• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Serverless Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB Architecture FAQ
      • CQL for Astra
      • Astra DB glossary
      • Get support
    • Getting Started
      • Vector Search Quickstart
      • Create your database
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
    • Vector Search
      • Quickstart
      • Examples
      • Query vector data with CQL
        • Using analyzers
      • Working with embeddings
      • Indexing
      • About Vector Search
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting private endpoints
        • AWS Private Link
        • Azure Private Link
        • GCP Private Endpoints
        • Connecting custom DNS
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Connecting Legacy drivers
        • Drivers retry policies
      • Get Secure Connect Bundle
    • Migrating
      • Components
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Proxy Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
        • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Leverage metrics provided by ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
        • Cassandra Data Migrator
        • DSBulk Migrator
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Glossary
      • Contribution guidelines
      • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Delete an account
        • Bring Your Own Key
          • BYOK AWS Astra Portal
          • BYOK GCP Astra Portal
          • BYOK AWS DevOps API
          • BYOK GCP DevOps API
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Export metrics to third party
          • Export metrics via Astra Portal
          • Export metrics via DevOps API
        • Manage access lists
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing BYOK AWS
        • Managing BYOK GCP
        • Managing access list
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • API QuickStarts
      • JSON API QuickStart
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL CQL-first API QuickStart
    • Developing with APIs
      • Developing with JSON API
      • Developing with Document API
      • Developing with REST API
      • Developing with GraphQL API
        • Developing with GraphQL API (CQL-first)
        • Developing with GraphQL API (Schema-first)
      • Developing with gRPC API
        • gRPC Rust Client
        • gRPC Go Client
        • gRPC Node.js Client
        • gRPC Java Client
      • Developing with CQL API
      • Tooling Resources
      • Node.js Document Collection Client
      • Node.js REST Client
    • API References
      • Astra DB JSON API v1
      • Astra DB REST API v2
      • Astra DB Document API v2
      • Astra DB DevOps API v2
    • Integrations
    • Astra CLI
    • Astra Block
      • Quickstart
      • FAQ
      • Data model
      • About NFTs
  • DataStax Astra DB Serverless Documentation
  • Managing
  • Managing your database
  • Manage access lists

Manage access list for public endpoints

Use access lists to limit what public endpoints are able to access your database. You can choose to restrict access in one of two ways:

  • Restrict access to specific IP addresses

  • Restrict access to a range of IP addresses using Classless Inter-Domain Routing (CIDR)

When Access List is configured and active, access to these endpoints is restricted:

  • CQL, GraphQL, and REST

  • GraphQL Playground

  • Swagger

  • CQLsh

You can also manage your access list using the DevOps API.

If you are using the access list and restricting public access, these restrictions exclude the Astra internal site reliability controls.

Only Organization and Database Administrators for the database have permissions to manage the access list.

Restrict public access

By default, public access to your database is not restricted. Access to your database is possible via public internet.

  1. In your database Settings, select the toggle to restrict public access.

  2. Confirm your selection to Restrict Public Access.

As soon as you enable the 'Restrict Public Access' setting, your database is inaccessible to all internet traffic, which can disrupt any applications depending on it. To prevent downtime, promptly add the approved IP addresses or CIDR blocks to the access list. Until you add to your access list, no external connections to your database are allowed, although Private Endpoint connections remain unaffected.

Add IP address or CIDR to access list

  1. Ensure public access is restricted.

  2. Select Add Access.

  3. Select Add new endpoint.

  4. Select IP Address or CIDR from the Type menu.

    A CIDR indicates a range of IP addresses. For example, the CIDR range '192.168.0.0/16' represents the first IP address of '192.168.0.0' through the last IP address of '192.168.255.255'. The '/16' mask indicates that the first 16 bits of the IP address are static. The addresses in the CIDR range are represented by all the permutations of the last 16 bits.

  5. Enter the IP address or CIDR into the Address field.

    If you want to add you current IP address, copy it from the display and paste it into the Address field.

    All IP address must be entered in the IPv4 format, which is four decimal numbers, each ranging from 0 to 255. For example, 179.46.234.11.

  6. Optional: Add a description for the address you are adding. For example, office or home.

  7. Select Add to add the address to the access list.

It takes approximately five minutes for each address to sync and have access.

Upload list of endpoints

  1. Ensure public access is restricted.

  2. Select Add Access.

  3. Select Upload from file.

    [
  {
    "address": "10.0.0.1",
    "description": "Reader"
  },
  {
    "address": "10.0.0.1/32",
    "description": "Librarians"
  }
]

  4. Use the Select File button to find the JSON file with your access list to upload.

    You will see the list of addresses to be added to the access list.

  5. Select Import to add the addresses to your access list.

Import endpoints from database

You can import an access list from another Astra database. If you do not have another active Astra database, this option will not be available.

  1. Ensure public access is restricted.

  2. Select Add Access.

  3. Select Import from database.

  4. Select the active Astra database from which you want to import the addresses.

    You will see the list of addresses to be added to the access list.

  5. Select Import to add the addresses to your access list.

Enable or disable an endpoint

  1. Select the overflow menu for the address you want to enable or disable.

  2. Select Enable or Disable.

    The overflow menu will show the Disable option only when the address is enabled and the Enable option only when the address is disabled.

  3. Confirm your selection to Enable or Disable the endpoint.

Your access list remains active, even if all endpoints are disabled. If you want to allow public access, you must select the toggle to stop restricting public access.

Delete an endpoint

If you remove all of the addresses on your access list, your database will be accessible from the public internet, even if Restrict public access is selected.

  1. Select the overflow menu for the address you want to remove.

  2. Select Delete.

  3. Confirm your selection to Delete the endpoint.

It takes approximately five minutes for each address to sync and be removed from the access list.

Allow public access

If you stop restricting public access, access to your database is possible via public internet.

  1. Select the toggle to stop restricting public access.

  2. Confirm your selection to Enable public access.

Export metrics via DevOps API Manage multiple keyspaces

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage