Private Networking availability
Private Networking is available on Neon's Scale plan. If you're on a different plan, you can request a trial from the Network Security page in your project's settings.
The Neon Private Networking feature enables secure connections to your Neon databases via AWS PrivateLink, bypassing the open internet for enhanced security.
Overview
In a standard setup, the client application connects to a Neon database over the open internet via the Neon proxy.
With Neon Private Networking, you can connect to your database via AWS PrivateLink instead of the open internet. In this setup, the client application connects through an AWS endpoint service (provided by Neon) to a Neon proxy instance that is not accessible from the public internet. This endpoint service is available only within the same AWS region as your client application. With Neon Private Networking, all traffic between the client application and the Neon database stays within AWS's private network, rather than crossing the public internet.

Prerequisites
- You must be a Neon Business and Scale account user, and your user account must be a Neon organization Admin account. You'll encounter an access error if you attempt the setup from a personal Neon account or on a Neon plan that does not offer Private Networking.
- Ensure that your client application is deployed on AWS in the same region as the Neon database you plan to connect to. The Private Networking feature is available in all Neon-supported AWS regions. Both your private access client application and Neon database must be in one of these regions.
- Neon Private Networking supports both IPv4 and IPv6.
- Install the Neon CLI. You will use it to add your VPC endpoint ID to your Neon organization. For installation instructions, see Neon CLI — Install and connect.
Configuration steps
To configure Neon Private Networking, perform the following steps:
1. Create an AWS VPC endpoint
   Important: make sure you create the endpoint in the same VPC as your client application.
   - Go to the AWS VPC > Endpoints dashboard and select Create endpoint.
   - Optionally, enter a Name tag for the endpoint (e.g., My Neon Private Networking).
   - For Type, select the Endpoint services that use NLBs and GWLBs category.
   - Under Service settings, specify the Service name. Some regions require specifying two service names, and service names vary by region:
     - us-east-1: Create two entries, one for each of the following:
       - com.amazonaws.vpce.us-east-1.vpce-svc-0de57c578b0e614a9
       - com.amazonaws.vpce.us-east-1.vpce-svc-02a0abd91f32f1ed7
       - com.amazonaws.vpce.us-east-1.vpce-svc-0f37140e9710ee3af
     - us-east-2: Create two entries, one for each of the following:
       - com.amazonaws.vpce.us-east-2.vpce-svc-010736480bcef5824
       - com.amazonaws.vpce.us-east-2.vpce-svc-0465c21ce8ba95fb2
     - eu-central-1:
       - com.amazonaws.vpce.eu-central-1.vpce-svc-05554c35009a5eccb
       - com.amazonaws.vpce.eu-central-1.vpce-svc-05a252e6836f01cfd
     - aws-eu-west-2:
       - com.amazonaws.vpce.eu-west-2.vpce-svc-0c6fedbe99fced2cd
     - us-west-2: Create two entries, one for each of the following:
       - com.amazonaws.vpce.us-west-2.vpce-svc-060e0d5f582365b8e
       - com.amazonaws.vpce.us-west-2.vpce-svc-07b750990c172f22f
     - ap-southeast-1:
       - com.amazonaws.vpce.ap-southeast-1.vpce-svc-07c68d307f9f05687
     - ap-southeast-2:
       - com.amazonaws.vpce.ap-southeast-2.vpce-svc-031161490f5647f32
     - aws-sa-east-1:
       - com.amazonaws.vpce.sa-east-1.vpce-svc-061204a851dbd1a47
   - Click Verify service. If successful, you should see a "Service name verified" message. If not successful, ensure that your service name matches the region where you're creating the VPC endpoint.
   - Select the VPC where your application is deployed.
   - Add the availability zones and associated subnets you want to support.
   - Click Create endpoint to complete the setup of the endpoint service.
   - Note your VPC Endpoint ID. You will need it in the next step.
2. Add your VPC Endpoint ID to your Neon organization
   Assign your VPC Endpoint ID to your Neon organization. If the region has multiple Service Names, assign all VPC Endpoint IDs. You can do this using the Neon CLI or API.
   Note: you must assign the VPC Endpoint ID, not the VPC ID.
   In the following example, the VPC endpoint ID is assigned to a Neon organization in the specified AWS region using the neon vpc endpoint command:
   neon vpc endpoint assign vpce-1234567890abcdef0 --org-id org-bold-bonus-12345678 --region-id aws-us-east-2
   You can find your Neon organization ID in your Neon organization settings, or by running this Neon CLI command:
   neon orgs list
   Optionally, you can limit access to a Neon project by allowing connections only from a specific VPC endpoint. For instructions, see Assigning a VPC endpoint restriction.
3. Check your database connection string
   Your Neon database connection string does not change when using Private Networking.
   To verify that your connection is working correctly, perform a DNS lookup on your Neon endpoint hostname from within your AWS VPC. It should resolve to the private IP address of the VPC endpoint.
   For example, if your Neon database connection string is:
   postgresql://alex:AbC123dEf@ep-cool-darkness-123456.us-east-2.aws.neon.tech/dbname?sslmode=require&channel_binding=require
   you can run the following command from an EC2 instance inside your AWS VPC:
   nslookup ep-cool-darkness-123456.us-east-2.aws.neon.tech
4. Restrict public internet access
   At this point, it's still possible to connect to a database in your Neon project over the public internet using a database connection string.
   You can restrict public internet access to your Neon project via the Neon CLI or API.
   To block access via the Neon CLI, use the neon projects update command with the --block-public-connections option:
   neon projects update orange-credit-12345678 --block-public-connections true
   In the example above, orange-credit-12345678 is the Neon project ID. You can find your Neon project ID under your project's settings in the Neon Console, or by running this Neon CLI command:
   neon projects list
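The DNS check in step 3 can be scripted so it fails loudly when the endpoint hostname still resolves to a public address. This is an added example, not Neon's own code or CLI; it assumes you supply the CIDR blocks of the VPC subnets you attached to the endpoint, and the resolver argument exists only so the check can be exercised offline with constructed addresses (omit it to use the VPC's real DNS).

```python
"""Added check for step 3: confirm a Neon endpoint hostname resolves only to VPC-private addresses."""
import ipaddress
import socket
from urllib.parse import urlparse

# Connection string from the page's example; the credentials in it are placeholders.
SAMPLE_CONNECTION_STRING = (
    "postgresql://alex:AbC123dEf@ep-cool-darkness-123456.us-east-2.aws.neon.tech"
    "/dbname?sslmode=require&channel_binding=require"
)


def endpoint_host(connection_string):
    """Return the Neon endpoint hostname from a postgresql:// connection string."""
    host = urlparse(connection_string).hostname
    if not host:
        raise ValueError("connection string has no host component")
    return host


def resolve_all(hostname, resolver=None):
    """Return every IPv4/IPv6 address for hostname (resolver can be injected for offline use)."""
    if resolver is not None:
        return list(resolver(hostname))
    infos = socket.getaddrinfo(hostname, 5432, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_resolution(connection_string, vpc_cidrs, resolver=None):
    """Return (ok, details): ok is True only if every resolved address lies inside vpc_cidrs.

    vpc_cidrs are the CIDR blocks of the subnets where the VPC endpoint was created
    (assumed to be supplied by the operator). Any address outside them means the lookup
    is still returning the public Neon proxy rather than the PrivateLink endpoint.
    """
    host = endpoint_host(connection_string)
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    addresses = resolve_all(host, resolver)
    outside = [a for a in addresses if not any(ipaddress.ip_address(a) in n for n in networks)]
    ok = bool(addresses) and not outside
    return ok, {"host": host, "addresses": addresses, "outside_vpc": outside}


if __name__ == "__main__":
    # Constructed resolver standing in for the VPC's DNS; a real run omits resolver=.
    fake_dns = lambda _host: ["10.0.12.34"]
    print(check_private_resolution(SAMPLE_CONNECTION_STRING, ["10.0.0.0/16"], resolver=fake_dns))
```

Run it from an EC2 instance in the VPC without the resolver argument; an empty address list or any entry in outside_vpc means traffic would still leave the VPC.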
Assigning a VPC endpoint restriction
You can limit access to a Neon project by allowing connections only from specified VPC endpoints. Use the Neon CLI or API to set a restriction.
You can run a CLI command similar to the following to restrict project access:
neon vpc project restrict vpce-1234567890abcdef0 --project-id orange-credit-12345678
You will need to provide the VPC endpoint ID and your Neon project ID. If the region has multiple Service Names, all VPC Endpoint IDs must be restricted in the same way as above. You can find your Neon project ID under your project's settings in the Neon Console, or by running this Neon CLI command:
neon projects list
After adding a restriction, you can check the status of the VPC endpoint to view the restricted project using the vpc endpoint status command. You will need to provide your VPC endpoint ID, region ID, and Neon organization ID.
neon vpc endpoint status vpce-1234567890abcdef0 --region-id=aws-eu-central-1 --org-id=org-nameless-block-72040075
┌────────────────────────┬───────┬─────────────────────────┬─────────────────────────────┐
│ Vpc Endpoint Id        │ State │ Num Restricted Projects │ Example Restricted Projects │
├────────────────────────┼───────┼─────────────────────────┼─────────────────────────────┤
│ vpce-1234567890abcdef0 │ new   │ 1                       │ orange-credit-12345678      │
└────────────────────────┴───────┴─────────────────────────┴─────────────────────────────┘
Managing Private Networking using the Neon CLI
You can use the Neon CLI vpc command to manage Private Networking configurations in Neon.
The vpc command includes endpoint and project subcommands for managing VPC endpoints and project-level VPC endpoint restrictions:
- vpc endpoint: List, assign, remove, and retrieve the status of VPC endpoints for a Neon organization.
- vpc project: List, configure, or remove VPC endpoint restrictions for specific Neon projects.
For more details and examples, see Neon CLI commands — vpc.
Managing Private Networking using the Neon API
The Neon API provides endpoints for managing VPC endpoints and project-level VPC endpoint restrictions:
APIs for managing VPC endpoints
- List VPC endpoints
- Assign or update a VPC endpoint
- Retrieve VPC endpoint configuration details
- Delete a VPC endpoint
APIs for managing VPC endpoint restrictions
- Get VPC endpoint restrictions
- Assign or update a VPC endpoint restriction
- Delete a VPC endpoint restriction
Private Networking limits
The Private Networking feature supports a maximum of 10 private networking configurations per AWS region. Supported AWS regions are listed above.
Limitations
If you remove a VPC endpoint from a Neon organization, that VPC endpoint cannot be added back to the same Neon organization. Attempting to do so will result in an error. In this case, you must set up a new VPC endpoint.
Need help?
Join our Discord Server to ask questions or see what others are doing with Neon. For paid plan support options, see Support.
