Security

Managed Postgres is built with enterprise-grade security features to protect your data and meet compliance requirements. This page covers network security, encryption, and backup retention policies.

IP filters control which source IP addresses are permitted to connect to your Managed Postgres instance, providing network-level access control to protect your database from unauthorized connections.

For detailed information on configuring IP filters, see the Settings page.

You can specify:

Individual IP addresses (e.g., 203.0.113.5 )

) CIDR ranges for networks (e.g., 192.168.1.0/24 )

) Anywhere to allow all IP addresses (not recommended for production)

to allow all IP addresses (not recommended for production) Nowhere to block all connections

Production best practices If no IP filters are configured, connections from all IP addresses are permitted. For production workloads, restrict access to known IP addresses or CIDR ranges. Consider limiting access to: Your application servers

VPN gateway IP addresses

Bastion hosts for administrative access

CI/CD pipeline IPs for automated deployments

Managed Postgres encrypts your data both at rest and in transit to ensure comprehensive data protection.

All data stored by Managed Postgres is encrypted at rest to protect against unauthorized access to the underlying storage infrastructure.

Your database files, transaction logs, and temporary files stored on NVMe drives are encrypted using industry-standard encryption algorithms. This encryption is transparent to your applications and requires no configuration.

Backups and Write-Ahead Log (WAL) archives stored in object storage are also encrypted at rest. This includes:

Full daily backups

Incremental WAL archives

Point-in-time recovery data

All backup data is stored in dedicated, isolated storage buckets with credentials scoped to each individual instance, ensuring that backup data remains secure and accessible only to authorized systems.

References Encryption at rest is enabled by default for all Managed Postgres instances and cannot be disabled. No additional configuration is required.

All network connections to Managed Postgres are secured using TLS (Transport Layer Security) to protect data as it moves between your applications and the database.

By default, connections use TLS encryption without certificate verification. For production workloads, we recommend connecting with verified TLS to ensure you're communicating with the correct server.

For more details on TLS configuration and connection options, see the Connection page.

Private Link enables private connectivity between your Managed Postgres instance and your Virtual Private Cloud (VPC) without exposing traffic to the public internet. This provides an additional layer of network isolation and security.

Manual setup required Private Link support is available but requires manual configuration by ClickHouse support. This feature is ideal for enterprise customers with strict network isolation requirements.

To enable Private Link for your Managed Postgres instance:

Contact ClickHouse support by creating a support ticket Provide the following information: Your ClickHouse organization ID

ID/hostname of postgres service

AWS account IDs/ARNs which you'd like to connect the private link with (Optional) Any regions other than the Postgres instance region you'd like to connect from

ClickHouse support will: Provision the Private Link endpoint on the Managed Postgres side

Provide you with endpoint connection details which you can use to create an endpoint interface. Setup your Private Link: Create the Private Link by heading over to endpoint interface in AWS settings and using the configuration provided by the ClickHouse support.

Once your Private Link is in an "Available" state, you can connect to it by using the Private DNS name provided in the AWS UI.

Managed Postgres automatically backs up your data to protect against accidental deletion, corruption, or other data loss scenarios.

Default retention period : 7 days

: 7 days Backup frequency : Daily full backups + continuous WAL archiving (every 60 seconds or 16 MB, whichever comes first)

: Daily full backups + continuous WAL archiving (every 60 seconds or 16 MB, whichever comes first) Recovery granularity: Point-in-time recovery to any moment within the retention window

Backups are stored with the same security guarantees as your primary data:

Encryption at rest in object storage

in object storage Isolated storage buckets per instance with scoped credentials

per instance with scoped credentials Access control limited to the Postgres Instance linked to the backup.

For more details on backup strategies and point-in-time recovery, see the Backup and restore page.