Data in Valkey database clusters is encrypted at rest with LUKS (Linux Unified Key Setup) and in transit with SSL. However, there are additional steps you can take to ensure that your data is safe.
Restrict Incoming Connections
You can greatly decrease the likelihood of a security breach by restricting which DigitalOcean resources or external IP addresses are allowed to access the nodes in a cluster. This prevents brute force password and denial-of-service attacks from any server not explicitly permitted to connect.
Typically, only the application servers are allowed to connect to the database cluster. Users access the public-facing site, and the public-facing server authenticates and manages database connections in turn.
Add a Trusted Source Using the CLI
How to Add a Trusted Source Using the DigitalOcean CLI
- Install
doctl, the official DigitalOcean CLI.
- Create a personal access token and save it for use with
doctl.
- Use the token to grant
doctl access to your DigitalOcean account.
- Finally, run
doctl databases firewalls append. Basic usage looks like this, but you can read the usage docs for more details:
doctl databases firewalls append <database-cluster-id> --rule <type>:<value> [flags]
ca9f591d-f38h-5555-a0ef-1c02d1d1e35 that allows any resources with the example-tag to access the database:
doctl databases firewalls append ca9f591d-f38h-5555-a0ef-1c02d1d1e35 --rule tag:example-tag
Add a Trusted Source Using the API
How to Add or Remove a Trusted Source Using the DigitalOcean API
- Create a personal access token and save it for use with the API.
- Send a PUT request to
https://api.digitalocean.com/v2/databases/{database_cluster_uuid}/firewall.
cURL
Using cURL:
curl -X PUT \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
-d '{"rules": [{"type": "ip_addr","value": "192.168.1.1"},{"type": "droplet","value": "163973392"},{"type": "k8s","value": "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61"},{"type": "tag","value": "backend"}]}' \
"https://api.digitalocean.com/v2/databases/9cc10173-e9ea-4176-9dbc-a4cee4c4ff30/firewall"
Go
Using Godo, the official DigitalOcean API client for Go:
import (
"context"
"os"
"github.com/digitalocean/godo"
)
func main() {
token := os.Getenv("DIGITALOCEAN_TOKEN")
client := godo.NewFromToken(token)
ctx := context.TODO()
req := godo.DatabaseUpdateFirewallRulesRequest{
Rules: []*godo.DatabaseFirewallRule{
{
Type: "ip_addr",
Value: "192.168.1.1",
},
{
Type: "droplet",
Value: "163973392",
},
{
Type: "k8s",
Value: "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61",
},
},
}
_, err := client.Databases.UpdateFirewallRules(ctx, dbID, &req)
}
Python
Using PyDo, the official DigitalOcean API client for Python:
import os
from pydo import Client
client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))
req = {
"rules": [
{
"type": "ip_addr",
"value": "192.168.1.1"
},
{
"type": "k8s",
"value": "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61"
},
{
"type": "droplet",
"value": "163973392"
},
{
"type": "tag",
"value": "backend"
}
]
}
update_resp = client.databases.update_firewall_rules(database_cluster_uuid="a7a8bas", body=req)
Add a Trusted Source using the Control Panel
To restrict access to a database cluster, click the name of the cluster in the control panel to go to its Overview page, then click the Settings tab.
In the section titled Trusted Sources, click Edit to open the Add trusted sources text box.
You can enter Droplets, Kubernetes clusters, tags, apps, or specific IP addresses. Entering a tag provides access to the database for any Droplets or Kubernetes nodes containing that tag. At this time, DigitalOcean Cloud Firewalls are not supported.
You currently cannot add IPv6 rules to a database cluster’s trusted sources.