Restricting access to IBM Cloud Logs from a network zone
In this tutorial, you will set up context-based restrictions that prevent any access to the IBM Cloud Logs instance unless the request originates from an allowed network zone.
Before you begin
Before you use context-based restrictions with an IBM Cloud Logs instance, you need:
- An instance of IBM Cloud Logs
- A role of Administrator for context-based restrictions
Navigate to the context-based restrictions console
- Log in to your IBM Cloud account.
- Click Manage > Context-based restrictions.
Create a new rule
- Click Rules.
- In the service section, select IBM Cloud Logs from the menu.
- In the APIs section, select All in Service APIs.
Scope the rule
Now, you can choose the resources where you want to apply the context-based restrictions. You can specify a particular instance, or you can apply the restrictions to all IBM Cloud Logs instances.
In this tutorial, you will choose a specific IBM Cloud Logs instance.
- In the resources section, select specific resources.
- Click Add a condition and select the Service instance option from the menu.
- Select the IBM Cloud Logs instance you want the rule to affect.
- Click Continue.
![Scope the rule](/images/logs-cbr-tutorial/cbr_1.png)
Create a network zone
Now that you know which resources the rule will affect, you need to define what the rule will allow. To do this, create a new network zone and apply it to the rule.
- In the network zone section, click Create +.
- Provide a meaningful name and description for the network zone.
- Add the IP addresses to the Allowed IP addresses field. Only these IP addresses will be permitted to interact with the IBM Cloud Logs instance you selected in the previous step.
- Click Next and then Create.
- Select the newly created network zone and click Add.
- Click Continue.
Describe your rule
In the final step, you can add a description for the rule and choose how you want to enforce it. Once you've made your selections, click Create.
![Scope the rule](/images/logs-cbr-tutorial/cbr_3.png)
After you create, enforce, or disable enforcement of a rule, it might take up to 10 minutes for the change to take effect.
Verify the rule
An easy way to verify whether the rule is working as expected is to try accessing your IBM Cloud Logs instance's dashboard from IPs other than those allowed. You should be blocked from accessing the dashboard.
Next, try accessing the dashboard from an allowed IP address. You should be able to access the dashboard.
Another way to verify the rule is through CLI commands. If you try to run commands from an IP address that is not allowed for the specified instance, the command will fail with a forbidden error message.
Example command: ibmcloud logs alerts
![Scope the rule](/images/logs-cbr-tutorial/cbr_4.png)
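Because a rule change can take up to 10 minutes to apply, it helps to check the allow list offline before enforcing it and to predict which test clients should be blocked in the verification step. The following is an added example, not part of the original tutorial or IBM's tooling; it assumes the Allowed IP addresses field takes single addresses, CIDR subnets and first-last ranges, and the addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of what would be pasted into "Allowed IP addresses".
SAMPLE_ZONE = "198.51.100.10, 203.0.113.0/28, 192.0.2.20-192.0.2.23"

def parse_entry(entry):
    """Turn one allow-list entry into a list of ip_network objects."""
    entry = entry.strip()
    if "-" in entry:  # range form: first-last
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    # Single address or CIDR. strict=True rejects entries with host bits
    # set (e.g. 10.0.0.5/24), which usually indicate a typo.
    return [ipaddress.ip_network(entry, strict=True)]

def load_zone(text):
    """Parse a comma- or newline-separated allow list."""
    nets = []
    for item in text.replace("\n", ",").split(","):
        if item.strip():
            nets.extend(parse_entry(item))
    return nets

def is_allowed(zone, client_ip):
    """True if client_ip falls inside any entry of the zone."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in zone)

def review(zone, max_addresses=65536):
    """Flag entries so broad that the restriction protects very little."""
    return [f"{n}: {n.num_addresses} addresses allowed"
            for n in zone if n.num_addresses > max_addresses]

if __name__ == "__main__":
    zone = load_zone(SAMPLE_ZONE)
    for warning in review(zone):
        print("WARN", warning)
    # Constructed test clients: expect allowed, blocked, allowed, blocked.
    for ip in ("203.0.113.14", "203.0.113.16", "192.0.2.22", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(zone, ip) else "expect forbidden")
```

Run it with the address you administer from before you enforce the rule, so that you do not lock yourself out of the instance.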