February 09, 2022
Enabling static egress IPs in the Prisma Data Platform
We're launching Early Access support for static egress IPs. Keep your databases secure by ensuring that the Prisma Data Platform only connects to your database from specific IPs. Try it out and share your feedback.
Keeping your database secure
When building database-backed applications, keeping your database secure is of utmost importance. Databases typically contain sensitive information and personal user data. As a developer or company, it's your responsibility to ensure you have taken measures to keep your database secure to prevent unauthorized access.
For this reason, it is common practice to take a layered approach to database security, whereby you layer defenses and protection mechanisms on top of each other to protect your database.
For example, projects using a database likely employ several layers of security defenses:
- Password or mutual TLS authentication.
- Firewall and IP allowlists to only allow database access from known hosts.
- Isolating database access from public internet with private networking and VPCs.
- Principle of least privilege whereby each entity/component (person, service account) has the minimum necessary access rights to perform its purpose.
- TLS (Transport Layer Security) to encrypt all traffic between the application and the database in transit, so credentials and query results cannot be read or tampered with on the wire.
By layering defenses, you protect your database from different attack vectors and minimize the risk of a breach.
Database security in the Prisma Data Platform
The Prisma Data Platform comes with tools to build and collaborate on database-driven applications. The Data Browser, Query Console, and the Data Proxy all rely on access to your database.
Previously, the Data Platform relied solely on authentication as the security layer for your database. When creating a project in the Prisma Data Platform, you pass a database connection string that includes the authentication details (username and password) that the Platform uses to connect to your database.
After gathering feedback from Prisma users, we learned that many could not adopt the Prisma Data Platform due to security constraints.
Because the IPs from which the Data Platform connects to your database are dynamic by default and can change, you would have to open up your database to the public internet – a big no-no in most situations.
Moreover, cloud providers like Google Cloud have strict security defaults that prevent public internet access to Cloud SQL databases without configuring authorized networks from which the database can be accessed.
Improving security with static egress IPs
At Prisma, we take security seriously, which is why we are excited to launch Early Access support for static egress IPs.
Most cloud database providers provide a way to restrict database access to a set of known origin public IP addresses.
With static egress IPs enabled, you get a fixed list of IPs that the Prisma Data Platform exclusively uses to connect to your database. This lets you connect the Prisma Data Platform to databases that block public internet access: you add only those static egress IPs to the database firewall's allowlist instead of opening the database to all sources.
Static egress IPs work seamlessly across all Data Platform features: data browser, query console, and data proxy.
You can enable static egress IPs for both new and existing projects, so databases that are protected from the public internet can still be used with the Prisma Data Platform.
Note: the egress IP addresses are specific to the region where the Data Proxy is configured. Changing the region of the Data Proxy changes the egress IPs, so you must update the IP allowlist at your database provider accordingly, otherwise connections from the new region will be rejected.
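The allowlist only protects the database if it contains the platform's egress IPs and nothing broader. The following is an added example (not part of the original post and not Prisma's own code) that audits a database provider's allowlist against the egress IPs shown in an environment's settings: it flags entries that are wider than a single host (such as `0.0.0.0/0`), egress IPs that are not allowed yet, and stale entries left behind, for example, after a region change. All IP addresses below are constructed sample values from the RFC 5737 documentation ranges; the function names and the sample allowlist shape are this example's own assumptions, not a Prisma or cloud provider API.

```python
"""Audit a database IP allowlist against the Prisma Data Platform's static egress IPs.

Added example, not Prisma's own code. Assumptions (all hypothetical):
- EXPECTED_EGRESS_IPS is copied from the environment settings in the Data Platform.
- The allowlist is a flat list of CIDR strings as reported by the database provider,
  e.g. the `value` fields of `authorizedNetworks` from
  `gcloud sql instances describe INSTANCE --format=json`.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (RFC 5737 documentation addresses), not real egress IPs.
EXPECTED_EGRESS_IPS = ["203.0.113.10", "203.0.113.11"]

# Constructed sample allowlist: someone "temporarily" opened the database to the
# internet, one current egress IP is present, and an old region's IP was left behind.
SAMPLE_ALLOWLIST = ["0.0.0.0/0", "203.0.113.10/32", "198.51.100.7/32"]


@dataclass
class AllowlistReport:
    wide_open: list = field(default_factory=list)   # entries broader than a single host
    missing: list = field(default_factory=list)     # expected egress IPs not yet allowed
    unexpected: list = field(default_factory=list)  # allowed hosts that are not egress IPs

    @property
    def ok(self) -> bool:
        return not (self.wide_open or self.missing or self.unexpected)


def audit_allowlist(allowlist, expected_ips, max_prefix_slack=0) -> AllowlistReport:
    """Compare allowlist CIDRs with the expected egress IPs.

    The platform publishes individual addresses, so by default only host entries
    (/32 or /128) are acceptable; anything broader by more than max_prefix_slack
    bits is reported as wide open rather than matched against the egress IPs.
    """
    report = AllowlistReport()
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    covered = set()
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        if net.max_prefixlen - net.prefixlen > max_prefix_slack:
            report.wide_open.append(entry)
            continue
        hits = {ip for ip in expected if ip in net}
        if hits:
            covered |= hits
        else:
            report.unexpected.append(entry)
    report.missing = sorted(str(ip) for ip in expected - covered)
    return report


def desired_authorized_networks(expected_ips):
    """Return the exact host-only allowlist the database should have (e.g. 203.0.113.10/32)."""
    return sorted(str(ipaddress.ip_network(ip)) for ip in expected_ips)


if __name__ == "__main__":
    report = audit_allowlist(SAMPLE_ALLOWLIST, EXPECTED_EGRESS_IPS)
    print("wide open :", report.wide_open)
    print("missing   :", report.missing)
    print("unexpected:", report.unexpected)
    print("allowlist should be exactly:", ",".join(desired_authorized_networks(EXPECTED_EGRESS_IPS)))
```

On Google Cloud SQL the corrected list can be applied with `gcloud sql instances patch INSTANCE --authorized-networks=203.0.113.10/32,203.0.113.11/32`, which replaces the whole authorized-networks list, so re-run the audit after any Data Proxy region change to catch IPs that have moved.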
Enabling static egress IPs
You can enable static egress IPs per environment in both new and existing projects.
For new projects
You will be prompted with an option to enable static IPs when configuring an environment in the project creation flow.
For an existing environment
To enable static egress IPs, choose a project in the Data Platform, go to the environment settings, and enable static IPs.
Learn more about the feature in the docs
Static egress IPs in the Prisma Data Platform should help more users adopt the Prisma Data Platform while keeping their database secure.
However, our efforts do not end there; we are actively investigating additional authentication mechanisms like self-managed TLS certificates for database connections.
To keep up to date with the latest changes in the Prisma Data Platform, check out the changelog.
To get a glimpse into our current priorities and upcoming features, check out our public roadmap.
Try the static egress IPs and share your feedback
Since static egress IPs are in Early Access, we don't recommend relying on them in production yet.
📫 Help us improve the Prisma Data Platform by sharing feedback, issues, bugs, and questions with us using the green Intercom button on the bottom right corner of the Prisma Data Platform.
🌍 Join us on our Slack in the #prisma-data-platform channel for help.