Automate schema migrations using DizzleORM and GitHub Actions - Manage thousands of tenants with this workflow
Docs/Features/Protected branches

Protected branches

Learn how to use Neon's protected branches feature to secure your critical data

Neon's protected branches feature implements a series of protections:

  • Protected branches cannot be deleted.
  • Protected branches cannot be reset.
  • Projects with protected branches cannot be deleted.
  • Computes associated with a protected branch cannot be deleted.
  • New passwords are automatically generated for Postgres roles on branches created from protected branches. See below.
  • With additional configuration steps, you can apply IP Allow restrictions to protected branches only. The IP Allow feature is available on the Neon Scale and Business plans. See below.

The protected branches feature is available on all Neon paid plans.

Set a branch as protected

This example sets a single branch as protected, but you can have up to 5 protected branches.

To set a branch as protected:

  1. In the Neon Console, select a project.

  2. Select Branches to view the branches for the project.

    Branch page

  3. Select a branch from the table. In this example, we'll configure our default branch main as a protected branch.

  4. On the branch page, click the Actions drop-down menu and select Set as protected.

    Set as protected

  5. In the Set as protected confirmation dialog, click Set as protected to confirm your selection.

    Set as protected confirmation

    Your branch is now designated as protected, as indicated by the protected branch shield icon, shown below.

    Branch page badge

    The protected branch designation also appears on your Branches page.

    Branches page badge

New passwords generated for Postgres roles on child branches

When you create a branch in Neon, it includes all Postgres databases and roles from the parent branch. By default, Postgres roles on the child branch will have the same passwords as on the parent branch. However, this does not apply to protected branches. When you create a child branch from a protected branch, new passwords are generated for the matching Postgres roles on the child branch.

This behavior is designed to prevent the exposure of passwords that could be used to access your protected branch. For example, if you have designated a production branch as protected, the automatic password change for child branches ensures that you can create child branches for development or testing without risking access to data on your production branch.

Please note that resetting or restoring a child branch from a protected parent branch preserves passwords for matching Postgres roles on the child branch. Please refer to the feature notes below for more.

Feature notes

  • The "new password" feature for child branches was released on July, 31, 2024. If you have existing CI scripts that create branches from protected branches, please be aware that passwords for matching Postgres roles on those newly created branches will now differ. If you depend on those passwords being the same, you'll need to make adjustments to get the correct connection details for those branches.
  • Prior to September, 6, 2024, resetting or restoring a child branch from a protected parent branch restored passwords for matching Postgres roles on the child branch to those used on the protected parent branch. As of September, 6, 2024, passwords for matching Postgres roles on the child branch are preserved when resetting or restoring a child branch from a protected parent branch.

How to apply IP restrictions to protected branches

On Neon's Business plan, you can use the protected branches feature in combination with Neon's IP Allow feature to apply IP access restrictions to protected branches only. The basic setup steps are:

  1. Define an IP allowlist for your project
  2. Restrict IP access to protected branches only
  3. Set a branch as protected (if you have not done so already)

Define an IP allowlist for your project

To configure an allowlist:

  1. Select a project in the Neon Console.
  2. On the Project Dashboard, select Settings.
  3. Select IP Allow. IP Allow configuration
  4. Specify the IP addresses you want to permit. Separate multiple entries with commas.
  5. Click Save changes.

For details about specifying IP addresses, see How to specify IP addresses.

Restrict IP access to protected branches only

After defining an IP allowlist, the next step is to select the Restrict access to protected branches only option.

IP Allow configuration

This option removes IP restrictions from all branches in your Neon project and applies them to protected branches only.

After you've selected the protected branches option, click Save changes to apply the new configuration.

Remove branch protection

Removing a protected branch designation can be performed by selecting Set as unprotected from the Actions menu on the branch page.

Need help?

Join our Discord Server to ask questions or see what others are doing with Neon. Users on paid plans can open a support ticket from the console. For more details, see Getting Support.

Last updated on

Was this page helpful?