IP Allowlist
Every Nearbase instance has an IP allowlist that controls which IP addresses are permitted to connect. By default, all IPs are allowed (0.0.0.0/0). For production databases, restrict this to only the IPs your application servers use.
Viewing and Editing the Allowlist
- Open the instance in the console.
- Go to the Security tab.
- You’ll see the current list of allowed IP addresses and CIDR ranges.
- Add or remove entries as needed, then save.
Entries can be individual IPs or CIDR ranges:
| Entry | Description |
|---|
203.0.113.42 | Allow a single IP address |
203.0.113.0/24 | Allow an entire subnet |
0.0.0.0/0 | Allow all IPs (default — not recommended for production) |
Leaving 0.0.0.0/0 in the allowlist means your database port is reachable
from any IP on the internet. It is still protected by password authentication
and SSL, but removing broad allowlist entries adds an extra layer of defense.
Recommended Setup
For most deployments, allowlist only your application servers’ outbound IPs:
- Single server: add its static IP.
- Cloud provider (e.g., AWS, GCP): add your NAT gateway or egress IP range.
- Local development: add your workstation’s IP temporarily. Remove it when done.
If your application runs on a service that does not have a static IP, consider
routing database traffic through a NAT gateway or VPN with a fixed egress IP.
SSL / TLS
All Nearbase databases enforce TLS encryption in transit. Connections without SSL are rejected at the server level — there is no way to disable this.
Encryption at Rest
Data stored on disk is encrypted at rest using AES-256 encryption managed by the underlying cloud infrastructure.
Certificate Verification
When connecting with sslmode=require, the driver encrypts the connection but does not verify the server certificate. For stricter verification use sslmode=verify-full with a trusted CA bundle, or rely on sslmode=require which is sufficient for most applications.
# Require SSL (recommended default)
psql "host={instance-id}.pg.nearbase.app port=5432 dbname=postgres user=admin password={password} sslmode=require"
Password Management
Your instance’s admin password is set during provisioning and displayed once in the console. Store it securely in your application’s secret management system (e.g., environment variables, a secrets manager like AWS Secrets Manager or HashiCorp Vault).
If you need to reset your password, contact team@m.nearbase.dev.