Vercel Secure Compute

Vercel Secure Compute allows you to establish secure connections between Vercel and backend environments.

Secure Compute is available for purchase on Enterprise plans.

With Secure Compute, you can create private connections between Vercel Functions and your backend cloud, like databases or other private infrastructure.

Currently, Vercel deployments require you to allow all IP addresses on your backend cloud. Publicly exposing your backend cloud this way, even with authentication, can be risky.

Enabling Secure Compute on your project attaches your deployments and build container to a Secure Compute network with dedicated IP addresses in a region of your choice, separated from other customers' instances.

Interested in Secure Compute?

If you would like to use Secure Compute to increase your level of security, compliance, and privacy, contact us to discuss upgrading to Enterprise.

When you request access to Secure Compute, provide your AWS region, and optionally, a CIDR block. Vercel creates a Secure Compute network in the specified region with the following properties:

  • A pair of dedicated IP addresses
  • AWS account ID
  • AWS region based on your request
  • AWS VPC ID
  • CIDR block based on your request
Secure Compute network settings.

When you enable Secure Compute on a project, Vercel places your project's build container and subsequent deployments inside a Secure Compute network with a specific IP address pair (dedicated IP). You can choose to exclude the build container from the private network.

Each private network has its own dedicated IP pair and is isolated from others, ensuring no sharing across teams. You can assign multiple projects to a Secure Compute network, but each project belongs to only one active and one passive network.

You can also request additional Secure Compute networks for the same team by using the Contact Sales button on the Secure Compute page of the dashboard.

Once the IP pair is ready, you can use it to create an access control list for your backend. In addition to using the IP addresses to authenticate your requests, you must use a user/password combination or an authentication key.
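One way to check that a backend allow list matches this guidance, as an added example that is not Vercel's code: it audits ingress rules shaped like the `IpPermissions` field of AWS `describe-security-groups` output against the dedicated IP pair. The IP addresses (RFC 5737 documentation ranges), the port, and the function and finding names are constructed assumptions.

```python
import ipaddress

# Constructed sample values: the dedicated IP pair uses RFC 5737 documentation addresses.
DEDICATED_IPS = ["203.0.113.10", "203.0.113.11"]

# Constructed ingress rules in the shape of EC2 describe-security-groups "IpPermissions".
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
]


def audit_ingress(rules, dedicated_ips, port):
    """Return (finding, cidr) tuples for ingress rules that cover TCP `port`."""
    # A bare address parses as a single-host network (/32 for IPv4).
    allowed = {ipaddress.ip_network(ip) for ip in dedicated_ips}
    seen, findings = set(), []
    for rule in rules:
        proto = rule.get("IpProtocol")
        if proto != "-1":  # "-1" means all protocols and all ports
            if proto != "tcp" or not (rule["FromPort"] <= port <= rule["ToPort"]):
                continue
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net in allowed:
                seen.add(net)
            elif net.prefixlen == 0:
                # The "allow all IP addresses" state that dedicated IPs are meant to replace.
                findings.append(("OPEN_TO_INTERNET", str(net)))
            else:
                findings.append(("UNEXPECTED_SOURCE", str(net)))
    # A dedicated IP missing from the list would be blocked by the backend.
    for net in sorted(allowed - seen):
        findings.append(("DEDICATED_IP_NOT_ALLOWED", str(net)))
    return findings


if __name__ == "__main__":
    for finding, cidr in audit_ingress(SAMPLE_RULES, DEDICATED_IPS, 5432):
        print(f"{finding}: {cidr}")
```
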

When you request access to Secure Compute, Vercel creates one network in a Vercel Function region of your choice. For the best performance, Vercel recommends that the network be in the same region as your backend cloud.

Vercel applies Secure Compute to Vercel Functions using the following runtimes:

The Edge Runtime is not supported, meaning features like Edge Middleware and Vercel Functions using the edge runtime will not use the provided dedicated IP addresses.

For your failover region to use Secure Compute, you need to contact sales to create an additional Secure Compute network in that region. Once created, you can connect a project to that network and enable passive failover.

When you enable passive failover, Vercel will automatically switch to the failover region if the primary region is unavailable. This ensures that your Vercel Functions continue to operate even if the primary region is down.

To add a project to your Secure Compute network:

  1. Navigate to your team's Settings page, and open the Secure Compute section.
  2. Select a network from the list.
  3. Select the Projects tab.
  4. Select a project to add to the network.
  5. Optionally check Include Builds to include the project's build container in the network, and/or Passive to enable passive failover.
  6. Click Connect Project to apply your changes.
Adding a project to a Secure Compute network.

When you add a project to a Secure Compute network, you can choose to include the project's build container in the network. This is useful if your application calls your data sources at build time.

You can opt the build container out of using the dedicated IP addresses. This is useful if your application only calls your data sources at run time and not at build time.

By opting out of including the build container, you will not incur the 45s delay when provisioning a secure build container.

To manage the build container during the project connection process, select Include Builds.

To manage the build container after the project is connected to the Secure Compute network:

  1. Navigate to your team's Settings page, and open the Secure Compute section.
  2. Select a private network from the list.
  3. Select the Projects tab.
  4. Click the icon to the right of your connected project and click Edit.
  5. Check/uncheck Include Builds to include/exclude the project's build container in the network.
  6. Click Save.
Exclude your build from the private network.

You can use one network with multiple projects in the same team. In this case, the same IP pair is shared across multiple projects.

If you require additional security or have a large team, you can have one network for each project so that each project will have its own dedicated IP pair.

If your Vercel Functions are deployed in multiple regions, you can use multiple Secure Compute networks to have different IP pairs in each region.

In this case, you can allocate different IP addresses to test projects, internal tools and public facing platforms for improved manageability and security.

Virtual private cloud (VPC) peering is a method of connecting two VPCs in the same or different regions. When you use Secure Compute, Vercel accepts a VPC peering connection between your Vercel Secure Compute network and your AWS VPC.

To set up VPC peering:

  1. Request Secure Compute: Contact Vercel and supply your desired region, and optionally, a CIDR block. The CIDR blocks of the Secure Compute network and your VPC must not overlap.
  2. Set up peering in AWS: In your AWS VPC dashboard, configure the peering connection by copying the values from your Secure Compute network settings and pasting them into the AWS VPC peering connection settings:
    • Requester VPC ID: Your VPC ID
    • Account ID: The AWS account ID
    • Accepter VPC ID: Your Vercel Secure Compute network's VPC Peering ID
    • Region: Your Vercel Secure Compute network's region
  3. Create peering connection: In the AWS VPC peering connection settings, click Create Peering Connection to establish the connection.
  4. Accept peering connection: Go back to your Vercel dashboard and click Accept to accept the connection.
  5. Update route tables: Go to AWS's VPC dashboard, select Route Tables, and configure routing to allow traffic from Vercel's CIDR block.
Secure Compute VPC peering settings.
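A preflight check for steps 1 and 5 above, as an added example that is not Vercel's code: it confirms the Secure Compute CIDR does not overlap any of your VPC's CIDR blocks and reports which route tables carry a route for that CIDR over the peering connection. The CIDRs, resource IDs and function names are constructed assumptions; the route tables follow the shape of AWS `describe-route-tables` output.

```python
import ipaddress

# Constructed sample values (not from the page).
SECURE_COMPUTE_CIDR = "10.20.0.0/16"
VPC_CIDRS = ["10.0.0.0/16", "10.1.0.0/16"]  # primary and secondary VPC CIDR blocks
PEERING_ID = "pcx-0example"

# Constructed route tables in the shape of EC2 describe-route-tables output.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-app", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.20.0.0/16", "VpcPeeringConnectionId": "pcx-0example"}]},
    {"RouteTableId": "rtb-db", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]


def overlapping_cidrs(peer_cidr, vpc_cidrs):
    """Return the VPC CIDR blocks that overlap the Secure Compute CIDR (must be empty)."""
    peer = ipaddress.ip_network(peer_cidr)
    return [c for c in vpc_cidrs if ipaddress.ip_network(c).overlaps(peer)]


def peering_route_status(route_tables, peer_cidr, peering_id):
    """Map each route table to 'exact', 'broader' or 'missing' for the peer CIDR route."""
    peer = ipaddress.ip_network(peer_cidr)
    status = {}
    for table in route_tables:
        state = "missing"
        for route in table["Routes"]:
            dest = route.get("DestinationCidrBlock")  # absent on prefix-list and IPv6 routes
            if dest is None or route.get("VpcPeeringConnectionId") != peering_id:
                continue
            dest_net = ipaddress.ip_network(dest)
            if dest_net == peer:
                state = "exact"
                break
            if peer.subnet_of(dest_net):
                state = "broader"  # routes more than the peer CIDR over the peering link
        status[table["RouteTableId"]] = state
    return status


if __name__ == "__main__":
    print("overlaps:", overlapping_cidrs(SECURE_COMPUTE_CIDR, VPC_CIDRS))
    print("routes:", peering_route_status(ROUTE_TABLES, SECURE_COMPUTE_CIDR, PEERING_ID))
```
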

The connection can be deleted from either the Vercel dashboard, or the AWS VPC dashboard.

If your current security and compliance obligations require more than dedicated IP addresses, contact us for guidance related to your specific needs.

Note: If you require support for VPN connections, contact Sales.

When connected to a Secure Compute network, builds experience up to a 45s delay as they provision a secure build container. When this happens, your build is marked as Provisioning Container in the dashboard.

The maximum number of VPC peering connections that can be established per network is 50.

Last updated on October 31, 2024