Manage the DevOps API IP access list
By default, the DevOps API is accessible from any public IP address. However, you can configure the DevOps API IP access list for your organization to allow only connections from trusted IP addresses. If configured, the DevOps API automatically denies any connection attempts to and from an IP that is not included in the list.
To restrict access and manage entries in the DevOps API IP access list, you must have the Write IP Access List and Read IP Access List permissions.
Manage the DevOps API access list with the DevOps API
The DevOps API Access List endpoints have the following functionality:
- GET: Retrieve the current DevOps API access list.
- POST: Enable IP access list restriction and create a new access list, or add a new entry to the list.
- PUT: Replace the existing access list with a new one.
- PATCH: Add or update a single IP address in the access list.
- DELETE: Delete the access list and disable IP access list restriction to the DevOps API.
Prerequisites
To use the DevOps API to manage the DevOps API IP access list, you need the following:
- Access to the Astra DB DevOps API.
- A valid application token for authorization.
- cURL installed to make API requests.
Retrieve the current DevOps API access list
Use GET /devops-acl to view the current DevOps API access list for your organization.
Request:
curl --location "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ORG_TOKEN"
Add an entry or create a new DevOps API access list
Use POST /devops-acl to enable IP access list restriction and create an initial DevOps API access list. If an access list already exists, this action adds an entry to the existing list.
Request:
curl --location "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ORG_TOKEN" \
--data '[
{
"address": "IP_TO_ALLOW/32",
"description": "Test IP",
"enabled": true
}
]'
Replace the existing DevOps API access list
Use PUT /devops-acl to replace the entire existing list with a new set of IPs. This action also enables the feature, if it wasn’t previously enabled.
Request:
curl --location --request PUT "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header "Authorization: Bearer ORG_TOKEN" \
--header "Content-Type: application/json" \
--data '[
{
"address": "IP_TO_ALLOW/32",
"description": "first IP",
"enabled": true
}
]'
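Because PUT replaces the whole list and the API then denies any address that is not on it, a proposed payload can be checked locally before it is sent. The following Python check is an added example, not DataStax code: it validates each address as CIDR, flags duplicate addresses and overly broad ranges, and confirms that the caller's own IP is covered by an enabled entry. Assumptions: the caller's public IP is known, an entry with "enabled": false does not grant access, MIN_PREFIX_V4 is a local policy threshold, and the sample list is constructed.

```python
import ipaddress

MIN_PREFIX_V4 = 16  # assumption: local policy threshold, not an API limit

# Constructed sample payload (documentation and private address ranges only).
SAMPLE_ACL = [
    {"address": "198.51.100.7/32", "description": "CI runner", "enabled": True},
    {"address": "203.0.113.10/24", "description": "office", "enabled": True},
    {"address": "198.51.100.7/32", "description": "CI runner again", "enabled": True},
    {"address": "192.0.2.0/24", "description": "VPN egress", "enabled": False},
    {"address": "10.0.0.0/8", "description": "too wide", "enabled": True},
]

def check_acl(entries, caller_ip):
    """Return a list of problems found in a proposed access list payload."""
    problems, seen, caller_covered = [], set(), False
    caller = ipaddress.ip_address(caller_ip)
    for i, entry in enumerate(entries):
        try:
            # strict=True rejects host bits set below the mask (203.0.113.10/24)
            net = ipaddress.ip_network(entry["address"], strict=True)
        except (KeyError, ValueError) as exc:
            problems.append(f"entry {i}: invalid address: {exc}")
            continue
        if net in seen:  # the address field is the entry's unique identifier
            problems.append(f"entry {i}: duplicate address {net}")
        seen.add(net)
        if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            problems.append(f"entry {i}: {net} is broader than /{MIN_PREFIX_V4}")
        # Assumption: an entry with enabled=false does not grant access.
        if entry.get("enabled") is True and caller in net:
            caller_covered = True
    if not caller_covered:
        problems.append(f"{caller} is not covered by an enabled entry")
    return problems

if __name__ == "__main__":
    for problem in check_acl(SAMPLE_ACL, "192.0.2.44"):
        print(problem)
```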
Update a single address in a DevOps API access list
Use PATCH /devops-acl to update a single entry in the list. The address field is the unique identifier.
Request:
curl --location --request PATCH "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ORG_TOKEN" \
--data '{
"address": "IP_TO_ALLOW/32",
"description": "Three Time",
"enabled": true
}'
Delete and disable a DevOps API access list
Use DELETE /devops-acl to delete the access list and disable IP access list restriction for the DevOps API.
Deleting the DevOps API access list diminishes your security posture because the DevOps API is accessible from any public IP address without the access list.
Request:
curl --location --request DELETE "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ORG_TOKEN"
Manage the DevOps API access list in the Astra Portal
You can manage your organization’s DevOps API IP access list in the Astra Portal.
Adding an entry to the DevOps API access list in the Astra Portal automatically enables IP access list restriction.
To add an entry to your organization’s DevOps API access list:
- In the Astra Portal, click Settings.
- Click the Security tab.
- In the DevOps API Access List section, click Add IP address.
- In the Add Access dialog, enter the IP address or CIDR-notated range of IP addresses that you want to be able to access the DevOps API for your organization.
  The Current IP Address field shows the IP address you are currently using to access the Astra Portal. You can click Copy to automatically paste this address into the IP Address or CIDR field.
  Using CIDR notation
  A CIDR range indicates a range of IP addresses. For example, the CIDR range 192.168.0.0/16 represents the first IP address of 192.168.0.0 through the last IP address of 192.168.255.255. The /16 mask indicates that the first 16 bits of the IP address are static. The addresses in the CIDR range are represented by all the permutations of the last 16 bits.
  Multiple tools are available online to help you convert a range of IP addresses to CIDR.
- Optional: Enter a description for the access list entry.
- Click Add Address.
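The CIDR arithmetic described in the steps above can also be done locally with Python's standard ipaddress module. This is an added example, not part of the original page: cidr_bounds reproduces the 192.168.0.0/16 bounds, and range_to_entries (a hypothetical helper name) covers an arbitrary inclusive range with the fewest CIDR blocks and emits them in the access list entry shape. The address range and description in the demo are constructed.

```python
import ipaddress
import json

def cidr_bounds(cidr):
    """Return the (first, last) addresses of a CIDR block as strings."""
    # strict=True rejects input whose host bits are set, e.g. 192.168.0.1/16
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1])

def range_to_entries(first, last, description):
    """Cover first..last (inclusive) with the fewest CIDR blocks.

    Returns dicts with the address/description/enabled fields used by
    the access list payloads on this page.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("range endpoints must both be IPv4 or both be IPv6")
    if lo > hi:
        raise ValueError("range start is after range end")
    return [
        {"address": str(net), "description": description, "enabled": True}
        for net in ipaddress.summarize_address_range(lo, hi)
    ]

if __name__ == "__main__":
    print(cidr_bounds("192.168.0.0/16"))
    # Constructed range: it does not start on a block boundary, so a
    # single CIDR entry cannot describe it exactly.
    entries = range_to_entries("203.0.113.10", "203.0.113.20", "office NAT pool")
    print(json.dumps(entries, indent=2))
```

A range that is not aligned to a power-of-two boundary needs several entries; widening it to one larger block would admit addresses outside the intended range.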
To edit, disable, or delete an entry, click More Options, and then select the action that you want to take.
Deleting all entries disables IP access list restriction for the DevOps API for your organization. This diminishes your security posture because the DevOps API is accessible from any public IP address without the access list.