How to Secure Network Access to Your Managed Service for TimescaleDB Service

Introduction

It's the easiest question to ask, but the hardest to answer about any system: is it secure? Having a secure system doesn't have a binary "yes or no" answer like the question implies. Security is implemented in layers and each choice comes with tradeoffs.

That said, one very common and critical piece of any security story is the network. First, you must protect your system from the outside and work inward. The most basic network protection that can be applied is to limit the set of ports for access, thus reducing the attack surface area.

Exposing a minimal set of ports is a good start, but another layer you can apply is to restrict inbound traffic to a minimal set of source IP ranges. Managed Service for TimescaleDB lets you configure which source IP addresses are allowed to connect to your TimescaleDB instance through the connection port.

This tutorial will walk you through how to quickly and easily configure this capability.

Before You Start

You can follow the Getting Started With TimescaleDB tutorial to get signed up and create your first database instance. We’ll start from there.

Step 1 - Navigate to Your TimescaleDB Instance

Once you have a database instance set up in the TimescaleDB portal, browse to this service and click on the “Overview” tab. In the “Connection Information” section, you will see the port number that is used for database connections. This is the port we will protect by managing inbound access.

Step 2 - Find the Allowed IP Addresses Section

Scroll down to find the "Allowed IP Addresses" section. By default, this value is set to 0.0.0.0/0, which is wide open: a prefix length of 0 matches every IPv4 source address.

IMPORTANT: This wide-open setting simplifies getting started since it will accept incoming traffic from all sources, but you will absolutely want to narrow this range.

If you are curious about how to interpret this CIDR syntax, check out this great online tool to help decipher CIDR.

Step 3 - Change the Allowed IP Addresses

Click “Change” and adjust the CIDR value based on where your source traffic will come from. For example, entering a value of 192.168.1.15/32 will ONLY allow incoming traffic from a source IP of 192.168.1.15 and will deny all other traffic.

Step 4 - Save Your Changes

Click "Save Changes". The new setting takes effect immediately.
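
Before saving in Step 4, it helps to check what each CIDR value actually covers. The following is an added example, not part of the original tutorial or the TimescaleDB portal: the function name, the 256-address threshold, and the sample addresses (other than the tutorial's 192.168.1.15/32 and 0.0.0.0/0) are assumptions made for illustration.

```python
import ipaddress

MAX_ADDRESSES = 256  # assumed review threshold: anything larger than a /24 gets flagged

def review_allowlist(entries, client_ips):
    """Review candidate "Allowed IP Addresses" values before entering them.

    entries: CIDR strings as they would be typed into the portal.
    client_ips: source addresses that must still be able to connect.
    Returns (findings, uncovered); findings are (entry, kind, detail) tuples.
    """
    findings, networks = [], []
    for entry in entries:
        try:
            # strict=True rejects values with host bits set, e.g. 192.168.1.15/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                wide = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "invalid", "not a valid CIDR range"))
            else:
                findings.append((entry, "host-bits",
                                 f"prefix spans all of {wide}, not a single host"))
            continue  # ambiguous or invalid values are not counted as coverage
        if net.prefixlen == 0:
            findings.append((entry, "open", "matches every source address"))
        elif net.num_addresses > MAX_ADDRESSES:
            findings.append((entry, "broad", f"{net.num_addresses} addresses"))
        else:
            findings.append((entry, "ok", f"{net.num_addresses} address(es)"))
        networks.append(net)
    # Clients that no valid entry covers would be locked out after saving.
    uncovered = [ip for ip in client_ips
                 if not any(ipaddress.ip_address(ip) in n for n in networks)]
    return findings, uncovered

if __name__ == "__main__":
    # Constructed sample input: the tutorial's two values plus illustrative ones.
    candidates = ["0.0.0.0/0", "192.168.1.15/32", "192.168.1.15/24",
                  "203.0.113.0/24", "10.0.0.0/8", "not-a-cidr"]
    clients = ["192.168.1.15", "198.51.100.7"]
    for entry, kind, detail in review_allowlist(candidates, clients)[0]:
        print(f"{entry:18} {kind:10} {detail}")
    print("locked out with only the /32:",
          review_allowlist(["192.168.1.15/32"], clients)[1])
```

An "uncovered" client would be denied as soon as the change is saved, so confirm the list of required source addresses is complete before narrowing the range.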

Conclusion

Limiting IP address inbound access is just one option to improve the security of your TimescaleDB database instance. There are many other types of security measures you should take into account when securing your data. To learn more about security options within TimescaleDB, visit here.