Vercel Secure Compute

With Secure Compute, you can create private connections between Serverless Functions and your backend cloud, such as databases and other private infrastructure.

Currently, you need to allow all IP addresses on your backend cloud for your Vercel deployment to be able to connect to it. For security and compliance reasons, you may not be permitted to publicly expose your backend cloud. Even if authentication is required, exposing data sources to the world can be unsafe.

By enabling Secure Compute on your Project, your deployments and build container will be placed in a private network with dedicated IP addresses in a region of your choice and logically separated from other containers.

When you enable Secure Compute on a Project, Vercel places your project's build container and subsequent deployment inside a private network with a specific IP address pair (dedicated IP). You can choose to exclude the build container from the private network.

Secure Compute is managed through the Dashboard as private networks with automatic IP pair assignment. When you request access to Secure Compute, one private network is created in a Serverless Function region of your choice. You can have multiple private networks in the same Team by requesting it from the Dashboard.

To learn how to attach your Project to your private network, see the Add a Project to your private network section.

Each private network is deployed in a Serverless Function region. For the best performance, we recommend that the private network's region is in the same region as your backend cloud.

When using Secure Compute, you can specify a failover region using the functionFailoverRegions property in your project's vercel.json.

For your failover region to use Secure Compute, you need to contact sales to create an additional private network in that region. Once created, you can set that region as your failover region.

Once the IP pair is ready, you can use it to create an access control list to your backend. In addition to using the IP addresses to authenticate your requests, it is required to use a user/password combination or an authentication key.

Under a specific Team, you can connect a private network with your Project's deployment's environment, namely Serverless Functions and Incremental Static Regeneration (ISR).

You can use one private network with multiple Projects in the same Team. In this case, the same IP pair is shared across multiple Projects.

If you require additional security or have a large team, you can have one private network for each Project so that each Project will have its own dedicated IP pair.

If your Serverless Functions are deployed in multiple regions, you can use multiple private networks to have different IP pairs in each region.

In this case, you can allocate different IP addresses to test projects, internal tools and public facing platforms for improved manageability and security.

If your current security and compliance obligations require more than dedicated IP addresses, contact us for guidance related to your specific needs.

You can add multiple Projects to one private network from the Team Settings page of your Vercel Dashboard. Once this is done, you can use the associated dedicated IP pair of the private network with your data sources.

1. Navigate to your Team's Settings page
2. Select the Secure Compute link
3. Under the existing Private Network, select Assign Projects
4. From the Assigned Projects dropdown, select one or more Projects that you would like to connect to the IP pair of this private network
5. Click Save to apply your changes

To update the list of Projects assigned to the IP pair:

1. Click the icon to the right of your private network and click Edit
2. Under Name, update the private network's name
3. You can add more Projects using the Assigned Projects dropdown
4. You can disconnect existing Projects by clicking the icon to the right of each Project in the list
5. Click Save to apply your changes

You can opt the build container out of using the dedicated IP addresses. This is useful if your application only calls your data sources at run time and not at build time. If you do this, you will not face the build delay limitation explained in Limits below.

You can do this for specific Project/s by:

• Clicking the icon to the right of your private network and clicking Edit
• Uncheck Run builds in this private network for the Project row under Assigned Projects
• Click Save

When connected to a Secure Compute private network, builds experience a 2-minute delay as they provision a secure build container. We are working on reducing this delay.

When this happens, your build is marked as Provisioning Container in the dashboard.