Guides / Security

Algolia Vault is available an add-on to your pricing plan.

Algolia Vault gives you an extra level of security and control over your data, beyond typical use-cases.

For example, a digital healthcare service might have medical records or personal user data that needs to be accessible to internal users only. Algolia Vault exists to meet strict technical or compliance requirements that call for disk encryption and restricted access.

At its core, Algolia Vault provides two things:

  • Advanced Encryption Standard (AES-256) for disk encryption at rest, with per-server keys.
  • Configurable firewall to restrict access to specific IP addresses.

Disk encryption

Algolia Vault applies disk encryption with 256-bit AES to all data at rest. You must set up Vault before indexing data to Algolia, and can’t turn it off. If you didn’t turn on Algolia Vault before creating the cluster, you must create an entirely new encrypted cluster and migrate your data to it.

Firewall

Algolia Vault comes with a firewall for both indexing and search API calls. It provides network-level control over which IP addresses have access to the data you’re storing with Algolia. You can allow access for up to 1,000 IP addresses.

You can configure the firewall with the Vaults API, or in the Infrastructure section of the Algolia dashboard.

All applications on the same cluster share the same firewall configuration.

Activate and deactivate the firewall

By default, the firewall is inactive, and all IP addresses (sources) can reach the server as long as they provide a valid application ID and API key. If you add an IP address to the allowlist, the firewall becomes active. As soon as you enable the firewall, only sources on your allowlist can access your data.

To let the Algolia support team access the API, add ALGOLIA_SUPPORT to the allowlist.

To turn off the firewall, add 0.0.0.0/0 to the configuration.

Using the firewall with InstantSearch

In some types of IP-restricted implementations, you might not be able to implement InstantSearch directly from the frontend. You can still use InstantSearch by implementing a backend proxy that makes all the requests from your allowlisted server.

As with any proxy, this isn’t as fast as with a frontend InstantSearch implementation. However, it lets you create a full InstantSearch experience with all its features while enforcing strict access restrictions.

Did you find this page helpful?