Restricting access by network context
Context-based restrictions provide a way for administrators to limit access to resources. What if certain data must be accessed from trusted networks only? A properly configured policy restricts all access to data unless the request originates from an approved network zone and endpoint type (public, private, or direct).
To restrict access, you must be the account owner or have an access policy with the administrator role on all account management services.
Overview
To restrict access, you must create zones and rules.
First, create a zone with the appropriate details for network or resource definitions. Then, attach that zone to the specified resource to restrict access. You can create zones and rules by using the RESTful API or the context-based restrictions UI. After you create or update a zone or a rule, it might take a few minutes for the change to take effect.
CBR rules do not apply to provisioning or deprovisioning processes.
Understanding network zones
By creating network zones, you define an allowlist of network locations from which access requests may originate; a rule applies only when the request matches one of these locations. Network locations can be specified as IP addresses (individual addresses, ranges, or subnets) and as Virtual Private Cloud (VPC) IDs.
After you create a network zone, you can add it to a rule.
Creating network zones by using the CBR API
The API supports defining network zones by connecting to public (for example, cbr.cloud.ibm.com) and private endpoints (for example, private.cbr.cloud.ibm.com).
Use GET /v1/zones to list the zones. By using POST /v1/zones, you can create a new zone with the appropriate information. For more information, including a request body example, see Creating network zones by using the API.
You can determine which services are available by checking for reference targets.
Creating network zones by using the CBR UI
After you set the prerequisites and requirements, you can create zones in the UI. For more information about the steps to follow, see Creating context-based restrictions.
Instead of creating a zone by using UI inputs, you can use the JSON code form to create a zone by clicking Enter as JSON code.
Understanding network rules
After you create your zones, you can attach the zones to your network resources by creating rules. When you add resources to a rule, you can choose from the available types of endpoints that are specific to your network topology.
Create network rules by using the CBR API
You can define network rules with the API by using the information that you collected from creating network zones.
By using GET /v1/rules with the endpoints that you chose, you can view a list of current rules. Use POST /v1/rules to create new rules. For more information, including a request body example, see Creating rules by using the API.
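As an added illustration (not IBM's own code and not an API response), the following Python builds a zone with each address kind the page lists, a rule that binds that zone to the private endpoint type, and a local evaluator that applies the default-deny semantics described above: a request is allowed only when its source matches the zone and its endpoint type matches the rule. The JSON key names follow the CBR API as I understand it and should be confirmed against the linked API reference; the VPC CRN and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample zone using the address kinds the page lists:
# individual IP, IP range, subnet, and VPC ID. Key names are assumed
# to mirror the CBR API; verify against the API reference.
ZONE = {
    "name": "trusted-office",
    "addresses": [
        {"type": "ipAddress", "value": "203.0.113.10"},
        {"type": "ipRange", "value": "198.51.100.20-198.51.100.40"},
        {"type": "subnet", "value": "192.0.2.0/24"},
        {"type": "vpc", "value": "crn:v1:EXAMPLE:vpc-placeholder"},  # placeholder CRN
    ],
}
ZONES = {ZONE["name"]: ZONE}

# Constructed sample rule: the zone above, reachable only over private endpoints.
RULE = {
    "contexts": [{"attributes": [
        {"name": "networkZoneId", "value": "trusted-office"},
        {"name": "endpointType", "value": "private"},
    ]}],
    "enforcement_mode": "enabled",
}

def address_in_zone(zone, ip, vpc=None):
    """True if the source IP or the request's VPC matches any allowlisted entry."""
    addr = ipaddress.ip_address(ip)
    for entry in zone["addresses"]:
        kind, value = entry["type"], entry["value"]
        if kind == "ipAddress" and addr == ipaddress.ip_address(value):
            return True
        if kind == "ipRange":
            lo, hi = (ipaddress.ip_address(v) for v in value.split("-"))
            if lo <= addr <= hi:
                return True
        if kind == "subnet" and addr in ipaddress.ip_network(value, strict=False):
            return True
        if kind == "vpc" and vpc == value:
            return True
    return False

def request_allowed(rule, zones, ip, endpoint_type, vpc=None):
    """Default deny: allow only if some context's zone AND endpoint type both match."""
    if rule.get("enforcement_mode") != "enabled":
        return True  # a rule that is not enforced never blocks a request
    for ctx in rule["contexts"]:
        attrs = {a["name"]: a["value"] for a in ctx["attributes"]}
        zone = zones[attrs["networkZoneId"]]
        if attrs["endpointType"] == endpoint_type and address_in_zone(zone, ip, vpc):
            return True
    return False
```

Running the evaluator over a few constructed requests shows why both halves matter: an address inside the subnet is refused when it arrives over a public endpoint, and a private-endpoint request from an unlisted address is refused unless it comes from the allowlisted VPC.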
Creating network rules by using the CBR UI
After you set the prerequisites and requirements, you can create rules in the UI. For more information about the steps to follow, see Creating context-based restrictions.
You can use the CBR UI to add resources and contexts to your network rules. Keep in mind the limitations.
Context-based restrictions check that an access request comes from an allowed context that you configure. Also, the rules might not take effect immediately due to synchronization and resource availability.
Next steps
You must follow the creation or modification of zones or rules with adequate testing to ensure access and availability.
Users who attempt to access your resources outside of the defined zones receive HTTP error 401 when the appropriate rules are not established.