Restricting access to integrated services from IBM Cloud Logs using context-based restrictions
In this tutorial, you will set up context-based restrictions that allow access to the following integrated services: IBM Cloud Object Storage, Event Notifications, and Event Streams, but only for requests originating from an IBM Cloud Logs service instance.
Before you begin
Before you use context-based restrictions with integrated services to only allow requests from an IBM Cloud Logs service, you need:
- An instance of your targeted service
- An instance of IBM Cloud Logs
- A role of Administrator for context-based restrictions
Navigate to the context-based restrictions console
- Log in to your IBM Cloud account.
- Click Manage > Context-based restrictions.
Create a network zone
First, create a network zone with the IBM Cloud Logs service as a service reference. This network zone will allowlist all IBM Cloud Logs service IPs either for specific locations or for all locations (default).
- Click Network Zones.
- Give a meaningful name to your zone.
- Scroll down to the Reference a service section and select IBM Cloud Logs from the services menu.
- Optionally, you can choose to allow access only for a specific location or for multiple locations from the locations menu.
- Click + to add the service reference.
- Click Next, then click Create.
Create a new rule
Next, create the rule for the targeted service.
- Click Rules.
- In the service section, select IBM Cloud Object Storage, Event Notifications, or Event Streams from the menu.
- In the APIs section, select All.
Scope the rule
Now, you can choose the resources where you want to apply the context-based restrictions. You can specify a particular instance, or you can apply the restrictions to all instances.
- In the resources section, select specific resources.
- Select the service instance that you want the rule to apply to.
- Click Continue.
Now, select the network zone created in the previous steps.
- Select the network zone and click Add.
- Click Continue.
Describe your rule
In the final step, you can add a description for the rule and choose how you want to enforce it. Once done, click Create to activate your new rule.
After you create, enforce, or disable enforcement of a rule, it might take up to 10 minutes for the change to take effect.
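The zone and rule that the console steps above create can also be submitted to the context-based restrictions v1 REST API (POST /v1/zones and POST /v1/rules at https://cbr.cloud.ibm.com). The Python below is an added example, not code from the IBM Cloud documentation; it assumes `logs` is the CBR service name for IBM Cloud Logs, and all account, zone, instance and token values are placeholders you substitute.

```python
import json
import urllib.request

CBR_API = "https://cbr.cloud.ibm.com/v1"
ENFORCEMENT_MODES = {"enabled", "report", "disabled"}


def build_zone_payload(account_id, name, locations=None, extra_ips=()):
    """Zone that allowlists IBM Cloud Logs as a service reference (assumed CBR
    service name 'logs'): one serviceRef per location, or a single unscoped
    serviceRef for all locations. extra_ips optionally admits operator IPs so
    the console can still reach the instance (the 'edit the zone' step)."""
    refs = [{"account_id": account_id, "service_name": "logs"}]
    if locations:
        refs = [dict(r, location=loc) for r in refs for loc in locations]
    addresses = [{"type": "serviceRef", "ref": r} for r in refs]
    addresses += [{"type": "ipAddress", "value": ip} for ip in extra_ips]
    return {"name": name, "account_id": account_id,
            "description": "Allow requests originating from IBM Cloud Logs",
            "addresses": addresses}


def build_rule_payload(account_id, zone_id, service_name, instance_guid,
                       enforcement_mode="report"):
    """Rule scoped to one instance of the target service; omitting the
    'operations' block means all APIs, matching the console 'All' choice.
    'report' mode logs would-be denials without blocking, so start there and
    switch to 'enabled' once IBM Cloud Logs traffic is confirmed allowed."""
    if enforcement_mode not in ENFORCEMENT_MODES:
        raise ValueError(f"enforcement_mode must be one of {sorted(ENFORCEMENT_MODES)}")
    return {
        "description": f"Only IBM Cloud Logs may call {service_name} {instance_guid}",
        "contexts": [{"attributes": [{"name": "networkZoneId", "value": zone_id}]}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": service_name},
            {"name": "serviceInstance", "value": instance_guid},
        ]}],
        "enforcement_mode": enforcement_mode,
    }


def cbr_post(path, payload, iam_token):
    """POST a payload to the CBR API with an IAM bearer token; returns parsed JSON."""
    req = urllib.request.Request(f"{CBR_API}{path}", data=json.dumps(payload).encode(),
                                 headers={"Authorization": f"Bearer {iam_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Create the zone first with `cbr_post("/zones", build_zone_payload(...), token)`, take the `id` from the response, and pass it as `zone_id` to `build_rule_payload` before posting to `/rules`; the same 10-minute propagation delay applies as for rules created in the console.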
Verify the rule
An easy way to verify whether the rule is working as expected is to try accessing your integrated IBM Cloud Object Storage, Event Notifications or Event Streams instances through the IBM Cloud console. Since we've restricted access to these services from IBM Cloud Logs service only, you should be blocked from accessing the instance through the console.
To access your service instance from the console, you can edit the network zone created earlier and add your IP address to the allowed list.
To verify that the IBM Cloud Logs service can access the IBM Cloud Object Storage service, check whether the buckets of the IBM Cloud Object Storage instance that the rule was applied to appear in the list of buckets that can be attached to your IBM Cloud Logs instance.
![Verify configured buckets](/images/logs-cbr-tutorial/cbr_6.png)
Similarly, to verify whether the IBM Cloud Logs service can access the Event Notifications service, try sending a test notification from your allowed IBM Cloud Logs instance. For detailed instructions on setting up this integration, see Configuring an outbound integration to connect IBM Cloud Logs with Event Notifications.
![Sending a test notification](/images/logs-cbr-tutorial/cbr_5.png)
Similarly, to verify whether the IBM Cloud Logs service can access the Event Streams service, try sending a test stream from your allowed IBM Cloud Logs instance. For detailed instructions on setting up this integration, see Integrating IBM Cloud Logs with Event Streams.
![Verify using CBR with Event Streams](/images/logs-cbr-tutorial/cbr_event_stream.png)