VeloDB Cloud 26.x · Apache Doris 4.x (≤ 4.0 supported) · "Since X.Y" tags refer to Doris versions

Security Features

VeloDB Cloud provides a complete set of security mechanisms, including isolation, authentication, authorization, encryption, and auditing, to protect customer data and services.

Security capabilities

VeloDB Cloud provides end-to-end data security across the following dimensions:

  • Resource isolation: Storage and computing between organizations are isolated from each other.
  • Identity authentication: Prove the identity of the visitor (user or application).
  • Access control: Set user access rights to data so that data permissions can be controlled in a fine-grained manner.
  • Data protection: Storage and transmission encryption ensure that data is not leaked through physical disks or network monitoring.
  • Network security: Public network allowlist, private network links, inter-organization security groups, and optional independent VPC ensure the security of network connections.
  • Security audit: Transparent and complete audit of operations in the console and warehouse.
  • Application security: VeloDB Cloud defends against attacks.

Resource isolation

SaaS deployment

VeloDB Cloud ensures complete isolation of data between different organizations through storage and computing isolation:

Data storage

  1. Each organization uses a separate object storage bucket in each region; the bucket is set to private access and uses STS authentication.
  2. Each warehouse is assigned its own cloud IAM role, and storage access to the warehouse's data is granted only to that role.
  3. Cache data is stored only locally in the cluster, and different warehouses cannot access each other's cache data.

Computing resources

  1. Clusters are not shared across warehouses; each cluster belongs to exactly one warehouse.
  2. Each organization's clusters enforce strict firewall rules through security groups, so that clusters of different organizations cannot connect to each other.

BYOC deployment

In a VeloDB Cloud BYOC deployment, warehouse compute and customer warehouse storage are deployed in your cloud environment. That placement protects the customer-controlled data plane, but should not be read as a blanket statement for control-plane metadata, operational telemetry, logs, support records, diagnostics, query-related records, access evidence, or other operational records.

Data storage

Customer warehouse storage is deployed in your cloud environment and governed by the BYOC deployment model and applicable customer or cloud-provider configuration.

Computing resources

  1. Warehouse compute resources are deployed in your own cloud resource pool, providing data warehouse services.
  2. A warehouse can contain multiple clusters, which share underlying data. Different clusters can meet different workloads, such as statistical reports, interactive analysis, etc., and the workloads between multiple clusters do not interfere with each other.

Identity Authentication

Any access to the VeloDB Cloud control plane or data plane requires identity authentication. The control plane supports multi-factor authentication (MFA); the data plane authenticates with the MySQL protocol (including HTTP access), supports IP allowlist and blocklist mechanisms, and enforces password policies against weak or brute-forced passwords.

For details, see Identity and Access.

Access Control

VeloDB Cloud separates console access (organization roles), management API access (API keys), and warehouse access (database users). Inside a warehouse, access follows the MySQL-style permission model with role-based access control (RBAC), object-level privileges, and fine-grained row-level, column-level, and masking controls. For the access model and role details, see Identity and Access. For row policy, view, and masking syntax, see Data Access Control.

Data Protection

Storage Encryption

Stored data is protected in two layers: the storage layer (cloud object storage and cache disks encrypted by the cloud platform with cloud-managed keys) and an optional warehouse layer (Transparent Data Encryption, which you can back with a customer-managed KMS key). For details, see Encryption at Rest.

Transmission Encryption

On AWS, the Nitro System encrypts traffic between instances by default, covering internal cluster traffic and inbound client traffic over PrivateLink or BYOC private networking (not public access). At the protocol level, object storage load and export (Amazon S3, Azure Blob Storage, and Google Cloud Storage) use HTTPS by default, and lakehouse access, Kafka, and CDC from PostgreSQL and MySQL support SSL when enabled; SSL for the MySQL protocol, JDBC, and Stream Load is coming soon. For details, see Encryption in Transit.

High availability, backup, and disaster recovery are covered separately under Reliability.

Network security

Under the principle of least privilege, VeloDB restricts VPC network rules: external access goes through the gateway, operations access goes through VPN, and organizations are isolated from each other. Warehouses can be reached over the public network (restricted by IP allowlist) or over a private network connection scoped to a single VPC.

For access methods, IP allowlists, PrivateLink, and BYOC network placement, see Network Security.

Security Audit

Console control operations and warehouse access operations are both audited, and customers can review audit information from the console. For organization activity logs, SQL audit, and the audit_log table, see Audit Logging.

Application Security

VeloDB uses security products such as a cloud firewall, a Web Application Firewall (WAF), and database audit to secure its cloud applications.