Service Security

Network Security Best Practices

When running services like databases and caches, network placement is the first security control: a service that is only reachable on a private address cannot be scanned or brute-forced from the internet. Blossom provides both public and private networking options, but we strongly recommend using private networking whenever possible.

Using Private Endpoints

We recommend creating clusters with Blossom Managed Networks (the option recommended during cluster creation). This gives you:

  • Private IP assignment for your servers
  • Internal network communication between services
  • Enhanced security through network isolation

Database Connections

For databases like PostgreSQL, MySQL, and MariaDB:

  • Preferred: Use the private endpoint in DATABASE_URL so connections never leave your private network
  • Fallback: Public endpoints are available but should only be used when private networking isn’t possible, and then only together with strong passwords and TLS
  • Security: Private networking removes the database from the reach of internet-wide port scans, credential brute-forcing and unauthorized access

Example environment variable configuration:

DATABASE_URL=postgres://user:pass@private-ip:5432/dbname

Cache Services

Redis

  • MUST USE private networking
  • Even with a password (requirepass or an ACL user) set, a Redis server on a public endpoint will log security warnings:
    • “Possible SECURITY ATTACK detected…”
    • Redis logs this when a client sends HTTP-style input (POST or Host: lines) to the Redis port, the signature of a cross-protocol scripting probe. Redis aborts that connection, but the warning tells you that internet scanners are already reaching your instance; a password only gates commands, it does not stop the port from being reached or tried
  • Configure using private endpoints:
    REDIS_URL=redis://user:pass@private-ip:6379
    

Memcached

  • CRITICAL: Must ONLY be accessed via private network
  • No authentication in its default configuration: anyone who can reach port 11211 can read, overwrite and flush every cached key
  • Extremely vulnerable if exposed to the public internet; exposed instances are also routinely abused as DDoS amplifiers when UDP is enabled
  • Always use private networking:
    MEMCACHED_URL=memcached://private-ip:11211
    

Network Configuration

  1. Choose “Create New VPC (Blossom managed)” during cluster creation
  2. Blossom automatically configures private networking
  3. Services receive both public and private IPs
  4. Use private IPs for inter-service communication

Existing Networks

If using existing networks, ensure:

  1. Private subnet configuration is properly set up
  2. Security groups or firewall rules allow internal communication only: open the service ports (5432, 6379, 11211) to the private subnet’s CIDR range, not to 0.0.0.0/0
  3. Services can reach each other via private IPs

Security Checklist

✅ Use Blossom Managed Networks when creating new clusters

✅ Configure services to use private endpoints

✅ Never expose Memcached to the public internet

✅ Use private Redis endpoints so the instance is unreachable from the internet (the “Possible SECURITY ATTACK detected” warnings are the symptom, not the problem)

✅ Review service connection strings (DATABASE_URL, REDIS_URL, MEMCACHED_URL) to ensure private endpoints are used
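The last checklist item is easy to automate. The script below is an added example for this page, not Blossom tooling: it pulls the three connection variables named above out of an environment, extracts the host from each URL, and reports any that point at a public IP. It assumes the variable names DATABASE_URL, REDIS_URL and MEMCACHED_URL, treats RFC 1918 and IPv6 ULA ranges as “private”, and flags bare hostnames for manual review rather than resolving them (so it runs offline). The sample environment is constructed; 203.0.113.10 is a documentation-range address standing in for a public IP.

```python
import ipaddress
import os
import sys
from urllib.parse import urlsplit

# Variables this page tells you to point at private endpoints (assumed names).
CHECKED_VARS = ("DATABASE_URL", "REDIS_URL", "MEMCACHED_URL")

# "Private" here means RFC 1918 (IPv4) or unique-local (IPv6) address space.
# ipaddress.is_private is deliberately not used: it also returns True for
# documentation ranges such as 203.0.113.0/24, which a real check should reject.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def endpoint_host(url):
    """Host part of a connection URL; copes with user:pass@ and [IPv6] literals."""
    return urlsplit(url).hostname  # None when the URL has no host


def classify_host(host):
    """Return 'private', 'loopback', 'public', 'hostname' (not an IP literal) or 'invalid'."""
    if not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def audit_env(env):
    """Map each present connection variable to (host, verdict)."""
    findings = {}
    for var in CHECKED_VARS:
        url = env.get(var)
        if url is not None:
            host = endpoint_host(url)
            findings[var] = (host, classify_host(host))
    return findings


def violations(findings):
    """Variables that must be fixed: public address or unparsable URL."""
    return {v: verdict for v, (_, verdict) in findings.items() if verdict in ("public", "invalid")}


def needs_review(findings):
    """Variables using a DNS name: confirm by hand that it resolves to a private IP."""
    return {v: verdict for v, (_, verdict) in findings.items() if verdict == "hostname"}


# Constructed sample environment (not from a real deployment).
SAMPLE_ENV = {
    "DATABASE_URL": "postgres://app:s3cret@10.0.1.5:5432/appdb",    # private: OK
    "REDIS_URL": "redis://default:s3cret@203.0.113.10:6379",       # public IP: violation
    "MEMCACHED_URL": "memcached://cache.internal.example:11211",    # hostname: review
}

if __name__ == "__main__":
    # With no arguments, audit the real process environment; "--sample" runs the demo.
    env = SAMPLE_ENV if "--sample" in sys.argv else os.environ
    found = audit_env(env)
    for var, (host, verdict) in found.items():
        print(f"{var}: {host} -> {verdict}")
    sys.exit(1 if violations(found) else 0)
```

Run it with `--sample` to see the constructed case, or without arguments in a deploy pipeline, where a non-zero exit blocks a rollout whose REDIS_URL or DATABASE_URL points at a public address.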