Manage the DevOps API IP access list

By default, the DevOps API is accessible from any public IP address. However, you can configure the DevOps API IP access list for your organization to allow only connections from trusted IP addresses. If configured, the DevOps API automatically denies any connection attempts to and from an IP that is not included in the list.

To restrict access and manage entries in the DevOps API IP access list, you must have the Write IP Access List and Read IP Access List permissions.

Manage the DevOps API access list with the DevOps API

The DevOps API Access List endpoints have the following functionality:

  • GET: Retrieve the current DevOps API access list.

  • POST: Enable IP access list restriction and create a new access list, or add a new entry to the list.

  • PUT: Replace the existing access list with a new one.

  • PATCH: Add or update a single IP address in the access list.

  • DELETE: Delete the access list and disable IP access list restriction to the DevOps API.

Prerequisites

To use the DevOps API to manage the DevOps API IP access list, you need the following:

  • Access to the Astra DB DevOps API.

  • A valid application token for authorization.

  • cURL installed to make API requests.

Retrieve the current DevOps API access list

Use GET /devops-acl to view the current DevOps API access list for your organization.

Request:

curl --location "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ORG_TOKEN"

Add an entry or create a new DevOps API access list

Use POST /devops-acl to enable IP access list restriction and create an initial DevOps API access list. If an access list already exists, this action adds an entry to the existing list.

Request:

curl --location "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ORG_TOKEN" \
--data '[
    {
        "address": "IP_TO_ALLOW/32",
        "description": "Test IP",
        "enabled": true
    }
]'

Replace the existing DevOps access list

Use PUT /devops-acl to replace the entire existing list with a new set of IPs. This action also enables the feature, if it wasn’t previously enabled.

Request:

curl --location --request PUT "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header "Authorization: Bearer ORG_TOKEN" \
--header "Content-Type: application/json" \
--data '[
    {
        "address": "IP_TO_ALLOW/32",
        "description": "first IP",
        "enabled": true
    }
]'

Update a single address in a DevOps API access list

Use PATCH /devops-acl to update a single entry in the list. The address field is the unique identifier.

Request:

curl --location --request PATCH "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ORG_TOKEN" \
--data '{
    "address": "IP_TO_ALLOW/32",
    "description": "Three Time",
    "enabled": true
}'

Delete and disable a DevOps API access list

Use DELETE /devops-acl to delete the access list and disable IP access list restriction for the DevOps API.

Deleting the DevOps API access list diminishes your security posture because the DevOps API is accessible from any public IP address without the access list.

Request:

curl --location --request DELETE "https://api.astra.datastax.com/v2/organizations/:ORG_ID/devops-acl" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ORG_TOKEN"

Manage the DevOps API access list in the Astra Portal

You can manage your organization’s DevOps API IP access list in the Astra Portal.

Adding an entry to the DevOps API access list in the Astra Portal automatically enables IP access list restriction.

To add an entry to your organization’s DevOps API access list:

  1. In the Astra Portal, go to Settings, and then click Security.

  2. In the DevOps API Access List section, click Add IP address.

  3. In the Add Access dialog, enter the IP address or CIDR-notated range of IP addresses that you want to be able to access the DevOps API for your organization.

    The Current IP Address field shows the IP address you are currently using to access the Astra Portal. You can click Copy to automatically paste this address into the IP Address or CIDR field.

    Using CIDR notation

    A CIDR range indicates a range of IP addresses. For example, the CIDR range 192.168.0.0/16 represents the first IP address of 192.168.0.0 through the last IP address of 192.168.255.255. The /16 mask indicates that the first 16 bits of the IP address are static. The addresses in the CIDR range are all the possible values of the last 16 bits.

    Multiple tools are available online to help you convert a range of IP addresses to CIDR.

  4. Optional: Enter a description for the access list entry.

  5. Click Add Address.

To edit, disable, or delete an entry, click More Options, and then select the action that you want to take.

Deleting all entries disables IP access list restriction for the DevOps API for your organization. This diminishes your security posture because the DevOps API is accessible from any public IP address without the access list.
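
The following Python sketch is an added example, not DataStax code. It validates access list entries before they are sent as the body of a POST or PUT /devops-acl request: it rejects malformed or ambiguous CIDR ranges, reports very broad ranges, and refuses a list that would exclude the address you are managing it from. The function name build_acl, the MIN_PREFIX thresholds, and the sample addresses are assumptions of this example.

```python
import ipaddress
import json

# Assumption of this example, not an API limit: prefixes shorter than these
# are reported as too broad for an allowlist entry.
MIN_PREFIX = {4: 16, 6: 32}


def build_acl(entries, caller_ip):
    """Validate (address, description) pairs for a devops-acl request body.

    Returns (payload, warnings). Raises ValueError for a malformed CIDR, a CIDR
    with host bits set, a duplicate, or a list that does not cover caller_ip.
    """
    caller = ipaddress.ip_address(caller_ip)
    seen, payload, warnings = set(), [], []
    for address, description in entries:
        # strict=True rejects e.g. 203.0.113.7/24: bits outside the mask are
        # set, so the range the operator intended is ambiguous.
        net = ipaddress.ip_network(address, strict=True)
        if net in seen:
            raise ValueError(f"duplicate entry: {net}")
        seen.add(net)
        if net.prefixlen < MIN_PREFIX[net.version]:
            warnings.append(f"{net} covers {net.num_addresses} addresses")
        # A bare address becomes a /32 (or /128), the form the page uses.
        payload.append({"address": str(net), "description": description,
                        "enabled": True})
    # Lockout guard: the address you manage the list from must stay allowed.
    if not any(caller in net for net in seen):
        raise ValueError(f"{caller} is not covered by the new list")
    return payload, warnings


if __name__ == "__main__":
    # Constructed sample entries (documentation address ranges).
    sample = [("203.0.113.10", "CI runner"),
              ("198.51.100.0/24", "Office egress")]
    body, notes = build_acl(sample, caller_ip="198.51.100.25")
    print(json.dumps(body, indent=4))
    for note in notes:
        print("warning:", note)
```

The printed JSON array has the same shape as the --data body in the POST and PUT requests shown earlier on this page.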


© 2024 DataStax | Privacy policy | Terms of use
