IBM Cloud Docs
Protecting resources with context-based restrictions

Context-based restrictions provide a way for administrators to limit access to resources based on where a request comes from. What if certain data must be accessed from trusted networks only? A properly configured rule denies all access to that data unless the request originates from an approved network zone over an approved endpoint type (public, private, or direct).

Using context-based restrictions

A context-based restriction consists of a rule and one or more contexts (network zones and/or endpoint types). These restrictions do not replace IAM policies: IAM still decides who is authorized to perform which actions, and a context-based restriction adds the further check that the request comes from an allowed context, such as a range of IP addresses, a VPC, or a referenced IBM Cloud service. A request must pass both checks to succeed.

A user must have the Administrator role on a service to create, update, or delete rules. A user must have either the Editor or Administrator role to create, update, or delete network zones.

You can learn more about how context-based restrictions work in the detailed documentation, or you can follow these tutorials:

Protecting IBM Cloud Logs resources

You can create CBR rules to protect specific regions, resource groups and instances.

Instance
Protects a specific IBM Cloud Logs instance. If you select an instance in your CBR rule, only traffic from resources in the network zones that you associate with the rule can interact with that instance.
Region
Protects IBM Cloud Logs resources in a specific region. If you select a region in your CBR rule, then only traffic from resources in the network zones that you associate with the rule can interact with resources in that region.
Resource group
Protects IBM Cloud Logs resources in a specific resource group. If you select a resource group in your CBR rule, then only traffic from resources in the network zones that you associate with the rule can interact with the IBM Cloud Logs instances in that resource group.

Creating network zones

A network zone is an allowlist of the network locations from which an access request may originate. It defines a set of one or more locations, specified by the following attributes:

  • IP addresses, which include individual addresses, ranges, or subnets.
  • VPCs
  • Service references, which allow access from other IBM Cloud services.

Creating network zones from the console

  1. Determine the resources that you want to add to your allowlist.
  2. Follow the steps to create context-based restrictions in the console. Add the IBM Cloud Logs service as a service reference to your network zones to allow IBM Cloud Logs access to services and resources in your account.

Creating rules

Define rules to protect access to resources in your account. A rule pairs one or more contexts (a network zone, optionally combined with an endpoint type) with the resources it protects: only requests that satisfy at least one of the rule's contexts, that is, requests that originate from a location in the zone's allowlist over the required endpoint type, can reach the resources named in the rule.

Creating rules from the console

  1. Review the available contexts and determine the rules that you want to create.

  2. Follow the steps to create context-based restrictions in the console.
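The following Python script is an added example, not code from the IBM Cloud Logs documentation or from IBM. It builds a network zone and a rule in the shape the public context-based restrictions API accepts (the `addresses` list with its `ipAddress`, `ipRange`, `subnet`, `vpc` and `serviceRef` entries, and the `networkZoneId`, `endpointType`, `accountId`, `serviceName` and `serviceInstance` attributes), then evaluates a few constructed requests against them locally so you can see what the allowlist actually does. The account ID, instance GUID, zone ID, CRN and IP addresses are placeholders; the service name `logs` for IBM Cloud Logs is an assumption to confirm against your instance's CRN; and the evaluation logic is a simplified model of the service's behaviour (a request either satisfies at least one context of a rule that targets the resource, or it is blocked), not IBM's implementation.

```python
"""Added example (not IBM's own code): CBR zone and rule payloads plus a local
evaluator that shows what the allowlist permits. All IDs, CRNs and IPs are
constructed placeholders; the service name "logs" is an assumption."""
import ipaddress

ACCOUNT_ID = "a1b2c3d4e5f6"                              # placeholder account ID
LOGS_INSTANCE = "0c9a3d5e-1111-2222-3333-444455556666"   # placeholder instance GUID
ZONE_ID = "zone-0001"                                    # placeholder; the API assigns real IDs
SERVICE_NAME = "logs"                                    # assumed CRN service name for IBM Cloud Logs


def build_zone():
    """Zone payload: every address type the page lists, in the API's JSON shape."""
    return {
        "name": "trusted-office-and-vpc",
        "account_id": ACCOUNT_ID,
        "description": "Locations allowed to reach the Logs instance",
        "addresses": [
            {"type": "ipAddress", "value": "169.48.10.5"},
            {"type": "ipRange", "value": "169.48.20.0-169.48.20.255"},
            {"type": "subnet", "value": "10.240.0.0/24"},
            {"type": "vpc", "value": "crn:v1:bluemix:public:is:us-south:a/"
                                     + ACCOUNT_ID + "::vpc:r006-placeholder"},
            {"type": "serviceRef", "ref": {"account_id": ACCOUNT_ID, "service_name": SERVICE_NAME}},
        ],
    }


def build_rule(zone_id, enforcement_mode="report"):
    """Rule payload: one context (zone + private endpoint) protecting one Logs instance.
    Start in report mode, review what would have been blocked, then switch to enabled."""
    return {
        "description": "Only the trusted zone, over private endpoints, may reach this Logs instance",
        "contexts": [{"attributes": [
            {"name": "networkZoneId", "value": zone_id},
            {"name": "endpointType", "value": "private"},
        ]}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": ACCOUNT_ID},
            {"name": "serviceName", "value": SERVICE_NAME},
            {"name": "serviceInstance", "value": LOGS_INSTANCE},
        ]}],
        "enforcement_mode": enforcement_mode,
    }


def _source_ip(request):
    return ipaddress.ip_address(request["ip"]) if "ip" in request else None


def address_matches(entry, request):
    """Does one zone entry cover the request's source? Requests from another
    IBM Cloud service carry a source_service name instead of an IP."""
    kind, ip = entry["type"], _source_ip(request)
    if kind == "ipAddress":
        return ip is not None and ip == ipaddress.ip_address(entry["value"])
    if kind == "ipRange":
        lo, hi = (ipaddress.ip_address(x) for x in entry["value"].split("-"))
        return ip is not None and lo <= ip <= hi
    if kind == "subnet":
        return ip is not None and ip in ipaddress.ip_network(entry["value"], strict=False)
    if kind == "vpc":
        return request.get("vpc") == entry["value"]
    if kind == "serviceRef":
        return request.get("source_service") == entry["ref"]["service_name"]
    return False


def context_satisfied(context, request, zones):
    """All attributes of a context must hold: zone membership AND endpoint type."""
    for attr in context["attributes"]:
        if attr["name"] == "networkZoneId":
            if not any(address_matches(e, request) for e in zones[attr["value"]]["addresses"]):
                return False
        elif attr["name"] == "endpointType" and request.get("endpoint_type") != attr["value"]:
            return False
    return True


def evaluate(request, rules, zones):
    """Simplified model (assumption, not IBM's implementation): rules whose resource
    attributes all match the target apply; the request must satisfy a context of one
    of them. Returns "allow", "deny", or "report" (report mode logs instead of blocking).
    A resource no rule targets is governed by IAM alone."""
    applicable = [r for r in rules if any(
        all(request["target"].get(a["name"]) == a["value"] for a in res["attributes"])
        for res in r["resources"])]
    if not applicable:
        return "allow"
    if any(context_satisfied(c, request, zones) for r in applicable for c in r["contexts"]):
        return "allow"
    return "report" if all(r["enforcement_mode"] == "report" for r in applicable) else "deny"


# Constructed sample requests against the protected instance (and one against another).
TARGET = {"accountId": ACCOUNT_ID, "serviceName": SERVICE_NAME, "serviceInstance": LOGS_INSTANCE}
SAMPLE_REQUESTS = {
    "subnet_private": {"ip": "10.240.0.17", "endpoint_type": "private", "target": TARGET},
    "subnet_public": {"ip": "10.240.0.17", "endpoint_type": "public", "target": TARGET},
    "untrusted_ip": {"ip": "203.0.113.9", "endpoint_type": "private", "target": TARGET},
    "range_edge": {"ip": "169.48.20.255", "endpoint_type": "private", "target": TARGET},
    "service_ref": {"source_service": "logs", "endpoint_type": "private", "target": TARGET},
    "other_instance": {"ip": "203.0.113.9", "endpoint_type": "public",
                       "target": dict(TARGET, serviceInstance="other-placeholder-guid")},
}


def run_demo(enforcement_mode="enabled"):
    zones = {ZONE_ID: build_zone()}
    rule = build_rule(ZONE_ID, enforcement_mode)
    return {name: evaluate(req, [rule], zones) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15s} -> {verdict}")
```

Two results are worth noting. A trusted source IP arriving over the public endpoint is still blocked, because the context requires both the zone and the private endpoint type; and a request to an instance the rule does not name is passed through to IAM untouched, which is why a rule scoped to one instance does nothing for the rest of the account. Run a new rule in report mode first so that traffic from a source you forgot to add to the zone shows up in the logs rather than failing outright.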

Limitations

  • After you create, enforce, or disable enforcement of a rule, it might take up to 10 minutes for the change to take effect.
  • An account is limited in the number of rules and network zones that it can have. For more details, see Context-based restrictions limits.