Securing connections
Data is the core of your work in Deepnote — that's why we prioritize keeping it safe. Here's how to secure connections to your data and ensure end-to-end privacy.
Connecting to databases on private networks
You can choose one of two ways to authorize Deepnote to connect to your database. You can authorize the set of IP addresses that Deepnote uses to connect or you can connect using an SSH tunnel.
Authorizing Deepnote's IP addresses
Deepnote has five fixed IP addresses you will need to authorize.
3.220.159.34
34.236.123.2
52.5.148.98
3.230.134.18
3.209.101.227
Here are quick-start guides for changing the firewall/security settings:
Using SSH to connect to your data
You can connect to selected data warehouses and database integrations via a secure SSH tunnel that is configurable in the Integrations menu. Deepnote automatically generates a public SSH key for your workspace that you can add it to the authorized keys file (~/.ssh/authorized_keys) on your SSH bastion.
If you query a database with SSH configured from an SQL block, Deepnote will automatically create an SSH tunnel.
The following Integrations support SSH tunnels:
- PostgreSQL
- Microsoft SQL Server
- Amazon Redshift
- MongoDB
- MySQL
- ClickHouse
- MindsDB
- MariaDB
- Dremio
- Trino
SSH Tunnel integration
The SSH Tunnel integration allows you to securely connect to resources in your private network. For example, you may want to connect to an experiment tracking tool (such as MLflow), a database without native integration in Deepnote (such as Redis), or a feature store (such as Feast) hosted on your network.
Deepnote automatically generates a public SSH key for your workspace. You can copy it from the SSH tunnel integration modal and add it to the authorized keys file (~/.ssh/authorized_keys) on your SSH bastion.
When you connect the integration to the project, the SSH tunnel starts in the background and exposes the host and port that you can use to access your data. Here's an example, along with code that demonstrates how to use the SSH Tunnel integration to query a private API that provides daily candles for a given ticker.
import os
import requests
# Get the local host and port from environment variables
# Note – you may need to change the variable names as they contain the integration name
HOST = os.environ['MY_SSH_TUNNEL_LOCAL_HOST']
PORT = os.environ['MY_SSH_TUNNEL_LOCAL_PORT']
# Set up the URL for the API endpoint
url = f'http://{HOST}:{PORT}/daily-candles/XYZ'
# Make the API request
response = requests.get(url)
# Print the response content
print(response.content)
To find the environment variable names for your integration, you can open the three-dot menu of the integration in the right sidebar and click "How to use".
In order to use SSH to connect to SQL databases with a native integration in Deepnote we recommend using the integration setting.
Workspace SSH key
Deepnote automatically generates an SSH private/public key pair for your workspace. The private key is stored securely in Deepnote and used when authenticating an SSH connection from an SQL block. The workspace SSH key is the same for all integrations within that workspace, simplifying deployment when multiple data sources are secured behind the same bastion.
Encrypting your connections with SSL
All database and warehouse integrations support encrypted connections via SSL to make sure your data travels safely over the internet.
Fully managed data warehouses such as Snowflake, Google BigQuery, and Amazon Redshift will have SSL enabled by default. Databases such as Postgres, MySQL, and Microsoft SQL Server may require additional configuration.
By default, Deepnote will always connect using the preferred mode. It will try to use SSL if the database is configured to use it, but it will fall back to an unencrypted connection if not.
To make sure SSL is used, enable the setting when creating a new integration or editing an existing one. This will put the connection in required mode. In this state, encryption is enforced but the certificate of the server is not validated. If the database is not configured to use SSL, the connection will fail.
To run in strict mode, you can upload a CA Certificate for your database or warehouse. We'll verify that the server's certificate is valid.
