hey team - one issue we have is that we are using ...
# prisma-data-platforma
Adam Kaczmarek
01/25/2022, 6:56 PMhey team - one issue we have is that we are using google sql for postgres and there is no easy way to lock down access via IP address etc when using vercel. Right now we have access set to be wide open (but with a strong password). I was wondering if maybe this was something you were looking into improving
👍 1
i
Ignacio Ampuero
01/26/2022, 1:30 AMI literally just yesterday submitted a feature request to Vercel about this, but I don't completely follow your question.
If Vercel can't pin the outgoing IP address of functions, how could Prisma Data Platform (PDP) help? From my understanding, PDP would be a managed storage solution, so it would allowlist incoming IP addresses, which again can't be done since Vercel doesn't have static IP addresses? What am I missing or misunderstanding?
a
Adam Kaczmarek
01/26/2022, 1:52 AMi assumed that maybe vercel had some relationship with vercel where this could be managed between them, but maybe not!
a
Alberto Perdomo
01/26/2022, 10:14 AM
We are about to ship a static IP feature for the platform, which lets users allow traffic from a set of public static IPs, which the PDP will use for egress, meaning you could block all traffic from other IPs to your database.
Please note that the Data Proxy will still accept incoming traffic from 0.0.0.0. This works nicely with Vercel, makes it possible to lock down the database and shifts the exposure over to the data proxy.
Would this be an improvement @Adam Kaczmarek?
a
Adam Kaczmarek
01/26/2022, 2:44 PMi think it would be about the same unless you're doing something special to filter incoming traffic that google is not doing, but glad you've thought of it
a
Alberto Perdomo
01/27/2022, 11:06 AM
So your question is about restricting access to the app to a range of known IPs and not to the database, necessarily?
a
Adam Kaczmarek
02/01/2022, 3:45 PMI'd like to restrict access to the database so that only vercel was allowed to connect. right now we use a password, which is a good first step. If there was an additional layer of security, that would be awesome.
👍 1
a
Alberto Perdomo
02/01/2022, 3:57 PM
So with this initial release of static IPs:
• you’d be able to lock down the database to be only accessed from the data proxy and other systems if required
• the data proxy itself is still going to take connections from any public internet address
Would this meet your expectations / needs?
a
Adam Kaczmarek
02/01/2022, 3:57 PMyah, i guess the real problem is with vercel
Adam Kaczmarek
02/01/2022, 3:57 PMthey wont commit to using specific addresses
a
Alberto Perdomo
02/01/2022, 6:48 PM
That was my thought too.
2 Views