Guides / Security

Algolia Vault

Algolia Vault is an additional security feature that is only available as an add-on to your plan. See our pricing page to learn more.

Algolia Vault comes into play when you need an extra level of security and control over your data, beyond typical use-cases.

For example, you might have medical records for a digital healthcare service or personal user data that you strictly need to keep accessible by internal users. Algolia Vault exists to satisfy strict technical or compliance requirements that call for disk encryption and firewall to control access.

At its core, Algolia Vault provides two things:

  • AES-256 disk encryption at rest, upon cluster creation, with per-server keys.
  • Configurable firewall to restrict access to specific IP addresses.

Disk encryption

Algolia Vault applies disk encryption with 256-bit AES to all data at rest, right when you create your cluster. You must set it up before starting to use Algolia, and cannot turn it off. If you didn’t turn on Algolia Vault before creating the cluster, the only way to enable it afterward is to create an entirely new encrypted cluster and to migrate your data to it.

Firewall

Algolia Vault gives you access to a firewall feature. It applies to both indexing and search API calls and provides network-level control over which IP addresses have access to your data you’re storing at Algolia. Your data is accessible to the IP addresses you specify (up to 1,000) and forbidden to any other.

You can configure the firewall via the REST API or the dashboard, under the Infra tab.

All applications on the same cluster share the same firewall configuration.

Enabling and disabling the firewall

By default, the firewall is disabled, and all IP addresses (or “sources”) can reach the server as long as they provide a valid application ID and API key. As soon as you enable the firewall, only whitelisted sources can access your data. The firewall is on as soon as you perform a call to set up the whitelist.

To let the Algolia support team access the API, you can add a specific source called ALGOLIA_SUPPORT.

To disable the firewall, you can pass 0.0.0.0/0 to the configuration.

Using the firewall with InstantSearch

In some types of IP-restricted implementations, you might not be able to implement InstantSearch directly from the front end. However, you can still use InstantSearch by implementing a back-end proxy that makes all the requests from your whitelisted server.

As with any proxy, this can’t be as fast as with a front-end InstantSearch implementation. However, you can still implement a full InstantSearch experience with all its features while enforcing strict access restrictions.

Did you find this page helpful?