Use Timescale

Secure your Timescale Cloud services with VPC Peering and AWS PrivateLink

You use Virtual Private Cloud (VPC) peering to ensure that your Timescale Cloud services are only accessible through your secured AWS infrastructure. This reduces the potential attack vector surface and improves security.

The data isolation architecture that ensures a highly secure connection between your apps and Timescale Cloud:

The AWS Security Groups dashboard

Your apps run inside your AWS Customer VPC, your services always run inside the secure Timescale Cloud VPC. You control secure communication between apps in your VPC and your services using a dedicated Peering VPC. The AWS PrivateLink connecting Timescale Cloud VPC to the dedicated Peering VPC gives the same level of protection as using a direct AWS PrivateLink connection. It only enables communication to be initiated from your Customer VPC to services running in the Timescale Cloud VPC. Timescale Cloud cannot initiate communication with your VPC.

To configure this secure connection, you first create the Peering VPC with AWS PrivateLink in Timescale Console. After you have accepted and configured the peering connection to your Customer VPC, you use AWS Security Groups to restrict the services in your Customer VPC that are visible to the Peering VPC. The last step is to attach individual services to the Peering VPC.

The number of VPCs you can attach to your project depends on your pricing plan. If you need more VPCs either contact contact support@timescale.com or change your pricing plan in Timescale Console. Each Timescale Cloud VPC can have as many peering connections as you need.

Prerequisites

In order to set up VPC peering you need the following permissions in your AWS account:

  • Accept VPC peering requests
  • Configure route table rules
  • Configure security group and firewall rules

Set up a secured connection between Timescale Cloud and AWS

To connect to a Timescale Cloud service using VPC peering, your apps and infrastructure must be already running in an Amazon Web Services (AWS) VPC. You can peer your VPC from any AWS region. However, your Timescale Cloud VPC must be within one of the Cloud-supported regions.

The stages to create a secured connection between Timescale Cloud services and your AWS infrastructure are:

  1. Create a Peering VPC in Timescale Console
  2. Complete the VPC connection in your AWS
  3. Set up security groups in your AWS
  4. Attach a Timescale Service to the Peering VPC

Create a Peering VPC in Timescale Console

Create the VPC and the peering connection that enables you to securely route traffic between Timescale Cloud and your own VPC in a logically isolated virtual network.

  1. In Timescale Console > VPC, click New VPC.

    The number of VPCs you can attach to your project depends on your pricing plan. If you need more VPCs either contact contact support@timescale.com or change your pricing plan in Timescale Console. Each Timescale Cloud VPC can have as many peering connections as you need.

  2. Choose your region and IP range, then click Create VPC.

    Create a new VPC in Timescale Cloud

  3. For as many peering connections as you need:

    1. In the VPC Peering column, click Add.

    2. Enter information about your existing AWS VPC, then click Add Connection.

      Create a new Timescale Cloud VPC

Timescale Cloud sends a peering request to your AWS account so you can complete the VPC connection in AWS.

Complete the VPC connection in AWS

When you receive the Timescale Cloud peering request in AWS, edit your routing table to match the IP Range and CIDR block between your AWS and Timescale Cloud VPCs.

When you peer a VPC with multiple CIDRs, all CIDRs are added to the Timescale Cloud rules automatically. After you have finished peering, further changes in your VPC's CIDRs are not detected automatically. If you need to refresh the CIDRs, please recreate the peering connection.

The request acceptance process is an important safety mechanism. Do not accept a peering request from an unknown account.

  1. In AWS > VPC Dashboard > Peering connections, select the peering connection request from Timescale Cloud.

    Copy the peering connection ID to the clipboard. The connection request starts with pcx-.

  2. In the peering connection, click Route Tables, then select the Route Table ID that corresponds to your VPC.

  3. In Routes, click Edit routes. You see the list of existing Destinations.

    Create a new VPC route
    .

    If you do not already have a destination that corresponds to the IP range / CIDR block of your Timescale VPC:

    1. Click Add route, and set:
      • Destination: the CIDR block of your Timescale VPC. For example: 10.0.0.7/17.
      • Target: the peering connection ID you copied to your clipboard.
    2. Click Save changes.

Network traffic is secured between your AWS account and Timescale Cloud for this project.

Set up security groups in AWS

Security groups allow specific inbound and outbound traffic at the resource level. You can associate a VPC with one or more security groups and each instance in your VPC may belong to a different set of security groups. The security group choices for your VPC are:

  • Create a security group to use for your Timescale Cloud VPC only.
  • Associate your VPC with an existing security group.
  • Do nothing, your VPC is automatically associated with the default one.

To create a security group specific to your Timescale Cloud VPC:

  1. AWS > VPC Dashboard > Security Groups, click Create security group.

  2. Enter the rules for this security group:

    The AWS Security Groups dashboard
    • VPC: select the VPC that is peered with Timescale.
    • Inbound rules: leave empty.
    • Outbound rules:
      • Type: Custom TCP
      • Protocol: TCP
      • Port range: 5432
      • Destination: Custom
      • Info: the CIDR block of your Timescale Cloud VPC.

  3. Click Add rule, then click Create security group.

Attach a Timescale Cloud service to the Peering VPC

Now that Timescale Cloud is communicating securely with your AWS infrastructure, you can attach one or more services to the VPC.

After you attach a service to a VPC, you can only access it through the peered AWS VPC. It is no longer accessible using the public internet.

  1. In Timescale Console > Services select the service you want to connect to the VPC.
  2. Click Operations > VPC.
  3. Select the VPC, then click Attach VPC.

And that is it, your service is now securely communicating with your AWS account inside a VPC.

Migrate a Timescale Cloud service between VPCs

To ensure that your applications continue to run without interruption, you keep service attached to the VPC. However, you can change the VPC your service is attached to, or disconnect from a VPC and enable access to the service from the public internet.

Info

Timescale Cloud uses a different DNS for services that are attached to a VPC. When you migrate a service between public access and a VPC, you need to update your connection string.

  1. In Timescale Console > Services select the service to migrate.

    If you don't have a service, create a new one.

  2. Click Operations > VPC.

  3. Select the VPC, then click Attach VPC.

Migration takes a few minutes to complete and requires a change to DNS settings for the Service. The service is not accessible during this time. If you receive a DNS error, allow some time for DNS propagation.

Keywords

PrivateLinkAWSvpcservicesoperations

Found an issue on this page?Report an issue or Edit this page in GitHub.

PreviousTroubleshootingNextHyperfunctions

Related Content

Service management
Manage your service from the Operations dashboard
About Timescale Cloud services
Learn more about Timescale Cloud services
PostgreSQL extensions
Use PostgreSQL extensions with your Timescale service
About security in Timescale Cloud
Get an overview of security on Timescale
postgis PostgreSQL extension
Use the postgis extension with your Timescale service
pgcrypto PostgreSQL extension
Use the pgcrypto extension with your Timescale service