
Neon Private Networking

Learn how to connect to your Neon database via AWS PrivateLink

Private Networking availability

Private Networking is available on Neon's Business and Enterprise plans.

The Neon Private Networking feature enables secure connections to your Neon databases via AWS PrivateLink, bypassing the open internet for enhanced security.

Overview

In a standard setup, the client application connects to a Neon database over the open internet via the Neon proxy.

With Neon Private Networking, you can connect to your database via AWS PrivateLink instead of the open internet. In this setup, the client application connects through an AWS endpoint service (provided by Neon) to a Neon proxy instance that is not accessible from the public internet. This endpoint service is available only within the same AWS region as your client application. With Neon Private Networking, all traffic between the client application and the Neon database stays within AWS's private network, rather than crossing the public internet.

Neon Private Networking diagram

Prerequisites

  • You must be a Neon Business or Enterprise account user, and your user account must be a Neon organization Admin account. You'll encounter an access error if you attempt the setup from a personal Neon account or on a Neon plan that does not offer Private Networking.
  • Ensure that your client application is deployed on AWS in the same region as the Neon database you plan to connect to. The Private Networking feature is available in all Neon-supported AWS regions. Both your private access client application and Neon database must be in one of these regions.
  • Install the Neon CLI. You will use it to add your VPC endpoint ID to your Neon organization. For installation instructions, see Neon CLI — Install and connect.

Configuration steps

To configure Neon Private Networking, perform the following steps:

  1. Create an AWS VPC endpoint

    important

    Do not enable private DNS names for the VPC endpoint until Step 3. You must add the VPC endpoint to your Neon organization first, as described in Step 2.

    1. Go to the AWS VPC > Endpoints dashboard and select Create endpoint. Make sure you create the endpoint in the same VPC as your client application.

    2. Optionally, enter a Name tag for the endpoint (e.g., My Neon Private Networking).

    3. For Type, select the Endpoint services that use NLBs and GWLBs category.

    4. Under Service settings, specify the Service name. It must be one of the following service names, depending on your region:

      • us-east-1: com.amazonaws.vpce.us-east-1.vpce-svc-0de57c578b0e614a9
      • us-east-2: com.amazonaws.vpce.us-east-2.vpce-svc-010736480bcef5824
      • eu-central-1: com.amazonaws.vpce.eu-central-1.vpce-svc-05554c35009a5eccb
      • us-west-2: com.amazonaws.vpce.us-west-2.vpce-svc-060e0d5f582365b8e
      • ap-southeast-1: com.amazonaws.vpce.ap-southeast-1.vpce-svc-07c68d307f9f05687
      • ap-southeast-2: com.amazonaws.vpce.ap-southeast-2.vpce-svc-031161490f5647f32
    5. Click Verify service. If successful, you should see a Service name verified message.

      If not successful, ensure that your service name matches the region where you're creating the VPC endpoint.

    6. Select the VPC where your application is deployed.

    7. Add the availability zones and associated subnets you want to support.

    8. Click Create endpoint to complete the setup of the endpoint service.

    9. Note your VPC Endpoint ID. You will need it in the next step.

  2. Add your VPC Endpoint ID to your Neon organization

    Assign your VPC Endpoint ID to your Neon organization. You can do this using the Neon CLI or API.

    note

    Please note that you must assign the VPC Endpoint ID, not the VPC ID.

    In the following example, the VPC endpoint ID is assigned to a Neon organization in the specified AWS region using the neon vpc endpoint assign command.

    neon vpc endpoint assign vpce-1234567890abcdef0 --org-id org-bold-bonus-12345678 --region-id aws-us-east-2

    You can find your Neon organization ID in your Neon organization settings, or you can run this Neon CLI command: neon orgs list

    Optionally, you can limit access to a Neon project by allowing connections only from a specific VPC endpoint. For instructions, see Assigning a VPC endpoint restriction.

  3. Enable Private DNS

    After adding your VPC endpoint ID to your Neon organization, enable private DNS lookup for the VPC endpoint in AWS.

    1. In AWS, select the VPC endpoint you created.
    2. Choose Modify private DNS name.
    3. Select Enable for this endpoint.
    4. Save your changes.

  4. Check your database connection string

    Your Neon database connection string does not change when using Private Networking.

    To verify that your connection is working correctly, you can perform a DNS lookup on your Neon endpoint hostname from within your AWS VPC. It should resolve to the private IP address of the VPC endpoint.

    For example, if your Neon database connection string is:

    postgresql://alex:AbC123dEf@ep-cool-darkness-123456.us-east-2.aws.neon.tech/dbname

    You can run the following command from an EC2 instance inside your AWS VPC:

    nslookup ep-cool-darkness-123456.us-east-2.aws.neon.tech

  5. Restrict public internet access

    At this point, it's still possible to connect to a database in your Neon project over the public internet using a database connection string.

    You can restrict public internet access to your Neon project via the Neon CLI or API.

    To block access via the Neon CLI, use the neon projects update command with the --block-public-connections option.

    neon projects update orange-credit-12345678 --block-public-connections true

    In the example above, orange-credit-12345678 is the Neon project ID. You can find your Neon project ID under your project's settings in the Neon Console, or by running this Neon CLI command: neon projects list
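As an added check for Step 4 (this script is not part of the Neon docs): it resolves the endpoint hostname from inside the VPC and classifies every returned address, so a deployment job can fail when the hostname still resolves to a public address, which means private DNS is not in effect and traffic would take the public path. The hostname, the VPC CIDR 10.0.0.0/16 and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Neon's code: confirm that a Neon endpoint hostname resolves
# to an address inside the VPC (private DNS for the VPC endpoint is active).
# Assumed: run on an EC2 instance in the VPC; hostname and CIDR are placeholders.

# ip_to_int 10.0.1.5 -> 32-bit integer value of the dotted quad
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <cidr>: succeeds when ip lies inside cidr (e.g. 10.0.0.0/16)
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# classify_ip <ip> <vpc_cidr>: "vpc" if inside the VPC CIDR, "private" if RFC 1918
# but outside the VPC (endpoint in the wrong VPC/subnet), "public" otherwise.
classify_ip() {
  local ip=$1 vpc=$2
  if in_cidr "$ip" "$vpc"; then echo vpc
  elif in_cidr "$ip" 10.0.0.0/8 || in_cidr "$ip" 172.16.0.0/12 || in_cidr "$ip" 192.168.0.0/16; then echo private
  else echo public
  fi
}

# check_neon_host <hostname> <vpc_cidr>: resolve the Neon endpoint hostname and
# return non-zero unless every A record is inside the VPC.
check_neon_host() {
  local host=$1 vpc=$2 addrs a rc=0
  addrs=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "no A records for $host" >&2; return 2; }
  for a in $addrs; do
    case "$(classify_ip "$a" "$vpc")" in
      vpc)     echo "$host -> $a (inside $vpc: PrivateLink path)" ;;
      private) echo "$host -> $a (private but outside $vpc: check endpoint VPC/subnets)" >&2; rc=1 ;;
      public)  echo "$host -> $a (public: private DNS not enabled yet)" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Usage: ./check_neon_dns.sh ep-cool-darkness-123456.us-east-2.aws.neon.tech 10.0.0.0/16
if [ $# -eq 2 ]; then check_neon_host "$1" "$2"; fi
```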

Assigning a VPC endpoint restriction

You can limit access to a Neon project by allowing connections only from specified VPC endpoints. Use the Neon CLI or API to set a restriction.

You can specify a CLI command similar to the following to restrict project access:

neon vpc project restrict vpce-1234567890abcdef0 --project-id orange-credit-12345678

You will need to provide the VPC endpoint ID and your Neon project ID. You can find your Neon project ID under your project's settings in the Neon Console, or by running this Neon CLI command: neon projects list

After adding a restriction, you can check the status of the VPC endpoint to view the restricted project using the vpc endpoint status command. You will need to provide your VPC endpoint ID, region ID, and Neon organization ID.

neonctl vpc endpoint status vpce-1234567890abcdef0 --region-id=aws-eu-central-1 --org-id=org-nameless-block-72040075
┌────────────────────────┬───────┬─────────────────────────┬─────────────────────────────┐
│ Vpc Endpoint Id        │ State │ Num Restricted Projects │ Example Restricted Projects │
├────────────────────────┼───────┼─────────────────────────┼─────────────────────────────┤
│ vpce-1234567890abcdef0 │ new   │ 1                       │ orange-credit-12345678      │
└────────────────────────┴───────┴─────────────────────────┴─────────────────────────────┘

Managing Private Networking using the Neon CLI

You can use the Neon CLI vpc command to manage Private Networking configurations in Neon.

The vpc command includes endpoint and project subcommands for managing VPC endpoints and project-level VPC endpoint restrictions:

  • vpc endpoint – List, assign, remove, and retrieve the status of VPC endpoints for a Neon organization.
  • vpc project – List, configure, or remove VPC endpoint restrictions for specific Neon projects.

For more details and examples, see Neon CLI commands — vpc.

Managing Private Networking using the Neon API

The Neon API provides endpoints for managing VPC endpoints and project-level VPC endpoint restrictions:

  • APIs for managing VPC endpoints
  • APIs for managing VPC endpoint restrictions

Private Networking limits

The Private Networking feature supports a maximum of 10 private networking configurations per AWS region. Supported AWS regions are listed above.

Limitations

If you remove a VPC endpoint from a Neon organization, that VPC endpoint cannot be added back to the same Neon organization. Attempting to do so will result in an error. In this case, you must set up a new VPC endpoint.

Need help?

Join our Discord Server to ask questions or see what others are doing with Neon. Users on paid plans can open a support ticket from the console. For more details, see Getting Support.
