scale doesn’t offer and their pricing sounds MUCH better than AWS 😂
Look into DigitalOcean managed databases then. There is a bit more setup, and at the beginning it's a bit more expensive... but it's still better than AWS that gets exponentially more expensive as you have more users 👍
Good luck
AWS maybe expensive but experience with AWS is very valuable. If can get good at AWS it’s lucrative.
If you need to expose the db to 0.0.0.0 a WAF or Firewall can be used to protect the db from attack but can be a bit complicated to setup and configure. A good long password with maybe a non-default port is probably good enough for a small site.
Sounds promising, I will definitely look into that since it is supposed to be a <1000 users a month website for now anyway. Thanks for the heads up