Using IAM IP address access restrictions with Event Streams
If you want to enable IAM IP address access restrictions, you must ensure that the Cloud Identity and Access Management (IAM) IP allowlist is configured so that the Event Streams authentication and authorization service, which is used to authenticate and authorize the Kafka client, can still function.
Using the Event Streams Satellite plan with the IP address restrictions is not yet supported. Although you can enable IP address restrictions in your account, Event Streams Satellite plan clusters do not accept messages. Support for co-existence is planned. As a workaround, provision Event Streams Satellite plan clusters from a separate account.
Granting access if you use Event Streams over the public network
If you use Event Streams over the public network, you must add the IP addresses of any computers that access Kafka API endpoints and REST API endpoints to the Cloud Identity and Access Management (IAM) IP allowlist.
Granting access if you use Event Streams over the private network (Enterprise plan only)
If you use Event Streams over the private network, you must add the private IP addresses that Event Streams itself uses for the appropriate cluster to the Cloud Identity and Access Management (IAM) IP allowlist. You can find these IP addresses with the following command:
ibmcloud resource service-instance <event-streams-instance-name> --output json
Find the extensions.virtual_private_endpoints.endpoints.ip_address section in the output and add the three 166.9.x.x IP addresses to the Cloud Identity and Access Management (IAM) IP allowlist, as in the following example. These addresses are static and remain for the life of the service instance.
{
  "extensions": {
    "virtual_private_endpoints": {
      "dns_domain": "private.us-south.messagehub.appdomain.cloud",
      "dns_hosts": [
        "kafka-0-mh-int-pipe-mis-cfxdrmzjgs",
        "kafka-1-mh-int-pipe-mis-cfxdrmzjgs",
        "kafka-2-mh-int-pipe-mis-cfxdrmzjgs",
        "mh-int-pipe-mis-cfxdrmzjgs"
      ],
      "endpoints": [
        {
          "ip_address": "166.9.12.189",
          "zone": "dal10"
        },
        {
          "ip_address": "166.9.16.225",
          "zone": "dal13"
        },
        {
          "ip_address": "166.9.15.61",
          "zone": "dal12"
        }
      ],
      "origin_type": "cse",
      "ports": [
        {
          "port_max": 9093,
          "port_min": 443
        }
      ]
    }
  }
}
This action is required for private connections because the source IP address that Event Streams receives is the IP address of the IBM Cloud service endpoint and not the IP from where the request originated.
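The steps above (run the ibmcloud command, pick the endpoint addresses out of the JSON, make sure each one is in the IAM IP allowlist) are easy to get wrong by hand, so the following script is added here as a worked example; it is not IBM's code and not part of this page. It parses the JSON that `ibmcloud resource service-instance <name> --output json` prints, accepts either a single instance object or a list of them (an assumption about the CLI's output shape), checks that every endpoint address falls in the 166.9.x.x range the text describes, and reports which of them are not yet covered by an allowlist you already keep. The sample JSON is constructed from the page's own example, and the existing allowlist is a made-up placeholder.

```python
"""Extract Event Streams private endpoint IPs and compare them with an IAM IP allowlist.

Added example, not IBM's code. Assumptions: the CLI prints either one instance
object or a list of them; the allowlist is a plain list of IPs and CIDRs that
you maintain yourself (placeholder values below).
"""
import ipaddress
import json
import subprocess
import sys

# Constructed sample: the part of the CLI output that this page shows, wrapped
# in a list as the CLI is assumed to print it.
SAMPLE_CLI_OUTPUT = """
[{"name": "my-event-streams",
  "extensions": {"virtual_private_endpoints": {
    "dns_domain": "private.us-south.messagehub.appdomain.cloud",
    "endpoints": [
      {"ip_address": "166.9.12.189", "zone": "dal10"},
      {"ip_address": "166.9.16.225", "zone": "dal13"},
      {"ip_address": "166.9.15.61",  "zone": "dal12"}
    ],
    "origin_type": "cse",
    "ports": [{"port_max": 9093, "port_min": 443}]}}}]
"""

# The page states the private endpoint addresses are 166.9.x.x. Anything else
# is treated as a parsing mistake rather than silently added to the allowlist.
EXPECTED_RANGE = ipaddress.ip_network("166.9.0.0/16")


def private_endpoint_ips(cli_json: str) -> list:
    """Return the endpoint IPs found under extensions.virtual_private_endpoints.endpoints."""
    data = json.loads(cli_json)
    instances = data if isinstance(data, list) else [data]
    ips = []
    for inst in instances:
        vpe = inst.get("extensions", {}).get("virtual_private_endpoints", {})
        for ep in vpe.get("endpoints", []):
            ip = ipaddress.ip_address(ep["ip_address"])
            if ip not in EXPECTED_RANGE:
                raise ValueError(f"unexpected endpoint address {ip} (zone {ep.get('zone')})")
            ips.append(str(ip))
    return ips


def allowlist_entries(ips) -> list:
    """Render each address as a /32 so the allowlist admits exactly that host."""
    return [f"{ip}/32" for ip in ips]


def missing_from_allowlist(ips, allowlist) -> list:
    """Return endpoint IPs not covered by any entry (single IP or CIDR) in the allowlist."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    return [ip for ip in ips if not any(ipaddress.ip_address(ip) in net for net in nets)]


def fetch_instance_json(instance_name: str) -> str:
    """Run the command from the page and return its output (needs an ibmcloud login)."""
    result = subprocess.run(
        ["ibmcloud", "resource", "service-instance", instance_name, "--output", "json"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    raw = fetch_instance_json(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CLI_OUTPUT
    ips = private_endpoint_ips(raw)
    # Placeholder allowlist: an office range plus only one of the three endpoints.
    current_allowlist = ["203.0.113.0/24", "166.9.12.189"]
    for entry in allowlist_entries(ips):
        print("allowlist entry:", entry)
    for ip in missing_from_allowlist(ips, current_allowlist):
        print("not yet allowlisted:", ip)
```

Run it with the instance name as the only argument to query a live instance, or with no arguments to exercise the constructed sample. The range check matters because a typo in the JSON path would otherwise hand you some unrelated field, and the /32 rendering keeps the allowlist as narrow as the page's guidance requires: only the three endpoint hosts, not a wider block.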
You can also restrict access on the Event Streams Enterprise instance using context-based restrictions. For more information, see Restricting network access by using the Enterprise plan.