Manage database IP access lists

By default, Astra DB Serverless databases don’t restrict public access. This means databases allow connection attempts from any public IP address. However, you can use each database’s IP access list to allow only client connections from trusted IP addresses. If the IP access list is configured, then the database automatically denies any connection attempts to and from an IP that isn’t included in the list.

Prerequisites

Restrict public access to a database

When you restrict public access, your database becomes inaccessible to all internet traffic. This can disrupt any applications that depend on a connection to your database, including viewing the database from your own machine.

To prevent downtime, promptly add approved IP addresses or CIDR blocks to the access list. Until you add entries to the access list, no external public connections to your database are allowed.

Restricting public access doesn’t affect private endpoint connections. However, DataStax recommends restricting public access to ensure that your database is available only through private endpoints and allowed IPs.

To restrict public access to a database, do the following:

  1. In the Astra Portal, click the name of the database that you want to modify.

    Each database has one IP access list. For multi-region databases, this access list applies to every region for that database.

  2. Click the Settings tab.

  3. In the IP Access List section, enable Restrict public access.

  4. To confirm the change, click Restrict Public Access.

Add IP access list entries

After you restrict public access to a database, create a list of allowed IP addresses or CIDR blocks that can access the database. Each entry can be a single IPv4 address, an address space, or a CIDR block.

What is CIDR notation?

A CIDR range indicates a range of IP addresses. For example, the CIDR range 192.168.0.0/16 represents the first IP address of 192.168.0.0 through the last IP address of 192.168.255.255. The /16 mask indicates that the first 16 bits of the IP address are static. The addresses in the CIDR range are represented by all the permutations of the last 16 bits. AI assistants and other widely available tools can help you convert a range of IP addresses to CIDR.

Each database has its own IP access list. When you add entries, make sure you add them to all applicable databases. For a multi-region database, all of the database’s regions share the same access list.

Add IP access list entries in the Astra Portal

In the Astra Portal, you can add individual access list entries, import multiple entries from a file, or copy entries from another database.

Importing entries from a file or another database overrides any existing access list entries.

Add one entry

  1. In the Astra Portal, click the name of the database that you want to modify.

  2. Click the Settings tab.

  3. In the IP Access List section, click Add Access, and then select Add IP Address.

  4. In the IP Address or CIDR field, enter an allowed IP address or CIDR-notated range of IP addresses.

    The Add IP Address option supports allowed (enabled and accepting traffic) addresses only. To configure disallowed addresses, you must import entries from a file or use the DevOps API.

    The Current IP Address field contains the IP address that you are currently using to access the Astra Portal. You can click Copy to automatically paste this address into the IP Address or CIDR field.

  5. Optional: Enter a description for the access list entry.

  6. Click Add Address.

  7. If needed, repeat this process to add more entries.

  8. Recommended: Test the connection and restart applications.

Import entries from a file

You can import one or more IP access list entries from a JSON file:

  1. In the Astra Portal, click the name of the database that you want to modify.

  2. Click the Settings tab.

  3. Generate an IP access list template:

    1. In the IP Access List section, click Export List.

    2. Select Access List Template, and then click Export List to download the template file.

    3. Optional: Rename the template file to something meaningful, such as DATABASE_NAME-access-list.json.

  4. In a text editor, open the template file or create a new JSON file, define all IP access entries, and then save the file.

    You can use the same file for multiple databases, but you can upload only one file for each database. Subsequent uploads overwrite all previous entries for that database. If you need different lists for different databases or environments, create a separate file for each use case.

    sample-db-access-list.json
    {
      "addresses": [
        {
          "address": "192.168.0.1/32",
          "description": "This CIDR allows datacenter B to connect to database A",
          "enabled": true
        },
        {
          "address": "192.168.0.3",
          "description": "Must remain disallowed unless approved by security team",
          "enabled": false
        }
      ],
      "configurations": {
        "accessListEnabled": true
      }
    }

    The JSON file must include an addresses array with at least one entry, and a configurations object with "accessListEnabled": true. If you are using the template file, don’t delete or change the configurations object.

    The addresses array can contain as many or as few entries as you need. If you are using the template file, delete or replace the sample entries. Each entry is an object containing the following fields:

    • address: A single IPv4 address, an address space, or a CIDR block.

    • enabled: Either true (allowed and accepting traffic) or false (disallowed and not accepting traffic).

    • description: Optional string describing the entry, such as its purpose, source, or owner.

  5. In the Astra Portal, in the IP Access List section, click Add Access, and then select Upload from file.

  6. Click Select File, and then select your IP access list JSON file.

    When the file finishes uploading, the Astra Portal shows a preview of the entries.

  7. Click Import List.

  8. Recommended: Test the connection and restart applications.
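A pre-import lint for the JSON file described in the steps above, added here as an example; it is not part of the DataStax documentation or tooling. It checks the rules this page states (a non-empty addresses array, accessListEnabled set to true, a boolean enabled field, an IPv4 address or CIDR block) and adds three assumed hygiene checks: host bits set in a CIDR, duplicate ranges, and enabled ranges wider than an assumed /16 policy threshold (`MIN_PREFIX`). The function name and the sample entries are constructed.

```python
import ipaddress
import json

# Constructed sample in the page's file format, with deliberate mistakes added.
SAMPLE = """
{
  "addresses": [
    {"address": "192.168.0.1/32", "description": "datacenter B", "enabled": true},
    {"address": "192.168.0.3", "description": "blocked pending review", "enabled": false},
    {"address": "10.1.2.3/16", "description": "typo: host bits set", "enabled": true},
    {"address": "0.0.0.0/0", "description": "temporary debug rule", "enabled": true},
    {"address": "192.168.0.1", "description": "repeat of entry 0", "enabled": "yes"}
  ],
  "configurations": {"accessListEnabled": true}
}
"""

MIN_PREFIX = 16  # assumed local policy threshold, not an Astra limit


def check_access_list(text, min_prefix=MIN_PREFIX):
    """Return (index, message) findings; index is None for file-level problems."""
    doc = json.loads(text)
    findings = []
    if doc.get("configurations", {}).get("accessListEnabled") is not True:
        findings.append((None, "configurations.accessListEnabled must be true"))
    entries = doc.get("addresses")
    if not isinstance(entries, list) or not entries:
        findings.append((None, "addresses must be an array with at least one entry"))
        return findings
    seen = {}  # normalized network -> index of the first entry that used it
    for i, entry in enumerate(entries):
        if not isinstance(entry.get("enabled"), bool):
            findings.append((i, "enabled must be true or false"))
        raw = str(entry.get("address", ""))
        try:
            iface = ipaddress.IPv4Interface(raw)  # a bare address parses as /32
        except ValueError:
            findings.append((i, f"{raw!r} is not an IPv4 address or CIDR block"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # 10.1.2.3/16 reads like one host but covers the whole /16.
            findings.append((i, f"host bits set in {raw}; the range is {net}"))
        if net in seen:
            findings.append((i, f"same range as entry {seen[net]} ({net})"))
        seen.setdefault(net, i)
        if entry.get("enabled") is True and net.prefixlen < min_prefix:
            findings.append((i, f"enabled range {net} spans {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for index, message in check_access_list(SAMPLE):
        print("file" if index is None else f"entry {index}", "-", message)
```

Because an import replaces every existing entry, running a check like this on the file before uploading it catches a mistyped or overly broad range before it becomes the database's whole access list.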

Copy entries from another database

You can import database IP access list entries from another database in your organization:

  1. In the Astra Portal, click the name of the database that you want to modify.

  2. Click the Settings tab.

  3. In the IP Access List section, click Add Access, and then select Import from database.

  4. In the Import from database dialog, select another database in your organization to import its IP access list entries.

    After selecting a database, the Astra Portal shows a preview of the entries. Make sure the entries are correct for the current database.

  5. Click Import List.

  6. Recommended: Test the connection and restart applications.

Add IP access list entries with the DevOps API

To manage IP access list entries for Astra DB Serverless databases with the DevOps API, use the database access list endpoints:

  1. Get the database’s existing access list:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    A successful response includes the IP access list entries for the specified database, if any exist:

    Result
    [
      {
        "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
        "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
        "addresses": [
          {
            "address": "137.187.23.0/24",
            "enabled": true,
            "description": "This address allows the database connections from the production environment.",
            "lastUpdateDateTime": "2021-01-21T17:32:28Z"
          }
        ],
        "configurations": {
          "accessListEnabled": true
        }
      }
    ]

    To get access lists for all databases in your organization, use GET /v2/access-lists.

  2. If the database doesn’t have an access list, get an access list template:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/access-list/template" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    A successful response includes an example of an access list with one entry:

    Result
    {
      "addresses": [
        {
          "address": "137.187.23.0/24",
          "enabled": true,
          "description": "This address allows the database connections from the prod environment"
        }
      ],
      "configurations": {
        "accessListEnabled": true
      }
    }

  3. Add addresses to the database’s access list:

    curl -sS -L -X POST "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json" \
    --data '[
      {
        "address": "137.187.23.0/24",
        "enabled": true,
        "description": "This address allows the database connections from the prod environment"
      }
    ]'

    Each address is an object containing the following fields:

    • address: A single IPv4 address, an address space, or a CIDR block.

    • enabled: Either true (allowed and accepting traffic) or false (disallowed and not accepting traffic).

    • description: Optional string describing the entry, such as its purpose, source, or owner.

    To verify the structure of the access list before applying it, use POST /v2/access-list/validate.

  4. Optional: Send another request to GET /v2/databases/DATABASE_ID/access-list to confirm that the entries were added.

  5. Recommended: Test the connection and restart applications.

Test the connection and restart applications

After you add or edit IP access list entries, restart any applications, including clients and drivers, that depend on a connection to your database. DataStax recommends testing IP access list changes in a development environment before applying them in production.

The database might take a few minutes to recognize new IP access list entries. Wait a few minutes before you attempt to connect to your database from the new IP address.

Edit IP access list entries

You can use the Astra Portal and the DevOps API to modify IP access list entries.

Edit entries in the Astra Portal

There are several ways to modify IP access list entries in the Astra Portal, depending on the scope of the changes you want to make:

Edit a description

  1. In the Astra Portal, click the name of the database that you want to modify.

  2. Click the Settings tab.

  3. In the IP Access List section, find the entry you want to edit, click More, and then select Edit.

  4. In the Add Access dialog, edit the description, and then click Update Address to save your changes.

Enable or disable an entry

  1. In the Astra Portal, click the name of the database that you want to modify.

  2. Click the Settings tab.

  3. In the IP Access List section, find the entry you want to modify, click More, and then select either Disable or Enable, depending on the entry’s current status.

  4. Recommended: Test the connection and restart applications.

Edit one address

To change an address, you must replace the relevant access list entry:

  1. In the Astra Portal, click the name of the database that you want to modify.

  2. Click the Settings tab.

  3. In the IP Access List section, find the entry you want to replace, click More, select Delete, and then confirm the deletion.

  4. To add the replacement entry, click Add Access, select Add IP Address, and then enter the new address. For more information, see Add one entry in the Astra Portal.

  5. Recommended: Test the connection and restart applications.

Edit multiple entries or replace the entire list

To edit multiple entries at once, import an updated access list JSON file:

  1. In the Astra Portal, click the name of the database that you want to modify.

  2. Click the Settings tab.

  3. In the IP Access List section, click Export List, select Current List, and then click Export List to download the current access list as a JSON file.

  4. Edit the downloaded JSON file to add, change, or remove entries as desired.

    Importing a file overwrites all access list entries. Make sure your JSON file includes the entire IP access list, including new entries, modified entries, and unchanged entries.

    For more information about the format and contents of this file, see Import entries from a file.

  5. Click Add Access, and then select Upload from file.

  6. Click Select File, select your IP access list JSON file, and then click Import List.

  7. Recommended: Test the connection and restart applications.

You can also replace a list by copying entries from another database.

Edit entries with the DevOps API

To manage IP access list entries for Astra DB Serverless databases with the DevOps API, use the database access list endpoints:

Edit description or enabled

Use this method to edit the description or enabled fields for one or more existing entries. You cannot edit the address because it is the unique identifier for each entry. If you need to modify the address, you can either replace all entries, or delete the existing entry and then add a new one.

  1. Get the database’s existing access list:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    A successful response includes the IP access list entries for the specified database, if any exist:

    Result
    [
      {
        "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
        "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
        "addresses": [
          {
            "address": "137.187.23.0/24",
            "enabled": true,
            "description": "This address allows the database connections from the production environment.",
            "lastUpdateDateTime": "2021-01-21T17:32:28Z"
          }
        ],
        "configurations": {
          "accessListEnabled": true
        }
      }
    ]

    To get access lists for all databases in your organization, use GET /v2/access-lists.

  2. From the response, copy the entries that you want to edit.

  3. Send a PATCH request containing the entries to update with the modified description and enabled fields:

    curl -sS -L -X PATCH "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "addresses": [
        {
          "address": "125.187.17.0/24",
          "enabled": true,
          "description": "Development"
        }
      ],
      "configurations": {
        "accessListEnabled": true
      }
    }'

    The configurations object indicates the overall enforcement of the database’s IP access list. If accessListEnabled is false, the database doesn’t restrict public access, and the access list entries are ignored.

    To disable individual entries, set enabled to false for the relevant entries in the addresses array.

  4. Recommended: Test the connection and restart applications.

Edit addresses or replace entries

To edit addresses, edit multiple entries at once, or replace all access list entries, you can upsert the access list:

  1. Get the database’s existing access list:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    A successful response includes the IP access list entries for the specified database, if any exist:

    Result
    [
      {
        "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
        "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
        "addresses": [
          {
            "address": "137.187.23.0/24",
            "enabled": true,
            "description": "This address allows the database connections from the production environment.",
            "lastUpdateDateTime": "2021-01-21T17:32:28Z"
          }
        ],
        "configurations": {
          "accessListEnabled": true
        }
      }
    ]

    To get access lists for all databases in your organization, use GET /v2/access-lists.

  2. Send a PUT request containing the entire desired access list.

    This request overwrites all access list entries with the new list provided in the request body. Make sure your request includes the entire IP access list, including new entries, modified entries, and unchanged entries.

    curl -sS -L -X PUT "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "addresses": [
        {
          "address": "ADDRESS_1",
          "enabled": true,
          "description": "Development"
        },
        {
          "address": "ADDRESS_2",
          "enabled": true,
          "description": "Test"
        },
        {
          "address": "ADDRESS_3",
          "enabled": true,
          "description": "Production"
        }
      ],
      "configurations": {
        "accessListEnabled": true
      }
    }'

  3. Recommended: Test the connection and restart applications.
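Because the PUT request overwrites the whole list, it helps to build the request body from the GET response and review what would change before sending it. The following is an added example, not DataStax code: `plan_put` and its parameters are hypothetical names, the GET response is a constructed sample in the shape shown above, and the new 125.187.18.0/24 range is made up for illustration.

```python
import json

# Constructed GET response in the shape shown on this page; IDs are placeholders.
CURRENT = json.loads("""
[{"organizationId": "ORG_ID", "databaseId": "DATABASE_ID",
  "addresses": [
    {"address": "137.187.23.0/24", "enabled": true, "description": "Production",
     "lastUpdateDateTime": "2021-01-21T17:32:28Z"},
    {"address": "125.187.17.0/24", "enabled": true, "description": "Development",
     "lastUpdateDateTime": "2021-01-21T17:32:28Z"}],
  "configurations": {"accessListEnabled": true}}]
""")

ENTRY_FIELDS = ("address", "enabled", "description")  # fields the PUT body uses


def _entry(source):
    """Keep only the request fields, dropping response-only ones."""
    return {k: source[k] for k in ENTRY_FIELDS if k in source}


def plan_put(get_response, upserts=(), remove=()):
    """Return (body, diff) for a PUT that carries over every untouched entry."""
    current = {e["address"]: _entry(e) for e in get_response[0]["addresses"]}
    desired = dict(current)
    for address in remove:
        if address not in desired:
            raise KeyError(f"{address} is not in the current list")
        del desired[address]
    for entry in upserts:
        desired[entry["address"]] = _entry(entry)
    if not desired:
        # With restriction on and no entries, no public client can connect.
        raise ValueError("refusing to build an empty access list")
    both = set(current) & set(desired)
    diff = {
        "added": sorted(set(desired) - set(current)),
        "removed": sorted(set(current) - set(desired)),
        "changed": sorted(a for a in both if current[a] != desired[a]),
        "unchanged": sorted(a for a in both if current[a] == desired[a]),
    }
    body = {"addresses": list(desired.values()),
            "configurations": {"accessListEnabled": True}}
    return body, diff


if __name__ == "__main__":
    # Move the Development range: delete the old address, add the new one.
    body, diff = plan_put(
        CURRENT,
        upserts=[{"address": "125.187.18.0/24", "enabled": True,
                  "description": "Development"}],
        remove=["125.187.17.0/24"],
    )
    print(json.dumps(diff, indent=2))
    print(json.dumps(body, indent=2))
```

Review the `removed` list in particular: any address that appears there and is still in use loses access once the PUT is applied.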

Disable or delete IP access list entries

When you disable or delete an IP access list entry, it can take a few minutes for your database to reject new traffic from that address. Existing connections can remain open for an indefinite amount of time, depending on application behavior and how the connection was established.

Delete or disable entries in the Astra Portal

  1. In the Astra Portal, click the name of the database that you want to modify.

  2. Click the Settings tab.

  3. In the IP Access List section, find the entry you want to disable or delete, click More, and then select either Disable or Delete.

  4. In the confirmation dialog, click Disable or Delete.

  5. Recommended: Test the connection and restart applications.

Delete or disable entries with the DevOps API

Disable entries

To disable an access list entry, use PATCH /v2/databases/DATABASE_ID/access-list with enabled set to false for the relevant entries.

Delete specific entries

  1. Get the database’s existing access list:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    A successful response includes the IP access list entries for the specified database, if any exist:

    Result
    [
      {
        "organizationId": "303a3598-0905-4b5d-9db2-4bf2f9790973",
        "databaseId": "8fbcfe1d-56fa-4ed0-9aff-f57029feef1b",
        "addresses": [
          {
            "address": "137.187.23.0/24",
            "enabled": true,
            "description": "This address allows the database connections from the production environment.",
            "lastUpdateDateTime": "2021-01-21T17:32:28Z"
          }
        ],
        "configurations": {
          "accessListEnabled": true
        }
      }
    ]

    To get access lists for all databases in your organization, use GET /v2/access-lists.

  2. Send a DELETE request containing the addresses to delete.

    If you don’t specify an address, the entire access list is deleted and public access is reenabled.

    curl -sS -L -X DELETE "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "addresses": [
        {
          "address": "125.187.17.0/24"
        }
      ]
    }'

  3. Recommended: Test the connection and restart applications.

Delete all entries

To delete the entire access list for a database, send a DELETE request with no body.

If you delete all entries, public access is reenabled.

curl -sS -L -X DELETE "https://api.astra.datastax.com/v2/databases/DATABASE_ID/access-list" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
