Teams switch from Aurora Serverless to Neon for better performance and 80% less costs. Read more
Company

Restrict access to the production branch 

You can now set up branches as “protected”, so they can’t be accessed or altered by unauthorized devs

Post image

Via database branching workflows, developers can quickly experiment and ship updates—this is why we often hear how Neon accelerates development for teams. But it can be nerve-wracking to think that you might accidentally delete the production branch or project.

To give you peace of mind, we’ve implemented protected branches in Neon. By designating a branch as protected, you’ll enforce specific restrictions regarding access and usability, preventing any accidents and limiting access to allowlisted IP lists and networks.

How protected branches are different from regular branches 

Once you set a branch to protected, you’ll enforce a set of rules regarding access control and operational restrictions:

  • Protected branches cannot be deleted or reset. This safeguards critical data from potential accidents. Similarly, projects containing protected branches cannot be deleted, nor can compute endpoints associated with protected branches.
  • Only authorized IP addresses can connect to protected branches. Access to these branches can be limited to the specific IP addresses defined in the project’s IP allowlist. This ensures that only connections from your protected, e.g. production networks can be established to these branches. 

Coming soon: We’ll enhance protected branches by ensuring the production branch credentials aren’t reused in dev and testing branches. Sign up for our Early Access list if you’d like to test it first.

When to protect your branch 

It’s good practice to enable branch protection for all your production branches, as well as any other branches critical to the workflow (e.g., staging).

Here are some reasons why you might want to do this:

Preventing accidental deletions or resets

When things are moving fast in the development process, there’s always a risk of accidental deletions or resets of important branches. By protecting your branch, you eliminate this possibility, giving you peace of mind against accidents with major consequences. 

Maintaining compliance

Some data regulations enforce access controls and audit trails—you might want to ensure that only allowed sources from internal networks have access to customer data in production.

Safeguarding staging environments

Protecting the staging branch is also a good idea. This ensures that only trusted team members can access and modify this environment, preventing changes that could lead to inconsistencies between staging and production.

How to protect a branch in Neon

First, select which branches within the project will have the protected status: 

  • Navigate to the Branches page. 
  • Choose the branch to protect, click the Actions drop-down menu, and select Set as protected.

This will make it so it’s not possible to delete this branch. Then, optionally, you can configure IP Allow for your project, if you also want to restrict access to specific IP addresses:

  • In the Neon console, go to Project settings. 
  • Select IP Allow, and specify the IP addresses to permit.
  • Save changes.

Done. Your branch will show as protected; only clients from allowlisted IP addresses and networks will be able to connect to it, and you won’t be able to delete or reset it unless the protected status is first revoked. 

Visit our docs for detailed instructions.

Now available in the Scale plan

Branch protection is a feature available in the Neon Scale plan, which offers full platform access for scaling production workloads, with priority support and up to 500 branches per project. If you don’t yet have a Neon account, you can also get started with our Free tier.