Nov. 14, 2019

Algolia Vault

Algolia Vault is an additional security feature that is only available on the Enterprise plan. See our pricing page to learn more.

Algolia Vault comes into play when you have requirements for an extra level of security and control over your data, beyond regular use cases. For example, you might have medical records for a digital healthcare service, or personal user data that must remain accessible only to internal users.

Algolia Vault exists to satisfy these kinds of strict technical and compliance requirements, which call for disk encryption and a firewall to control access.

Algolia Vault is not turned on by default. You need to explicitly communicate that you need it enabled before the clusters are created, because this is when we encrypt them — only once, and for good.

What comes with Algolia Vault?

At its core, Algolia Vault is two things:

  • AES-256 disk encryption at rest, upon cluster creation, with per-server keys.
  • Configurable firewall to restrict access to specific IP addresses.

Disk encryption

Disk encryption with 256-bit AES is applied to all data at rest, right when the cluster is created. You must set it up before starting to use Algolia, and cannot turn it off. If you didn’t turn on Algolia Vault when creating the cluster, the only way to enable it afterward is to create a completely new encrypted cluster, and to migrate your data to it.

Firewall

With Algolia Vault enabled, you get access to the firewall feature. Its rules apply to both indexing and search API calls, and provide network-level control over which IP addresses have access to the data you’re storing at Algolia. Your data is accessible from the IP addresses you specify (up to 1000), and inaccessible from any other address.

You can configure the firewall via the REST API or the dashboard, under the Infra tab.

All applications on the same cluster share the same firewall configuration.

Enabling and disabling the firewall

By default, the firewall is not enabled, and all IP addresses (or “sources”) can reach the server. They still need to provide a valid application ID and API key to access the data stored on the cluster. However, as soon as the firewall is enabled, only whitelisted sources get to access your data. The firewall is turned on as soon as you perform a call to set up the firewall whitelist.

To specifically allow the Algolia support team access to the API, you can add a special source called ALGOLIA_SUPPORT.

To disable the firewall completely, pass 0.0.0.0/0 to the firewall configuration.
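
A pre-flight check for a proposed whitelist, as an added example (not Algolia's code). It uses the limits and special values stated above (1000 sources, ALGOLIA_SUPPORT, 0.0.0.0/0) and assumes sources are plain IP addresses or CIDR ranges; the name `lint_whitelist` and the sample addresses are constructed for illustration.

```python
import ipaddress

MAX_SOURCES = 1000                    # limit stated on this page
SUPPORT_SOURCE = "ALGOLIA_SUPPORT"    # special source named on this page
OPEN_TO_ALL = ipaddress.ip_network("0.0.0.0/0")  # disables the firewall


def lint_whitelist(sources, must_reach=()):
    """Return (errors, warnings) for a proposed firewall whitelist.

    sources:    strings, each an IP address, a CIDR range or ALGOLIA_SUPPORT
                (CIDR ranges other than 0.0.0.0/0 are an assumption).
    must_reach: IPs of your own servers that have to keep access, for
                example the back end that proxies search requests.
    """
    errors, warnings, networks, seen = [], [], [], set()
    if len(sources) > MAX_SOURCES:
        errors.append(f"{len(sources)} sources exceeds the limit of {MAX_SOURCES}")
    for raw in sources:
        entry = raw.strip()
        if entry in seen:
            warnings.append(f"duplicate source: {entry}")
            continue
        seen.add(entry)
        if entry == SUPPORT_SOURCE:
            warnings.append("Algolia support team is allowed")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"not an IP address or CIDR range: {entry!r}")
            continue
        if net == OPEN_TO_ALL:
            errors.append("0.0.0.0/0 disables the firewall completely")
        networks.append(net)
    # Setting the whitelist turns the firewall on, so confirm that your own
    # servers are covered before applying it.
    for ip in must_reach:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            errors.append(f"{ip} would lose access once the whitelist is applied")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, not real servers.
    proposed = ["203.0.113.10", "198.51.100.0/24", "ALGOLIA_SUPPORT"]
    print(lint_whitelist(proposed, must_reach=["198.51.100.7", "192.0.2.44"]))
```

Run it against the list you intend to submit through the dashboard or REST API; an empty error list means every entry parsed, the count is within the limit, and each server in `must_reach` is covered.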

InstantSearch in an IP-controlled environment

In some types of IP-restricted implementations, you might not be able to implement InstantSearch directly. However, you can still use InstantSearch by implementing a back end proxy that makes all the requests from your whitelisted server. As with any proxy, this isn’t as fast as with a front end InstantSearch implementation. However, it still allows you to implement a full InstantSearch experience with all its features while enforcing that the data comes from your own server.
