IBM Cloud Docs
Restricting access to integrated services from IBM Cloud Logs using context-based restrictions

In this tutorial, you set up context-based restrictions that allow access to the integrated services IBM Cloud Object Storage, Event Notifications, and Event Streams only for requests that originate from an IBM Cloud Logs service instance.

Before you begin

Before you use context-based restrictions with integrated services to allow only requests from an IBM Cloud Logs service, you need:

  • An instance of your targeted service
  • An instance of IBM Cloud Logs
  • A role of Administrator for context-based restrictions

Navigate to the context-based restrictions console

  1. Log in to your IBM Cloud account.
  2. Click Manage > Context-based restrictions.

Create a network zone

First, create a network zone with the IBM Cloud Logs service as a service reference. This network zone will allowlist all IBM Cloud Logs service IPs either for specific locations or for all locations (default).

  1. Click Network Zones.
  2. Give a meaningful name to your zone.
  3. Scroll down to the Reference a service section and select IBM Cloud Logs from the services menu.
  4. Optionally, you can choose to allow access only for a specific location or for multiple locations from the locations menu.
  5. Click + to add the service reference.
  6. Click Next, then click Create.

Create a new rule

Next, create the rule for the targeted service.

  1. Click Rules.
  2. In the service section, select IBM Cloud Object Storage, Event Notifications, or Event Streams from the menu.
  3. In the APIs section, select All.

Scope the rule

Now, you can choose the resources where you want to apply the context-based restrictions. You can specify a particular instance, or you can apply the restrictions to all instances.

  1. In the resources section, select specific resources.
  2. Select the service instance that you want the rule to apply to.
  3. Click Continue.

Now, select the network zone created in the previous steps.

  1. Select the network zone and click Add.
  2. Click Continue.

Describe your rule

In the final step, you can add a description for the rule and choose how you want to enforce it. Once done, click Create to activate your new rule.

After you create, enforce, or disable enforcement of a rule, it might take up to 10 minutes for the change to take effect.
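The same zone and rule as in the console steps above, created through the CBR REST API; this is an added example, not IBM's own code or documentation. It assumes the CBR API base URL https://cbr.cloud.ibm.com/v1, the IAM token endpoint, that IBM Cloud Logs is identified by the service name `logs` in a service reference, and that the API key, account ID, and target instance GUID are supplied in the environment variables IBMCLOUD_API_KEY, ACCOUNT_ID, and COS_INSTANCE_GUID.

```python
import json, os
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed (added example, not IBM code): these URLs and "logs" as the Cloud Logs service name.
CBR_API = "https://cbr.cloud.ibm.com/v1"
IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"

def zone_payload(account_id, name, locations=None):
    """IBM Cloud Logs service refs only; no locations means all locations."""
    refs = []
    for loc in (locations or [None]):
        ref = {"account_id": account_id, "service_name": "logs"}
        if loc:
            ref["location"] = loc
        refs.append({"type": "serviceRef", "ref": ref})
    return {"name": name, "account_id": account_id, "addresses": refs,
            "description": "Requests originating from IBM Cloud Logs only"}

def rule_payload(account_id, zone_id, service_name, instance_guid=None,
                 enforcement_mode="enabled"):
    """One service (all APIs), optionally one instance, context = the zone."""
    attrs = [{"name": "accountId", "value": account_id},
             {"name": "serviceName", "value": service_name}]
    if instance_guid:  # omit to apply the rule to every instance
        attrs.append({"name": "serviceInstance", "value": instance_guid})
    return {"description": f"Allow only IBM Cloud Logs to reach {service_name}",
            "contexts": [{"attributes": [{"name": "networkZoneId", "value": zone_id}]}],
            "resources": [{"attributes": attrs}], "enforcement_mode": enforcement_mode}

def iam_token(api_key):
    body = urlencode({"grant_type": "urn:ibm:params:oauth:grant-type:apikey",
                      "apikey": api_key}).encode()
    with urlopen(Request(IAM_TOKEN_URL, data=body)) as resp:
        return json.load(resp)["access_token"]

def create(path, payload, token):
    req = Request(f"{CBR_API}/{path}", data=json.dumps(payload).encode(),
                  headers={"Authorization": f"Bearer {token}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":  # needs IBMCLOUD_API_KEY, ACCOUNT_ID, COS_INSTANCE_GUID
    token = iam_token(os.environ["IBMCLOUD_API_KEY"])
    acct = os.environ["ACCOUNT_ID"]
    zone = create("zones", zone_payload(acct, "logs-service-ref-zone"), token)
    rule = create("rules", rule_payload(acct, zone["id"], "cloud-object-storage",
                                        os.environ.get("COS_INSTANCE_GUID")), token)
    print("zone", zone["id"], "rule", rule["id"])  # enforcement may take ~10 min
```

Leaving out the instance GUID applies the rule to all instances of the service, matching the "all instances" option in the console.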

Verify the rule

An easy way to verify whether the rule is working as expected is to try accessing your integrated IBM Cloud Object Storage, Event Notifications, or Event Streams instances through the IBM Cloud console. Because access to these services is now restricted to the IBM Cloud Logs service only, you should be blocked from accessing the instance through the console.

To access your service instance from the console, you can edit the network zone created earlier and add your IP address to the allowed list.

To verify that the IBM Cloud Logs service can access the IBM Cloud Object Storage service, check that the buckets of the IBM Cloud Object Storage instance to which the rule applies appear in the list of buckets that can be attached to your IBM Cloud Logs instance.

Figure: Verify configured buckets. IBM Cloud Object Storage buckets are listed in the bucket list while configuring the storage for your IBM Cloud Logs instance.

Similarly, to verify whether the IBM Cloud Logs service can access the Event Notifications service, try sending a test notification from your allowed IBM Cloud Logs instance. For detailed instructions on setting up this integration, see Configuring an outbound integration to connect IBM Cloud Logs with Event Notifications.

Figure: Sending a test notification via IBM Cloud Logs.

Similarly, to verify whether the IBM Cloud Logs service can access the Event Streams service, try sending a test stream from your allowed IBM Cloud Logs instance. For detailed instructions on setting up this integration, see Integrating IBM Cloud Logs with Event Streams.

Figure: Verify using CBR with Event Streams. Sending a sample test stream via IBM Cloud Logs.