Blossom Logo Blossom

Database Security

Categories: databases security networking configuration
3 min read

Network Security Best Practices

When running databases and cache services, proper network configuration is crucial for security. Blossom provides both public and private networking options, but we strongly recommend using private networking whenever possible.

Using Private Endpoints

We recommend creating clusters with Blossom Managed Networks (recommended option during cluster creation). This enables:

  • Private IP assignment for your servers
  • Internal network communication between services
  • Enhanced security through network isolation

Database Connections

For relational databases like PostgreSQL, MySQL, and MariaDB:

  • Preferred: Use private endpoints for DATABASE_URL to ensure connections stay within your private network
  • Fallback: Public endpoints are available but should only be used when private networking isn’t possible
  • Security: Private networking reduces exposure to potential attacks and unauthorized access

Example environment variable configuration:

DATABASE_URL=postgres://user:pass@private-ip:5432/dbname

Cache Services

Redis

Redis MUST USE private networking:

  • Even with password protection, public Redis endpoints will trigger security warnings:
    • “Possible SECURITY ATTACK detected…”
    • These warnings indicate your Redis instance is potentially vulnerable
  • Configure using private endpoints: 
    REDIS_URL=redis://user:pass@private-ip:6379

Memcached

Memcached is CRITICAL - Must ONLY be accessed via private network:

  • No built-in authentication mechanism
  • Extremely vulnerable if exposed to public internet
  • Always use private networking: 
    MEMCACHED_URL=memcached://private-ip:11211

Network Configuration

Using Blueprints (Easiest)

The easiest way to get secure networking is to use Blueprints when creating your infrastructure:

  1. Create a new cluster using a Blueprint
  2. Blossom automatically provisions a VPC with private networking configured
  3. All servers receive both public and private IPs
  4. Services can communicate securely using private IPs

Blueprints handle all the VPC setup, subnets, and network configuration for you - no manual network setup required.

Blossom Managed Networks (Manual Setup)

If creating infrastructure manually without Blueprints:

  1. Choose “Create New VPC (Blossom managed)” during cluster creation
  2. Blossom automatically configures private networking
  3. Services receive both public and private IPs
  4. Use private IPs for inter-service communication

Existing Networks

If using existing networks, ensure:

  1. Private subnet configuration is properly set up
  2. Security groups or firewall rules allow internal communication
  3. Services can reach each other via private IPs

Security Checklist

✅ Use Blossom Managed Networks when creating new clusters

✅ Configure services to use private endpoints

✅ Never expose Memcached to public internet

✅ Use private Redis endpoints to avoid security warnings

✅ Review service connection strings to ensure private endpoints are used

Redis Build Customizations
Blossom Docs