Managing database IP access lists

You can use the DevOps API to manage your database IP access lists.

To manage database IP access lists, you need the Organization Administrator or Database Administrator role.

Prerequisites

Get IP access lists

Get the existing access lists for your databases.

  • Get all access lists

  • Get one access list

Get the IP access lists for all databases in your organization. For more information, see the API reference.

curl --request GET \
  --url 'https://api.astra.datastax.com/v2/access-lists' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'

Get the IP access list for one database. For more information, see the API reference.

curl --request GET \
  --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>'

Response

A successful response includes the IP access list entries for one database or all databases in your organization, depending on the request:

[
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      }
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]
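
The following check is an added example, not DataStax code: it parses a response shaped like the one above and reports databases whose access list is not enabled, has no enabled entries, or contains a very broad range. The sample data, the audit_access_lists name, and the prefix-length policy are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like the response above; database IDs are placeholders.
SAMPLE_RESPONSE = json.dumps([
    {"databaseId": "db-prod", "configurations": {"accessListEnabled": True},
     "addresses": [{"address": "137.187.23.0/24", "enabled": True}]},
    {"databaseId": "db-dev", "configurations": {"accessListEnabled": True},
     "addresses": [{"address": "0.0.0.0/0", "enabled": True},
                   {"address": "125.187.17.0/24", "enabled": False}]},
    {"databaseId": "db-test", "configurations": {"accessListEnabled": False},
     "addresses": [{"address": "10.0.0.0/8", "enabled": True}]},
    {"databaseId": "db-empty", "configurations": {"accessListEnabled": True},
     "addresses": []},
])

# Assumed policy: flag ranges broader than /16 (IPv4) or /32 (IPv6).
MIN_PREFIX = {4: 16, 6: 32}


def audit_access_lists(response_text):
    """Return sorted (databaseId, finding) tuples for a GET access-lists body."""
    findings = []
    for db in json.loads(response_text):
        db_id = db.get("databaseId", "<unknown>")
        if not db.get("configurations", {}).get("accessListEnabled", False):
            findings.append((db_id, "accessListEnabled is false"))
        # Only enabled entries are evaluated; disabled ones are ignored.
        enabled = [a for a in db.get("addresses", []) if a.get("enabled")]
        if not enabled:
            findings.append((db_id, "no enabled entries"))
        for entry in enabled:
            try:
                net = ipaddress.ip_network(entry["address"], strict=False)
            except (KeyError, ValueError):
                findings.append((db_id, "unparseable address entry"))
                continue
            if net.prefixlen == 0:
                findings.append((db_id, f"{net} allows every address"))
            elif net.prefixlen < MIN_PREFIX[net.version]:
                findings.append((db_id, f"{net} is broader than /{MIN_PREFIX[net.version]}"))
    return sorted(findings)


if __name__ == "__main__":
    for db_id, finding in audit_access_lists(SAMPLE_RESPONSE):
        print(f"{db_id}: {finding}")
```
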

Add access list entries

Each database has its own IP access list. When you add entries, make sure you add them to all applicable databases.

For multi-region databases, all regions share the same access list.

  1. If you have no access list entries, you can get an access list template:

    curl --request GET \
      --url 'https://api.astra.datastax.com/v2/access-list/template' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>'

Response

[
  {
    "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
    "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
    "addresses": [
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the production environment.",
        "lastUpdateDateTime": "2021-01-21T17:32:28Z"
      }
    ],
    "configurations": {
      "accessListEnabled": true
    }
  }
]
  2. Send a POST request to the access-list endpoint with your new access list entries in the request body. For more information, see the API reference.

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '[
          {
            "address": "125.187.17.0/24",
            "enabled": true,
            "description": "Development"
          }
        ]'

  3. Optional: To verify that the entries were added, use the Get IP access lists endpoints.

  4. After adding IP access list entries, restart any applications, including clients and drivers, that depend on a connection to your database. DataStax recommends testing IP access list changes in a development environment prior to applying them in production.

    It can take a few minutes for a database to honor new IP access list entries. Wait a few minutes before attempting to connect to your database from the new IP address.

Replace or edit an existing access list

  1. Use the Get IP access lists endpoints to get the existing entries for the IP access list that you want to replace.

  2. To replace the entire list, send a PUT request containing the new access list entries:

    curl --request PUT \
      --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "addresses": [
              {
                "address": "125.187.17.0/24",
                "enabled": true,
                "description": "Development",
                "lastUpdateDateTime": "2021-01-21T17:32:28Z"
              }
            ],
            "configurations": {
              "accessListEnabled": true
            }
        }'
  3. To update an entry, send a PATCH request containing the entries to update. The address is the unique identifier for each entry.

    curl --request PATCH \
      --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "addresses": [
              {
                "address": "125.187.17.0/24",
                "enabled": true,
                "description": "Development"
              }
            ],
            "configurations": {
              "accessListEnabled": true
            }
        }'
  4. Optional: To verify the changes, use the Get IP access lists endpoints.

  5. After modifying IP access list entries, restart any applications, including clients and drivers, that depend on a connection to your database. DataStax recommends testing IP access list changes in a development environment prior to applying them in production.

    It can take a few minutes for a database to honor new IP access list entries. Wait a few minutes before attempting to connect to your database from the new IP address.

Delete entries or lists

  1. Use the Get IP access lists endpoints to get the existing entries for the IP access list that you want to edit or delete.

  2. To delete specific addresses, send a DELETE request that includes the specific addresses to delete.

    If you don’t specify an address to delete, the entire access list is deleted. If you delete the entire list, public access is no longer restricted.

    curl --request DELETE \
      --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "addresses": [
              {
                "address": "125.187.17.0/24"
              }
            ]
        }'
  3. To delete a database’s entire access list, send a DELETE request with no body.

    If you delete the entire list, public access is no longer restricted.

    curl --request DELETE \
      --url 'https://api.astra.datastax.com/v2/databases/<databaseId>/access-list' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>'
  4. Optional: To verify the deletions, use the Get IP access lists endpoints.
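
Because a DELETE request that names no address removes the whole list, a wrapper can refuse to build such a request. The following is an added example, not part of the DataStax documentation: the plan_delete name and its policy of refusing to remove every entry are assumptions. It checks the requested addresses against the entries from a prior GET and returns the JSON body for the DELETE request.

```python
import ipaddress
import json


def _canon(value):
    """Normalize an address or CIDR string; raises ValueError if malformed."""
    return str(ipaddress.ip_network(value, strict=False))


def plan_delete(current_addresses, to_delete):
    """Build the JSON body for deleting specific entries, or raise ValueError.

    current_addresses: "address" values from a prior GET for the same database.
    to_delete: the addresses the operator wants removed.
    """
    if not to_delete:
        # Per the page, a DELETE that names no address removes the entire list.
        raise ValueError("no addresses given; refusing to build the request")

    # Map normalized form -> exact string stored in the list, because the
    # address is the unique identifier for each entry.
    current = {_canon(a): a for a in current_addresses}

    entries, seen = [], set()
    for raw in to_delete:
        key = _canon(raw)
        if key not in current:
            raise ValueError(f"{raw} is not in the current access list")
        if key not in seen:  # drop duplicates
            seen.add(key)
            entries.append({"address": current[key]})

    # Assumed policy: emptying the list must be a separate, deliberate action.
    if len(seen) == len(current):
        raise ValueError("request would remove every entry in the list")
    return json.dumps({"addresses": entries})


if __name__ == "__main__":
    # Constructed example using the addresses shown on this page.
    existing = ["137.187.23.0/24", "125.187.17.0/24"]
    print(plan_delete(existing, ["125.187.17.0/24"]))
```
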

© 2024 DataStax