Algolia Vault is an additional security feature that is only available as an add-on to your plan. See the pricing page to learn more.
Algolia Vault gives you an extra level of security and control over your data, beyond typical use-cases.
For example, a digital healthcare service might have medical records or personal user data that needs to be accessible to internal users only. Algolia Vault exists to meet strict technical or compliance requirements that call for disk encryption and restricted access.
At its core, Algolia Vault provides two things:
- Advanced Encryption Standard (AES), specifically AES-256, for disk encryption at rest, with per-server keys.
- Configurable firewall to restrict access to specific IP addresses.
Algolia Vault applies disk encryption with 256-bit AES to all data at rest, right when you create your cluster. You must set up Vault before indexing data to Algolia, and can’t turn it off. If you didn’t turn on Algolia Vault before creating the cluster, you must create an entirely new encrypted cluster and migrate your data to it.
Algolia Vault gives you access to a firewall feature. The firewall applies to both indexing and search API calls. It provides network-level control over which IP addresses have access to the data you’re storing with Algolia. Your data is accessible to the IP addresses you specify and forbidden to any others. You can specify up to 1,000 IP addresses to allow access to.
All applications on the same cluster share the same firewall configuration.
Enabling and disabling the firewall
By default, the firewall is turned off, and all IP addresses, or “sources,” can reach the server as long as they provide a valid application ID and API key. As soon as you enable the firewall, only sources on your allowlist can access your data. You turn the firewall on as soon as you set up the allowlist.
To let the Algolia support team access the API, you can add a specific source called
To turn off the firewall, you can pass
0.0.0.0/0 to the configuration.
Using the firewall with InstantSearch
In some types of IP-restricted implementations, you might not be able to implement InstantSearch directly from the front end. You can still use InstantSearch by implementing a back-end proxy that makes all the requests from your allowlisted server.
As with any proxy, this isn’t as fast as with a front-end InstantSearch implementation. However, it lets you implement a full InstantSearch experience with all its features while enforcing strict access restrictions.