Secure your Timescale Service with VPC Peering and AWS PrivateLink

You use Virtual Private Cloud (VPC) peering to ensure that your Timescale Services are only accessible through your secured AWS infrastructure. This reduces the potential attack vector surface and improves security.

The data isolation architecture that ensures a highly secure connection between your apps and Timescale:

Expand image

Your apps run inside your AWS Customer VPC, your Timescale Services always run inside the secure Timescale VPC. You control secure communication between apps in your VPC and your Timescale Services using a dedicated Peering VPC. The AWS PrivateLink connecting Timescale VPC to the dedicated Peering VPC gives the same level of protection as using a direct AWS PrivateLink connection. It only enables communication between your Customer VPC and your Timescale Services.

To configure this secure connection, you first create the Peering VPC with AWS PrivateLink in Timescale. After you have accepted and configured the peering connection to your Customer VPC, you use AWS Security Groups to restrict the services in your Customer VPC that are visible to the Peering VPC. The last step is to attach individual Timescale Services to the Peering VPC.

You can run three VPCs in each project, and each Timescale VPC can have as many peering connections as you need. If you need more VPCs click Support in Timescale Console and ask for a quota increase.

In order to set up VPC peering you need the following permissions in your AWS account:

• Accept VPC peering requests
• Configure route table rules
• Configure security group and firewall rules

To connect to a Timescale Service using VPC peering, your apps and infrastructure must be already running in an Amazon Web Services (AWS) VPC. You can peer your VPC from any AWS region. However, your Timescale VPC must be within one of the Cloud-supported regions.

The stages to create a secured connection between Timescale Services and your AWS infrastructure are:

1. Create a Peering VPC in Timescale
2. Complete the VPC connection in your AWS
3. Set up security groups in your AWS
4. Attach a Timescale Service to the Peering VPC

Create the VPC and the peering connection that enables you to securely route traffic between Timescale and your own VPC in a logically isolated virtual network.

When you receive the Timescale peering request in AWS, edit your routing table to match the IP Range and CIDR block between your AWS and Timescale VPCs.

The request acceptance process is an important safety mechanism. Do not accept a peering request from an unknown account.

Security groups allow specific inbound and outbound traffic at the resource level. You can associate a VPC with one or more security groups and each instance in your VPC may belong to a different set of security groups. The security group choices for your VPC are:

• Create a security group to use for your Timescale VPC only.
• Associate your VPC with an existing security group.
• Do nothing, your VPC is automatically associated with the default one.

Now that Timescale is communicating securely with your AWS infrastructure, you can attach one or more Timescale Services to the VPC.

After you attach a Timescale Service to a VPC, you can only access it through the peered AWS VPC. It is no longer accessible using the public internet.

And that is it, your Timescale Service is now securely communicating with your AWS account inside a VPC.

To ensure that your applications continue to run without interruption, you keep Timescale Services attached to the VPC. However, you can change the VPC your Timescale Service is attached to, or disconnect from a VPC and enable access to the Timescale Service from the public internet.

Migration takes a few minutes to complete and requires a change to DNS settings for the Service. The Service is not accessible during this time. If you receive a DNS error, allow some time for DNS propagation.