Security architecture drilldown

YugabyteDB Aeon is a fully managed YugabyteDB-as-a-Service that allows you to run YugabyteDB clusters on public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). YugabyteDB Aeon runs on top of YugabyteDB Anywhere. It is responsible for creating and managing customer YugabyteDB clusters deployed on cloud provider infrastructure.

YugabyteDB Aeon high-level architecture

All customer clusters are firewalled from each other. Outside connections are also firewalled according to the IP allow list rules that you assign to your clusters. You can also connect Dedicated (that is, not Sandbox) clusters to virtual private clouds (VPCs) on the public cloud provider of your choice (subject to the IP allow list rules).

Infrastructure security

YugabyteDB Aeon uses both encryption in transit and encryption at rest to protect clusters and cloud infrastructure.

All communication between YugabyteDB Aeon architecture domains is encrypted in transit using TLS. Likewise, all communication between clients or applications and clusters is encrypted in transit. Every cluster has its own certificates, generated when the cluster is created and signed by the Yugabyte internal PKI. Root and intermediate certificates are not extractable from the hardware security appliances.

Data at rest, including clusters and backups, is AES-256 encrypted using native cloud provider technologies - S3 and EBS volume encryption for AWS, Azure disk encryption, and server-side and persistent disk encryption for GCP. Encryption keys are managed by the cloud provider and anchored by hardware security appliances. Customers can enable YugabyteDB encryption at rest and column-level encryption as additional security controls.

YugabyteDB Aeon provides DDoS and application layer protection, and automatically blocks network protocol and volumetric DDoS attacks.

Securing database clusters by default

Yugabyte secures YugabyteDB Aeon databases using the same default security measures that we recommend to our customers to secure their own YugabyteDB installations, including:

  • authentication
  • role-based access control
  • dedicated users
  • limited network exposure
  • encryption in transit
  • encryption at rest

Data privacy and compliance

For information on data privacy and compliance, refer to the Yugabyte DPA.


Yugabyte supports audit logging at the account and database level.

For information on database audit logging, refer to Configure Audit Logging.