Manage the DevOps API IP access list
By default, the DevOps API is accessible from any public IP address. However, you can configure the DevOps API IP access list for your organization to allow only connections from trusted IP addresses. If configured, the DevOps API automatically denies any connection attempts to and from an IP that is not included in the list.
Prerequisites
- An active Astra account
- An application token or user role with permission to manage the DevOps API access list, such as the Organization Administrator role or the Write IP Access List and Read IP Access List permissions
Manage the DevOps API access list with the DevOps API
Use the DevOps API access list endpoints to get, add, edit, and delete DevOps API access list entries for an Astra DB organization.
Get the current DevOps API access list
Use GET /devops-acl to view the current DevOps API access list for your organization:
curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json"
Add an entry or create a new DevOps API access list
Use POST /devops-acl to enable IP access list restriction and create an initial DevOps API access list.
If an access list already exists, this request adds an entry to the existing list.
curl -sS --location -X POST "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json" \
  --data '[
    {
      "address": "IP_TO_ALLOW/32",
      "description": "Test IP",
      "enabled": true
    }
  ]'
Replace the existing DevOps access list
Use PUT /devops-acl to replace the entire existing list with a new set of IPs.
If the organization doesn’t have a DevOps API access list, this request creates a list and enables DevOps API IP access list restriction.
curl -sS --location -X PUT "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json" \
  --data '[
    {
      "address": "IP_TO_ALLOW/32",
      "description": "first IP",
      "enabled": true
    }
  ]'
Update a single address in a DevOps API access list
Use PATCH /devops-acl to update a single entry in the list.
The address field is the unique identifier.
curl -sS --location -X PATCH "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "address": "IP_TO_ALLOW/32",
    "description": "Three Time",
    "enabled": true
  }'
Delete and disable a DevOps API access list
Use DELETE /devops-acl to delete the access list and disable IP access list restriction for the DevOps API.
Deleting the DevOps API access list diminishes your security posture because the DevOps API is accessible from any public IP address without the access list.
curl -sS --location -X DELETE "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json"
Manage the DevOps API access list in the Astra Portal
The ability to configure the DevOps API access list in the Astra Portal is currently in public preview. Development is ongoing, and the features and functionality are subject to change. Astra DB Classic, and the use of such, is subject to the DataStax Preview Terms. To enable this feature in your organization, contact DataStax Support. The DevOps API access list endpoints are generally available for programmatic configuration. Only the GUI component is in preview.
You can manage your organization’s DevOps API IP access list in the Astra Portal.
Adding an entry to the DevOps API access list in the Astra Portal automatically enables IP access list restriction.
To add an entry to your organization’s DevOps API access list:
- In the Astra Portal navigation menu, click Settings, and then click Security.
- In the DevOps API Access List section, click Add IP address.
- In the Add Access dialog, enter the IP address or CIDR-notated range of IP addresses that you want to be able to access the DevOps API for your organization.
  The Current IP Address field shows the IP address you are currently using to access the Astra Portal. You can click Copy to automatically paste this address into the IP Address or CIDR field.
  Using CIDR notation
  A CIDR range indicates a range of IP addresses. For example, the CIDR range 192.168.0.0/16 represents the first IP address of 192.168.0.0 through the last IP address of 192.168.255.255. The /16 mask indicates that the first 16 bits of the IP address are static. The addresses in the CIDR range are represented by all the permutations of the last 16 bits.
  Multiple tools are available online to help you convert a range of IP addresses to CIDR.
- Optional: Enter a description for the access list entry.
- Click Add Address.
To edit, disable, or delete an entry, click More Options, and then select the action that you want to take.
Deleting all entries disables IP access list restriction for the DevOps API for your organization. This diminishes your security posture because the DevOps API is accessible from any public IP address without the access list.
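The CIDR conversion described under "Using CIDR notation" and the entry format used in the POST and PUT request bodies can be prepared offline. The following is an added example, not DataStax code: the helper names (range_to_cidrs, build_entries, is_allowed, preflight) are hypothetical, the sample addresses are constructed, and it assumes that an entry with "enabled": false is not enforced. It converts IP ranges to CIDR blocks, builds the entry list, and refuses to emit a request body that does not cover the address you call the API from, since unlisted addresses are denied once the list is in place.

```python
import ipaddress
import json

def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks that covers first..last exactly."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]

def build_entries(ranges):
    """Build entries in the address/description/enabled shape shown on this page.

    ranges: iterable of (first_ip, last_ip, description) tuples.
    """
    entries = []
    for first, last, description in ranges:
        for cidr in range_to_cidrs(first, last):
            entries.append({"address": cidr, "description": description, "enabled": True})
    return entries

def is_allowed(ip, entries):
    """True if ip falls inside at least one enabled entry."""
    # Assumption: disabled entries are ignored when the list is evaluated.
    addr = ipaddress.ip_address(ip)
    return any(
        e["enabled"] and addr in ipaddress.ip_network(e["address"])
        for e in entries
    )

def preflight(caller_ip, entries):
    """Return the JSON request body, or raise if it would exclude the caller."""
    if not is_allowed(caller_ip, entries):
        raise ValueError(f"{caller_ip} is not covered by any enabled entry")
    return json.dumps(entries, indent=2)

# Constructed sample data (RFC 5737 documentation addresses), not real hosts.
SAMPLE_RANGES = [
    ("203.0.113.10", "203.0.113.10", "CI runner"),
    ("198.51.100.0", "198.51.100.127", "Office egress"),
    ("192.168.0.0", "192.168.255.255", "Range from the CIDR example above"),
]

if __name__ == "__main__":
    entries = build_entries(SAMPLE_RANGES)
    # Body suitable for --data in the POST or PUT requests shown earlier.
    print(preflight("198.51.100.42", entries))
```

A range that does not fall on a block boundary expands to several entries; for example, 203.0.113.5 through 203.0.113.10 becomes four CIDR blocks.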