IBM Cloud Docs
Example context-based restrictions scenarios

With context-based restrictions, account owners and administrators can define and enforce access restrictions for IBM Cloud® resources, based on the context of access requests. Access to Cloud Databases resources can be controlled with context-based restrictions and identity and access management policies. For more information, see Protecting Cloud Databases resources with context-based restrictions.

Restrict traffic to your deployment by using Cloud Databases Allowlisting

In this example scenario, you use context-based restrictions to restrict traffic to your IBM Cloud® Databases for MySQL cluster in the in-che region by allowing only the set of subnets from the Cloud Databases Allowlist page to connect to your deployment.

In the following steps, you start by creating a network zone, or allowlist, that includes your subnets. Then, you create a context-based restrictions rule for your deployment. When you create the rule, you associate it with the network zone that contains those allowed subnets.

Prerequisites

Before beginning this tutorial, make sure you have created or installed the following resources and tools.

Creating your network zone in the CLI

Provision your service from the IBM Cloud Catalog and choose your IP addresses from the Cloud Databases Allowlist page.

  1. Run the following example command to create a network zone that includes a range of allowed IP addresses.

    ibmcloud cbr zone-create --addresses=169.38.95.127/27,169.38.121.159/28,169.38.132.127/25,169.38.136.255/26,169.38.73.151/29,169.38.105.79/29,10.162.8.127/26,10.163.20.127/25,10.162.115.103/29,10.162.132.79/29 --name=tutorial_zone
    
  2. Verify the network zone was created.

    ibmcloud cbr zones
    

Creating your CBR rule in the CLI

  1. After you create your network zone (allowlist), create a context-based restrictions rule and add the network zone you created in the previous step. The following example creates a rule that uses the data-plane API type. Replace ZONE-ID with the ID of the tutorial_zone network zone that you created in Step 1.

    ibmcloud cbr rule-create --enforcement-mode enabled --context-attributes networkZoneId=<ZONE-ID> --resource-group-id <RESOURCE_GROUP_ID> --service-name databases-for-mysql --service-instance <SERVICE-INSTANCE> --api-types crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane --description <DESCRIPTION>
    

    Understanding the command options.

    --context-attributes (string)
    Contexts to add to the rule. Can only pass in one networkZoneId field at a time. This option can be repeated to add multiple network zones. Please use this if you need to specify the endpointType with the networkZoneId.
    --zone-id (string)
    Shorthand for adding context attribute networkZoneId to the context without specifying endpoint.
    --resource-attributes (string)
    Resources to add to the rule.
    --resource-group-id (string)
    Shorthand for creating IBM Cloud resource attribute resourceGroupId. Used to restrict the rule to a single resource group.
    --region (string)
    Shorthand for creating IBM Cloud resource attribute region. Used to restrict the rule to a single region.
    --service-name (string)
    Shorthand for creating IBM Cloud resource attribute serviceName.
    --service-instance (string)
    GUID of the service instance to scope the context to. This option can be omitted if the context applies to more than one of your service instances. This option is exclusive with the --file option.
  2. Verify the rule was created.

    ibmcloud cbr rules
    

Testing your context-based restrictions

To test your context-based restrictions setup, try connecting to your deployment from an IP address other than the IP addresses that you allowlisted in your network zone. With this setup, only the IP addresses in your network zone can connect to your deployment.
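The following script is an added example, not part of the IBM Cloud documentation or the ibmcloud CLI. It takes the subnet list from the zone-create command above (copied here as constructed sample data), normalizes each entry to the network it actually denotes, checks whether a candidate client IP would be matched by the zone, and prints the equivalent zone-create command line. It serves both the zone-creation step and the testing step: before you try a connection from a non-allowlisted address, you can predict locally which addresses the zone covers. Only the Python standard library (ipaddress, shlex) is used; the function names are the example's own.

```python
import ipaddress
import shlex

# Constructed sample: the subnets passed to --addresses in the zone-create
# command on this page.
ALLOWLIST_CIDRS = [
    "169.38.95.127/27", "169.38.121.159/28", "169.38.132.127/25",
    "169.38.136.255/26", "169.38.73.151/29", "169.38.105.79/29",
    "10.162.8.127/26", "10.163.20.127/25", "10.162.115.103/29",
    "10.162.132.79/29",
]


def normalize_cidrs(cidrs):
    """Parse each CIDR and return the network it actually denotes.

    Every entry above has host bits set (169.38.95.127/27 lies inside
    169.38.95.96/27). strict=False masks those host bits off, which is
    the range the allowlist really covers; strict=True would raise.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def host_bit_entries(cidrs):
    """Return (original, normalized) pairs whose text changed when
    normalized, so a reviewer can see which entries are wider than
    they look at first glance."""
    changed = []
    for c, net in zip(cidrs, normalize_cidrs(cidrs)):
        if c != str(net):
            changed.append((c, str(net)))
    return changed


def is_allowed(client_ip, networks):
    """True if client_ip falls inside at least one network of the zone."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def zone_create_command(name, networks):
    """Build the ibmcloud cbr zone-create line with normalized addresses
    (the flags --addresses and --name are the ones used on this page)."""
    addresses = ",".join(str(n) for n in networks)
    return "ibmcloud cbr zone-create --addresses=%s --name=%s" % (
        shlex.quote(addresses), shlex.quote(name))


if __name__ == "__main__":
    nets = normalize_cidrs(ALLOWLIST_CIDRS)
    for original, normalized in host_bit_entries(ALLOWLIST_CIDRS):
        print("%-20s -> %s" % (original, normalized))
    print(zone_create_command("tutorial_zone", nets))
    # Constructed client addresses: one inside 169.38.95.96/27, one outside.
    for ip in ("169.38.95.100", "198.51.100.7"):
        print("%s allowed: %s" % (ip, is_allowed(ip, nets)))
```

Run it before and after you edit the allowlist: an address that the script reports as allowed should be able to connect once the rule is enforced, and an address it reports as not allowed should be rejected, which is the check the testing step above describes.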