Securing Your Time-Series Data With VPC Peering for Timescale

Note: This blog post was originally published in May 2021 and updated in December 2021.

We are happy to announce that Timescale users can now enable VPC peering in the three major AWS regions: us-east-1, us-west-2, and eu-west-1 🎉

Virtual Private Cloud (or VPC) peering enables you to securely access data stored in Timescale from your existing cloud infrastructure without ever exposing your services to the public internet, ensuring maximum safety and privacy.

More specifically, this feature enables you to create a private network “peering” connection between your Amazon VPC(s) and your Timescale VPC(s), making it possible for the machines in the two VPCs to speak to each other directly without going through the wider Internet. The services within your Timescale VPC will only be accessible from your Amazon VPC; by isolating services in such a manner, you gain greater security and control over your database.

VPC peering is very easy to set up in Timescale, but it can also be used for more advanced deployments. For example, you can create multiple Virtual Private Clouds per service, meaning that you could have a separate VPC for different applications, or for your dev, staging, and production environments - each with its own set of security and access control preferences.

To learn more about how VPC peering works on Timescale, keep reading - or visit our docs if you want to get started right away.

If you’re new to Timescale, create an account (100% free for 30 days, no credit card required). Once you start using Timescale, join our community to ask us any questions about VPC peering, TimescaleDB, PostgreSQL, time-series data, and more!

Shout out to all the engineers and designers who worked on this feature: Anthony Dodd, Nick Calibey, James Hong, Camila Hirthe Memelsdorff, and the entire team of reviewers and testers.

How VPC peering works

Architecture diagram showing the peering connection between the Amazon and Timescale VPCs, which now can communicate through private IP addresses.

Virtual Private Clouds (VPCs) are an abstraction that allows all your resources to communicate with each other as if they were located in a single data center and single private network. This is extremely useful, as they provide you with greater security and access control over the infrastructure running on your network.

VPC peering creates a private network "peering" connection between your Amazon VPC (and its associated AWS resources) and a Timescale VPC (and its associated TimescaleDB services).

This makes it possible for machines in the different VPCs to talk to each other directly without going through the public Internet; in fact, they both communicate using private IP addresses, which are not routable on the public Internet. By doing so, resources in these separate VPCs can behave as if they were part of the same data center, enabling developers to enforce more stringent security and access control rules.

Using VPC peering on Timescale is a four-step process:

  1. First, you create a new VPC in Timescale to attach database services to.
  2. Next, you configure your VPC so it “peers” with your existing Amazon VPC.
  3. You can then move existing databases into this new VPC. New databases can be also created within the VPC from the start, so they are never exposed to the public Internet. To do this is as simple as selecting the VPC you want your database to live in when creating your Timescale service.
  4. You can connect to any Timescale service from your own AWS infrastructure simply by using your service hostname.
The VPC tab in Timescale shows a list of your project VPCs, their peering status, and the number of services attached to each VPC.

VPC peering on Timescale is easy to get started with but it is also designed to support more complex deployments, such as users creating separate VPC(s) for their dev, staging, and production environments. For example, when a service “graduates” from staging to production, you could re-assign that service to your production VPC with a single click, while keeping the service secured and never exposed to the public Internet. You can also move a service from within a VPC to the public Internet if needed (although still only accessible via SSL), and vice versa.

In Timescale, you can migrate between VPCs in one click.

Securing your data

VPC peering adds another important layer of security to Timescale. Our goal is always to deliver a worry-free experience for all developers, and we take the safety and security of your data as of utmost importance.

Here are just a few of the other ways in which Timescale takes your security seriously:

  • High availability via instantaneous recovery for all services
  • Point-in-time recovery via automated, continuous incremental backups
  • Data encrypted at rest and in transit and only accessible via SSL
  • Flexible role-based access controls within your database service

How to get started

Check out the Timescale documentation for instructions on how to enable VPC peering in Timescale, including:

  • Creating a new VPC in Timescale
  • Creating a peering connection
  • Completing the VPC connection in AWS
  • Setting up security groups in AWS
  • Creating a Timescale service with VPC attachment
  • Migrating services between public and private networks and between VPCs

If you’re new to Timescale, create a free account to get started with a fully-managed Timescale instance (100% free for 30 days, no credit card required).

Once you are using TimescaleDB,  join the TimescaleDB community and ask us any questions you may have about time-series data, databases, and more.

And, for those who share our mission of serving developers worldwide and want to join our global, fully-remote team: we are hiring broadly across many roles.

To the stars! 🐯 🚀