DBs in the Free plan can now autoscale up to 2 CPU. More performance without manual resizes

Protected branches

Learn how to use Neon's protected branches feature to secure your critical data

Neon's protected branches feature implements a series of protections:

  • Protected branches cannot be deleted.
  • Protected branches cannot be reset.
  • Projects with protected branches cannot be deleted.
  • Computes associated with a protected branch cannot be deleted.
  • New passwords are automatically generated for Postgres roles on branches created from protected branches. See below.
  • With additional configuration steps, you can apply IP restrictions to protected branches only. See below.

The protected branches feature is available with the Neon Scale plan.

Set a branch as protected

This example sets a single branch as protected, but you can have up to 5 protected branches.

To set a branch as protected:

  1. In the Neon Console, select a project.

  2. Select Branches to view the branches for the project.

    Branch page

  3. Select a branch from the table. In this example, we'll configure our default branch main as a protected branch.

  4. On the branch page, click the Actions drop-down menu and select Set as protected.

    Set as protected

  5. In the Set as protected confirmation dialog, click Set as protected to confirm your selection.

    Set as protected confirmation

    Your branch is now designated as protected, as indicated by the protected branch shield icon, shown below.

    Branch page badge

    The protected branch designation also appears on your Branches page.

    Branches page badge

New passwords generated for Postgres roles on child branches

When you create a branch in Neon, it includes all Postgres databases and roles from the parent branch. By default, Postgres roles on the child branch will have the same passwords as on the parent branch. However, this does not apply to protected branches. When you create a child branch from a protected branch, new passwords are generated for the Postgres roles on the child branch.

This behavior is designed to prevent the exposure of passwords that could be used to access your protected branch. For example, if you have designated a production branch as protected, the automatic password change for child branches ensures that you can create child branches for development or testing without risking access to data on your production branch.

Feature notes

  • This feature was released on July, 31, 2024. If you have existing CI scripts that create branches from protected branches, please be aware that passwords for Postgres roles on those newly created branches will now differ. If you depend on those passwords being the same, you'll need to make adjustments to get the correct connection details for those branches.
    • After a branch is created, the up-to-date connection string is returned in the output of the Create Branch GitHub Action.
    • After resetting a branch from its parent, you can get the connection details for the branch using the Neon CLI connection-string command.
  • Resetting a child branch from a protected parent branch currently restores Postgres role passwords on the child branch to those used on the protected parent branch. This issue will be addressed in an upcoming release. See reset from parent to understand how Neon's branch reset feature works.

How to apply IP restrictions to protected branches

The protected branches feature works in combination with Neon's IP Allow feature to allow you to apply IP access restrictions to protected branches only. The basic setup steps are:

  1. Define an IP allowlist for your project
  2. Restrict IP access to protected branches only
  3. Set a branch as protected (if you have not done so already)

Define an IP allowlist for your project

To configure an allowlist:

  1. Select a project in the Neon Console.
  2. On the Project Dashboard, select Settings.
  3. Select IP Allow. IP Allow configuration
  4. Specify the IP addresses you want to permit. Separate multiple entries with commas.
  5. Click Save changes.

For details about specifying IP addresses, see How to specify IP addresses.

Restrict IP access to protected branches only

After defining an IP allowlist, the next step is to select the Restrict access to protected branches only option.

IP Allow configuration

This option removes IP restrictions from all branches in your Neon project and applies them to protected branches only.

After you've selected the protected branches option, click Save changes to apply the new configuration.

Remove branch protection

Removing a protected branch designation can be performed by selecting Set as unprotected from the More drop-down menu on the branch page.

Need help?

Join our Discord Server to ask questions or see what others are doing with Neon. Users on paid plans can open a support ticket from the console. For more detail, see Getting Support.

Last updated on

Was this page helpful?