Example context-based restrictions scenarios
With context-based restrictions, account owners and administrators can define and enforce access restrictions for IBM Cloud® resources, based on the context of access requests. Access to Cloud Databases resources can be controlled with context-based restrictions and identity and access management policies. For more information, see Protecting Cloud Databases resources with context-based restrictions.
Restrict traffic to your deployment by using Cloud Databases Allowlisting
In this example scenario, you use context-based restrictions to restrict traffic to your IBM Cloud® Databases for MySQL cluster in the in-che region by allowing only the set of subnets from the Cloud Databases Allowlist page to connect to your deployment.
In the following steps, you start by creating a network zone (the allowlist) that includes those subnets. Then you create a context-based restrictions rule for your deployment and associate it with that network zone, so that only connections originating from the allowlisted subnets reach the deployment.
Prerequisites
Before beginning this tutorial, make sure you have created or installed the following resources and tools.
- An IBM Cloud account. For more information, see Creating an account.
- The IBM Cloud CLI with the Cloud Databases plug-in (the CLI interface to the Cloud Databases API) and the context-based-restrictions plug-in, which provides the ibmcloud cbr commands used in this tutorial. For more information, see Getting started with the IBM Cloud CLI.
- A Cloud Databases deployment. For more information, see Provisioning.
- Review the What are context-based restrictions docs to get an understanding of concepts of network zones and rules.
- Review the Protecting Cloud Databases resources with context-based restrictions docs to understand how you can use CBR for your Cloud Databases resources.
Creating your network zone in the CLI
Provision your service from the IBM Cloud Catalog and copy the IP addresses for your deployment's region from the Cloud Databases Allowlist page.
1. Run the following example command to create a network zone that includes the allowed subnets.
   ibmcloud cbr zone-create --addresses=169.38.95.127/27,169.38.121.159/28,169.38.132.127/25,169.38.136.255/26,169.38.73.151/29,169.38.105.79/29,10.162.8.127/26,10.163.20.127/25,10.162.115.103/29,10.162.132.79/29 --name=tutorial_zone
2. Verify that the network zone was created, and note its ID; you need it when you create the rule.
   ibmcloud cbr zones
Creating your CBR rule in the CLI
1. After you create your network zone (allowlist), create a context-based restrictions rule and add the network zone that you created in the previous section. The following example creates a rule that uses the data-plane API type. Replace ZONE-ID with the ID of the tutorial_zone network zone that you created in Step 1.
   ibmcloud cbr rule-create --enforcement-mode enabled --context-attributes networkZoneId=<ZONE-ID> --resource-group-id <RESOURCE_GROUP_ID> --service-name databases-for-mysql --service-instance <SERVICE-INSTANCE> --api-types crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane --description <DESCRIPTION>
Understanding the command options:
--context-attributes (string): Contexts to add to the rule. You can pass only one networkZoneId field at a time; repeat the option to add multiple network zones. Use this option when you need to specify the endpointType together with the networkZoneId.
--zone-id (string): Shorthand for adding the context attribute networkZoneId to the context without specifying an endpoint.
--resource-attributes (string): Resources to add to the rule.
--resource-group-id (string): Shorthand for creating the IBM Cloud resource attribute resourceGroupId. Used to restrict the rule to a single resource group.
--region (string): Shorthand for creating the IBM Cloud resource attribute region. Used to restrict the rule to a single region.
--service-name (string): Shorthand for creating the IBM Cloud resource attribute serviceName.
--service-instance (string): GUID of the service instance to scope the context to. This option can be omitted if the context applies to more than one of your service instances. This option is exclusive with the --file option.
2. Verify that the rule was created.
   ibmcloud cbr rules
Testing your context-based restrictions
To test your context-based restrictions setup, try connecting to your deployment from an IP address that is not in any of the subnets that you allowlisted in your network zone; the connection must be rejected. Then connect from an address inside one of the allowlisted subnets to confirm that legitimate traffic still works. With this setup, only the IP addresses in your network zone can connect to your deployment. Because the rule was created with --enforcement-mode enabled, it takes effect immediately; if you want to observe which requests would be blocked before enforcing the rule, create it with --enforcement-mode report first and switch it to enabled after you review the results.
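A test from the wrong client address is easy to misread as a CBR problem. The following added example (not IBM's code, and not a substitute for the ibmcloud cbr commands above) is an offline pre-flight check for the zone built in this tutorial: it normalizes the host-form entries from the Allowlist page (for example 169.38.95.127/27 is inside the 169.38.95.96/27 network) and reports which zone entry, if any, contains a given client IP, so you know before you connect whether the rule should allow or block that client. The address list is the one passed to zone-create above, embedded as a constructed sample; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not IBM's code): offline pre-flight check for a CBR network zone.
# ZONE_ADDRESSES is the --addresses value from the zone-create command in this
# tutorial, embedded here as constructed sample data.
set -u

ZONE_ADDRESSES="169.38.95.127/27,169.38.121.159/28,169.38.132.127/25,169.38.136.255/26,169.38.73.151/29,169.38.105.79/29,10.162.8.127/26,10.163.20.127/25,10.162.115.103/29,10.162.132.79/29"

# Dotted-quad IPv4 -> 32-bit integer. Rejects non-numeric, out-of-range and
# zero-padded octets (which shell arithmetic would otherwise read as octal).
ip2int() {
  _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case $_o in
      0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$_o" -le 255 ] || return 1 ;;
      *) return 1 ;;
    esac
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0..32) -> network mask as an integer; anything else is rejected.
prefix2mask() {
  case $1 in
    [0-9]|[12][0-9]|3[0-2]) echo $(( (0xFFFFFFFF >> (32 - $1)) << (32 - $1) )) ;;
    *) return 1 ;;
  esac
}

# Normalize "host/prefix" to "network/prefix", e.g. 169.38.95.127/27 -> 169.38.95.96/27.
normalize_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  _n=$(ip2int "${1%/*}") || return 1
  _m=$(prefix2mask "${1#*/}") || return 1
  echo "$(int2ip $(( $_n & $_m )))/${1#*/}"
}

# Print the first zone entry that contains CLIENT_IP and return 0.
# Return 1 if the client is outside every entry (the case the CBR rule blocks),
# and 2 if the client address or a zone entry is malformed.
# Usage: ip_in_zone CLIENT_IP "cidr1,cidr2,..."
ip_in_zone() {
  _c=$(ip2int "$1") || return 2
  _oldifs=$IFS; IFS=,; set -- $2; IFS=$_oldifs
  for _cidr in "$@"; do
    _n=$(ip2int "${_cidr%/*}") || return 2
    _m=$(prefix2mask "${_cidr#*/}") || return 2
    if [ $(( $_c & $_m )) -eq $(( $_n & $_m )) ]; then
      echo "$_cidr"
      return 0
    fi
  done
  return 1
}

# Example run: 169.38.95.100 is inside the first entry, 192.0.2.10 is outside all of them.
ip_in_zone 169.38.95.100 "$ZONE_ADDRESSES" || echo "169.38.95.100 is not allowlisted"
ip_in_zone 192.0.2.10 "$ZONE_ADDRESSES" || echo "192.0.2.10 is not allowlisted (expect the connection to be rejected)"
```

Run it with the public or private address your test client actually egresses from (for example the address a `curl ifconfig.me` style check reports, or the interface address on a private network); if the script reports that the address is outside the zone, a rejected connection is the rule working as intended, not a misconfiguration. The script is POSIX sh and needs no tools beyond the shell itself.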