Encryption in Transit
VeloDB Cloud protects data in transit at two layers: the cloud infrastructure encrypts traffic between instances, and individual protocols add their own encryption on top. Which layer applies depends on the network path and the protocol.
Infrastructure-Layer Encryption
On AWS, the Nitro System encrypts traffic between instances automatically; no configuration is required. This covers:
- Internal traffic between the compute instances that run a warehouse.
- Client and application traffic that reaches the warehouse over PrivateLink, and private-network traffic within a BYOC deployment.
When you connect over a private path on AWS, your traffic is encrypted in transit at the infrastructure layer regardless of protocol, including protocols that do not yet provide their own TLS. Public-network (public access) connections do not go through this layer.
Protocol-Layer Encryption
Protocol-level encryption depends on the channel. Object storage load and export use HTTPS by default. Lakehouse access to external sources, Kafka ingestion, and CDC from PostgreSQL and MySQL support SSL when you enable it. SSL for the MySQL protocol, JDBC, and Stream Load is coming soon.
| Channel | Purpose | Protocol-level encryption |
|---|---|---|
| MySQL protocol | How users and applications connect to and query the warehouse. | TLS, coming soon. |
| JDBC | How users and applications connect to the warehouse over JDBC. | SSL, coming soon. |
| Lakehouse sources | Federated access to external sources such as JDBC-compatible databases and Iceberg. | SSL, depending on the data source. |
| Load from object storage | Ingestion from object stores such as Amazon S3, Azure Blob Storage, and Google Cloud Storage. | HTTPS, by default. |
| Load from Kafka | Streaming ingestion via Routine Load. | SSL, when you enable it. |
| Load via CDC | VeloDB consumes change data from PostgreSQL and MySQL source databases via continuous load. | SSL, when you enable it. |
| Stream Load | HTTP-based ingestion. | SSL, coming soon. |
| Export to object storage | Export to object stores such as Amazon S3, Azure Blob Storage, and Google Cloud Storage. | HTTPS, by default. |
The MySQL protocol, JDBC, and Stream Load do not yet provide protocol-level encryption (coming soon). Until then, prefer a private path: over PrivateLink or within BYOC on AWS, connections to the warehouse are encrypted by the Nitro System, and on the public network you should restrict access with an IP allowlist. See Network Security.
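Until protocol-level TLS ships for the MySQL protocol, the practical question is whether a given endpoint already advertises it. The server's initial greeting carries its capability flags, and the CLIENT_SSL bit says whether a TLS upgrade is offered. The check below is an added example, not VeloDB code: it reads only the server greeting (no credentials are sent) and parses the capability flags; the host and port you pass are your own warehouse endpoint, and `build_greeting` constructs sample packets so the parser can be exercised offline.

```python
"""Check whether a MySQL-protocol endpoint offers TLS in its greeting.
Added example, not VeloDB code. Host and port are supplied by the caller
(assumption: your warehouse's MySQL-protocol endpoint)."""
import socket
import struct

CLIENT_SSL = 0x0800  # capability bit a server sets when it can do TLS


def parse_handshake(packet: bytes) -> dict:
    """Parse a MySQL HandshakeV10 greeting (4-byte header + payload)."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if not payload or payload[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting")
    end = payload.index(b"\x00", 1)           # NUL-terminated server version
    version = payload[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                          # connection id, auth data 1, filler
    caps = struct.unpack_from("<H", payload, pos)[0]   # lower capability bits
    pos += 2
    if len(payload) > pos:                    # optional trailer is present
        pos += 1 + 2                          # character set, status flags
        caps |= struct.unpack_from("<H", payload, pos)[0] << 16
    return {"version": version, "connection_id": conn_id,
            "capabilities": caps, "tls_offered": bool(caps & CLIENT_SSL)}


def build_greeting(caps: int) -> bytes:
    """Constructed HandshakeV10 packet, for offline testing only."""
    payload = (b"\x0a" + b"8.0.0-test\x00" + struct.pack("<I", 7)
               + b"A" * 8 + b"\x00" + struct.pack("<H", caps & 0xFFFF)
               + b"\x21" + struct.pack("<H", 2) + struct.pack("<H", caps >> 16)
               + b"\x00" + b"\x00" * 10 + b"B" * 13)
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, read only the server greeting, and close the socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = s.recv(4)
        length = int.from_bytes(header[:3], "little")
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
    return parse_handshake(header + body)
```

When `probe(...)` reports `tls_offered` as False for an endpoint, the only transit protection on that connection is the infrastructure layer, which applies on a private path (PrivateLink or BYOC on AWS) and not on the public network.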
Connection Paths
Transport encryption should be considered together with the network path used to reach the warehouse:
| Connection path | Security documentation |
|---|---|
| Public Link | Connection, Network Security |
| PrivateLink | Connection, Network Security |
| BYOC | BYOC Security, Create BYOC Warehouse |