Manage the DevOps API IP access list

By default, the DevOps API is accessible from any public IP address. However, you can configure the DevOps API IP access list for your organization to allow only connections from trusted IP addresses. If configured, the DevOps API automatically denies any connection attempts to and from an IP that is not included in the list.

Prerequisites

Manage the DevOps API access list with the DevOps API

Use the DevOps API DevOps access list endpoints to get, add, edit, and delete DevOps API access list entries for an Astra DB organization.

Get the current DevOps API access list

Use GET /devops-acl to view the current DevOps API access list for your organization:

curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

Add an entry or create a new DevOps API access list

Use POST /devops-acl to enable IP access list restriction and create an initial DevOps API access list. If an access list already exists, this request adds an entry to the existing list.

curl -sS --location -X POST "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '[
  {
    "address": "IP_TO_ALLOW/32",
    "description": "Test IP",
    "enabled": true
  }
]'

Replace the existing DevOps access list

Use PUT /devops-acl to replace the entire existing list with a new set of IPs. If the organization doesn’t have a DevOps API access list, this request creates a list and enables DevOps API IP access list restriction.

curl -sS --location -X PUT "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '[
  {
    "address": "IP_TO_ALLOW/32",
    "description": "first IP",
    "enabled": true
  }
]'

Update a single address in a DevOps API access list

Use PATCH /devops-acl to update a single entry in the list. The address field is the unique identifier.

curl -sS --location -X PATCH "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "address": "IP_TO_ALLOW/32",
  "description": "Three Time",
  "enabled": true
}'

Delete and disable a DevOps API access list

Use DELETE /devops-acl to delete the access list and disable IP access list restriction for the DevOps API.

Deleting the DevOps API access list diminishes your security posture because the DevOps API is accessible from any public IP address without the access list.

 
curl -sS --location -X DELETE "https://api.astra.datastax.com/v2/organizations/ORG_ID/devops-acl" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

Manage the DevOps API access list in the Astra Portal

You can manage your organization’s DevOps API IP access list in the Astra Portal.

Adding an entry to the DevOps API access list in the Astra Portal automatically enables IP access list restriction.

To add an entry to your organization’s DevOps API access list:

  1. In the Astra Portal, go to Settings, and then click Security.

  2. In the DevOps API Access List section, click Add IP address.

  3. In the Add Access dialog, enter the IP address or CIDR-notated range of IP addresses that you want to be able to access the DevOps API for your organization.

    The Current IP Address field shows the IP address you are currently using to access the Astra Portal. You can click content_paste Copy to automatically paste this address into the IP Address or CIDR field.

    Using CIDR notation

    A CIDR range indicates a range of IP addresses. For example, the CIDR range 192.168.0.0/16 represents the first IP address of 192.168.0.0 through the last IP address of 192.168.255.255. The /16 mask indicates that the first 16 bits of the IP address are static. The addresses in the CIDR range are represented by all the permutations of the last 16 bits.

    Multiple tools are available online to help you convert a range of IP addresses to CIDR.

  4. Optional: Enter a description for the access list entry.

  5. Click Add Address.

To edit, disable, or delete an entry, click more_vert More Options, and then select the action that you want to take.

Deleting all entries disables IP access list restriction for the DevOps API for your organization. This diminishes your security posture because the DevOps API is accessible from any public IP address without the access list.

See also

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com