VeloDB Cloud 26.x · Apache Doris 4.x (≤ 4.0 supported) · "Since X.Y" tags refer to Doris versions

Network Security

VeloDB Cloud warehouses can be reached over the public network with an IP allowlist or privately over PrivateLink. This guide explains the security model behind each access method so you can decide how to expose a warehouse to your applications and clients.

For the step-by-step connection workflow, see the Connection page.

Access Methods

VeloDB Cloud warehouses can be reached over two network paths:

| Access method | When to use it | Main security control | Operational page |
|---|---|---|---|
| Public network | Quick start, development, ad-hoc access, or environments without a VPC. | IP allowlist. | Connection |
| PrivateLink | Production access from inside your own VPC. | Private endpoint connectivity across cloud-provider private networking. | Connection |

Most production workloads use PrivateLink. Public Link is available for simpler access patterns and should be restricted with an IP allowlist.

On the warehouse Connection page, switch to the Public Link tab to manage the public-network connection.

To access the warehouse over the public network, add the source public IP address or CIDR block to the allowlist. You can add, disable, or remove allowlist entries at any time.

Note: The default allowlist entry is 0.0.0.0/0, which opens the warehouse to the entire public internet. Remove it as soon as you have added your real source IPs to reduce security risks.

After the source IP is allowlisted, users can connect through WebUI Login, MySQL, JDBC, or HTTP using the examples shown on the Connection page.
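The allowlist rules above are simple to state but easy to get wrong in practice, so the following added example (not VeloDB tooling; the allowlist entries, addresses and the `enabled` field are constructed to mirror the add/disable/remove controls described on the Connection page) audits an allowlist the way a reviewer would: it flags any enabled entry that still admits the whole internet, such as the default 0.0.0.0/0, and reports which entry actually admits a given client address.

```python
"""Audit a public-network IP allowlist (added example, not VeloDB Cloud code).

Entries are either a single IP address or a CIDR block, matching what the
Connection page accepts. All values below are constructed placeholders.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample allowlist; "enabled" mirrors the disable control described
# in the text. The first entry is the default that the note says to remove.
SAMPLE_ALLOWLIST = [
    {"cidr": "0.0.0.0/0", "enabled": True, "comment": "default entry"},
    {"cidr": "203.0.113.0/24", "enabled": True, "comment": "office egress"},
    {"cidr": "198.51.100.7", "enabled": False, "comment": "old jump host (disabled)"},
]

# Prefixes shorter than this admit more than 16 million addresses; treat them
# as a finding even when they are not literally 0.0.0.0/0.
WIDE_OPEN_PREFIX = 8


def parse_entry(cidr: str) -> Network:
    """Normalise a single IP or CIDR string into a network object.

    strict=False accepts a host address with a prefix (e.g. 10.1.2.3/24),
    which cloud consoles commonly allow; it is treated as the containing block.
    """
    return ipaddress.ip_network(cidr, strict=False)


def find_over_permissive(entries: Iterable[dict]) -> List[str]:
    """Return findings for enabled entries that admit the entire internet or a huge range."""
    findings = []
    for entry in entries:
        if not entry["enabled"]:
            continue  # disabled entries admit nothing
        net = parse_entry(entry["cidr"])
        if net.prefixlen == 0:
            findings.append(
                f"{entry['cidr']}: admits every address; remove after adding real source IPs"
            )
        elif net.prefixlen < WIDE_OPEN_PREFIX:
            findings.append(f"{entry['cidr']}: very wide range (/{net.prefixlen})")
    return findings


def matching_entry(client_ip: str, entries: Iterable[dict]) -> Optional[str]:
    """Return the most specific enabled entry that admits client_ip, or None.

    Knowing *which* entry admits a client shows whether access depends on a
    deliberate rule or only on the catch-all default.
    """
    addr = ipaddress.ip_address(client_ip)
    best: Optional[str] = None
    for entry in entries:
        if not entry["enabled"]:
            continue
        net = parse_entry(entry["cidr"])
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > parse_entry(best).prefixlen:
            best = entry["cidr"]
    return best


if __name__ == "__main__":
    for finding in find_over_permissive(SAMPLE_ALLOWLIST):
        print("FINDING:", finding)
    for ip in ("203.0.113.9", "198.51.100.7"):
        print(ip, "admitted by", matching_entry(ip, SAMPLE_ALLOWLIST))
```

Run against the constructed list, the audit reports the default entry as a finding, and shows that 198.51.100.7 is admitted only because of that catch-all, since its own entry is disabled. Once 0.0.0.0/0 is removed, the same address is no longer admitted at all, which is the state the note above is asking for.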

PrivateLink lets applications inside your own VPC access VeloDB Cloud across VPC boundaries over a private network. It simplifies network architecture and avoids exposing warehouse access to the public internet.

A PrivateLink connection has two ends: an Endpoint Service and an Endpoint.

| Direction | VeloDB Cloud owns | Customer owns | Use case |
|---|---|---|---|
| Access VeloDB from your VPC | Endpoint Service. | Endpoint in your VPC. | BI tools, applications, reporting jobs, and log analytics jobs that connect to the warehouse. |
| VeloDB accesses your VPC | Endpoint created by VeloDB Cloud. | Endpoint Service in your VPC. | VeloDB reads from resources inside your VPC, for example a data source for import. |

PrivateLink setup is region-scoped. The cloud-provider region must match the VeloDB warehouse region. Security groups, subnets, and endpoint DNS names are configured in the cloud-provider console as described in Connection.
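The point of PrivateLink is that the warehouse is reached only through an endpoint inside your VPC, so a useful pre-flight check is to confirm that the endpoint DNS name your clients use resolves exclusively to addresses within your VPC CIDR. The following added example (not VeloDB tooling) performs that check; the hostname, the VPC CIDR and the injected resolver results are constructed placeholders, and the default resolver simply uses the operating system's DNS.

```python
"""Confirm clients are on the PrivateLink path (added example, not VeloDB Cloud code).

An endpoint DNS name configured in the cloud-provider console should resolve
only to private addresses inside the customer VPC. Any public address, or a
private address outside the expected VPC CIDR, means traffic would not be
using the private endpoint. Hostnames and CIDRs here are placeholders.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve a hostname with the OS resolver; returns de-duplicated addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_private_endpoint(
    hostname: str, vpc_cidr: str, resolver: Resolver = system_resolver
) -> Dict[str, object]:
    """Classify the addresses an endpoint name resolves to.

    ok is True only when the name resolves to at least one address and every
    address lies inside vpc_cidr.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    addresses = resolver(hostname)
    in_vpc, outside_vpc, public = [], [], []
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if addr in vpc:
            in_vpc.append(text)
        else:
            outside_vpc.append(text)
            if not addr.is_private:
                public.append(text)  # would leave the private path entirely
    return {
        "hostname": hostname,
        "addresses": addresses,
        "in_vpc": in_vpc,
        "outside_vpc": outside_vpc,
        "public": public,
        "ok": bool(addresses) and not outside_vpc,
    }


if __name__ == "__main__":
    # Placeholder endpoint name and VPC range; substitute your own values.
    result = check_private_endpoint("vpce-PLACEHOLDER.example.internal", "10.0.0.0/16")
    print(result)
```

Resolving to a private address that is outside your VPC CIDR is reported separately from resolving to a public address: the first usually points at a misconfigured endpoint or DNS zone, the second at a client that is not using the PrivateLink endpoint at all.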

BYOC Network Placement

In BYOC deployments, data storage and compute resources are retained in your own VPC. The BYOC creation pages document provider-specific setup for AWS, Google Cloud, and Azure, including VPC or subnet preparation and cloud-resource orchestration.

For BYOC security operations, see BYOC Security. For provider-specific setup, see Create BYOC Warehouse.

Security Features

The Security Features page summarizes the VeloDB Cloud network security model:

  • External network access must go through the gateway.
  • Operations and maintenance access must go through VPN.
  • Organizations are isolated from each other.
  • Public network access is restricted by IP allowlist.
  • Private network connection limits access sources through cloud-provider private networking.