Protected branches

Neon's protected branches feature implements a series of protections:

• Protected branches cannot be deleted.
• Protected branches cannot be reset.
• Projects with protected branches cannot be deleted.
• Computes associated with a protected branch cannot be deleted.
• New passwords are automatically generated for Postgres roles on branches created from protected branches. See below.
• With additional configuration steps, you can apply IP Allow restrictions to protected branches only. The IP Allow feature is available on the Neon Business plan. See below.

The protected branches feature is available on all Neon paid plans.

Set a branch as protected

This example sets a single branch as protected, but you can have up to 5 protected branches.

To set a branch as protected:

1. In the Neon Console, select a project.

2. Select Branches to view the branches for the project.

   

3. Select a branch from the table. In this example, we'll configure our default branch main as a protected branch.

4. On the branch page, click the Actions drop-down menu and select Set as protected.

   

5. In the Set as protected confirmation dialog, click Set as protected to confirm your selection.

   

   Your branch is now designated as protected, as indicated by the protected branch shield icon, shown below.

   

   The protected branch designation also appears on your Branches page.

   

New passwords generated for Postgres roles on child branches

When you create a branch in Neon, it includes all Postgres databases and roles from the parent branch. By default, Postgres roles on the child branch will have the same passwords as on the parent branch. However, this does not apply to protected branches. When you create a child branch from a protected branch, new passwords are generated for the matching Postgres roles on the child branch.

This behavior is designed to prevent the exposure of passwords that could be used to access your protected branch. For example, if you have designated a production branch as protected, the automatic password change for child branches ensures that you can create child branches for development or testing without risking access to data on your production branch.

Please note that resetting or restoring a child branch from a protected parent branch preserves passwords for matching Postgres roles on the child branch. Please refer to the feature notes below for more.

How to apply IP restrictions to protected branches

On Neon's Business plan, you can use the protected branches feature in combination with Neon's IP Allow feature to apply IP access restrictions to protected branches only. The basic setup steps are:

1. Define an IP allowlist for your project
2. Restrict IP access to protected branches only
3. Set a branch as protected (if you have not done so already)

Define an IP allowlist for your project

Neon ConsoleCLIAPI

To configure an allowlist:

1. Select a project in the Neon Console.
2. On the Project Dashboard, select Settings.
3. Select IP Allow.
4. Specify the IP addresses you want to permit. Separate multiple entries with commas.
5. Click Save changes.

For details about specifying IP addresses, see How to specify IP addresses.

Restrict IP access to protected branches only

After defining an IP allowlist, the next step is to select the Restrict access to protected branches only option.

This option removes IP restrictions from all branches in your Neon project and applies them to protected branches only.

After you've selected the protected branches option, click Save changes to apply the new configuration.

Remove branch protection

Removing a protected branch designation can be performed by selecting Set as unprotected from the Actions menu on the branch page.