To improve security of the Neon database the connection between proxy and compute should be secure by using TLS. The encryption can protect from eavesdropping for example if some tenant manages breaking out of their VM. Also we can use the endpoint name transmitted with the TLS connection to always make sure that the endpoint is the correct one: in case of suspends there is a small chance that a connection might use the wrong compute (see https://neondb.slack.com/archives/C03438W3FLZ/p1713887192850299).
DoD
All connections between proxy and compute are secured using TLS.
Implementation ideas
Tasks
- [ ] Create an RFC to discuss possible solutions and discuss with affected teams.
Motivation
To improve security of the Neon database the connection between proxy and compute should be secure by using TLS. The encryption can protect from eavesdropping for example if some tenant manages breaking out of their VM. Also we can use the endpoint name transmitted with the TLS connection to always make sure that the endpoint is the correct one: in case of suspends there is a small chance that a connection might use the wrong compute (see https://neondb.slack.com/archives/C03438W3FLZ/p1713887192850299).
DoD
All connections between proxy and compute are secured using TLS.
Implementation ideas
Tasks