Manage IP Filters on Confluent Cloud¶

Use IP filters to enhance the security of your Confluent Cloud resources by restricting access to trusted source IP addresses. IP filters use IP groups to streamline the organization of CIDR blocks into meaningful groups of source IP addresses that can access your Confluent Cloud resources. If an incoming IP address is associated with an allowed IP group, access is granted; otherwise, access is denied. By leveraging IP groups, IP filters can effectively enforce granular access control policies and help safeguard your Confluent Cloud resources from unauthorized access.

The sections below describe how to use the Confluent Cloud Console, Confluent CLI, and Confluent Cloud APIs to create, update, describe, list, and delete IP filters.

Additionally, see the following related content:

Create an IP filter¶

Before you can create an IP filter, you must have at least one IP group. An IP group defines a set of IP addresses that can access Confluent Cloud resources. To create an IP group, see Create an IP group.

Add an IP filter to control access to resources in your Confluent Cloud organization only from client IP addresses included within specified IP groups.

When an IP filter is assigned to an organization, it applies to every request to the organization, not only to specific groups of users.

Important

The first IP filter you create must include an IP group that covers the IP address of your client. To prevent you from locking yourself out of your Confluent Cloud resources, you are blocked from creating an IP filter if an existing IP filter does not include your client IP address.

Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

The IP filtering page, with the IP groups view, appears.
Click IP filters . The IP filter view appears.
Click Add IP filter. The Add IP filter page appears.
In the IP filters field, enter a name for the IP filter.
In the IP groups field of the Apply IP groups section, select the IP groups that are allowed to access this resource.
In the Scope section, the scope is set to management, which is currently the only supported scope value.

The management scope includes the management of resources in your Confluent Cloud organization, but does not include operations on those resources, such as producing and consuming messages.
Click Save and enable.

The IP filter is created and the IP filters view appears, listing the IP filter name, IP filter ID, and IP groups.

Use the confluent iam ip-filter create command (Confluent CLI reference) to create an IP filter.

For example, the following command creates a IP filter named Access from US Offices that allows access to the management scope for the ipg-12345 and ipg-67890 IP groups. Note that the --resource-group parameter is optional and defaults to management (currently, the only supported value).

confluent iam ip-filter create "Access from US Offices" \
  --ip-groups "ipg-12345,ipg-67890" \
  --resource-group "management"

+----------------+--------------------------------+
| ID             | ipf-abcde                      |
| Name           | Access from US Offices         |
| IP Groups      | ipg-12345,                     |
|                | ipg-67890                      |
| Resource Group | management                     |
+----------------+--------------------------------+

To make a request to create an IP filter, use the POST /iam/v2/ip-filters API endpoint (see Create IP filter).

Note: The PATCH method requires that you include all attributes in the request body, not just the attributes that you want to update.

For example, the following request creates a IP filter named Access from US Offices that allows access to the management resource group for the IP groups ipg-12345 and ipg-67890. Note that --resource-group is optional and defaults to management (currently, the only supported value).

curl --request POST \
  --url https://api.confluent.cloud/iam/v2/ip-filters \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH' \
  --header 'content-type: application/json' \
  --data '{"filter_name":"Access from US Offices","resource_group":"management","ip_groups":[{"id":"ipg-12345"},{"id":"ipg-67890"}]}'

{
  "api_version": "iam/v2",
  "kind": "IpFilter",
  "id": "dlz-f3a90de",
  "metadata": {
    "self": "https://api.confluent.cloud/iam/v2/ip-filters/ipf-12345",
    "resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-filter=ipf-12345",
    "created_at": "2006-01-02T15:04:05-07:00",
    "updated_at": "2006-01-02T15:04:05-07:00",
    "deleted_at": "2006-01-02T15:04:05-07:00"
  },
  "filter_name": "Management API Rules",
  "resource_group": "management",
  "ip_groups": [
    {
      "id": "ipg-12345",
      "related": "http://example.com",
      "resource_name": "http://example.com"
    },
    {
       "id": "ipg-67890",
       "related": "http://example.com",
       "resource_name": "http://example.com"
    }
  ]
}

Update an IP filter¶

Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

The IP filtering page, with the IP groups view, appears.
Click IP filters . The IP filter view appears.

#. In the table of IP filters, click the name of the IP filter that you want to update. The IP filter details page appears.

Click Edit IP filter. The IP filter fields appear.
Edit the values of your IP filter name, IP groups, and Scope, as needed, and click Save.

The IP filter is updated and the updated IP filters list reappears.

Use the confluent iam ip-filter update command (Confluent CLI reference) to update a IP filter. You can update the name of the IP filter, the IP groups, or the scope.

For example, the following command updates the name of the IP filter to Access from India Offices.

confluent iam ip-filter update ipf-abcef \
  --name "Access from India Offices"

+----------------+--------------------------------+
| ID             | ipf-cdefg                      |
| Name           | Access from India Offices      |
| IP Groups      | ipg-45612                      |
| Resource Group | management                     |
+----------------+--------------------------------+

To make a request to update an IP filter, use the PATCH /iam/v2/ip-filters/{id} API endpoint (see Update IP filter).

For example, the following request updates the name of the IP filter to Access from India Offices:

curl --request PATCH \
  --url 'https://api.confluent.cloud/iam/v2/ip-filters/ipf-cdefg' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH' \
  --header 'content-type: application/json' \
  --data '{"filter_name":"Access from India Offices","resource_group":"management","ip_groups":[{"id":"ipg-cdefg"},{"id":"ipg-defgh"}]}'

{
  "api_version": "iam/v2",
  "kind": "IpFilter",
  "id": "dlz-f3a90de",
  "metadata": {
    "self": "https://api.confluent.cloud/iam/v2/ip-filters/ipf-12345",
    "resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-filter=ipf-12345",
    "created_at": "2006-01-02T15:04:05-07:00",
    "updated_at": "2006-01-02T15:04:05-07:00",
    "deleted_at": "2006-01-02T15:04:05-07:00"
  },
  "filter_name": "Access from India Offices",
  "resource_group": "management",
  "ip_groups": [
    {
      "id": "ipg-cdefg",
      "related": "http://example.com",
      "resource_name": "http://example.com"
    },
    {
      "id": "ipg-defgh",
      "related": "http://example.com",
      "resource_name": "http://example.com"
    }
  ]
}

Describe an IP filter¶

Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

The IP filtering page, with the IP groups view, appears.
Click IP filters. The IP filters view appears.
Click the name of the IP filter that you want to view. The IP filter details page appears, showing the IP filter name, IP filter ID, and IP groups.

To return to the list of IP filters, click “IP filtering” in the breadcrumb navigation at the top of the page.

Use the confluent iam ip-filter describe command (Confluent CLI reference) to describe a IP filter. For example, the following command shows the details about the ipf-efghi IP filter:

confluent iam ip-filter describe ipf-efghi

+----------------+--------------------------------+
| ID             | ipf-efghi                      |
| Name           | Access from London Office      |
| IP Groups      | ipg-12345,                     |
|                | ipg-67890                      |
| Resource Group | management                     |
+----------------+--------------------------------+

To describe a IP filter, use the GET /iam/v2/ip-filters/{id} API endpoint (see Read an IP Group).

For example, the following request describes the ipf-efghi IP filter:

curl --request GET
  --url 'https://api.confluent.cloud/iam/v2/ip-filters/ipf-efghi' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

{
  "api_version": "iam/v2",
  "kind": "IpFilter",
  "id": "dlz-f3a90de",
  "metadata": {
    "self": "https://api.confluent.cloud/iam/v2/ip-filters/ipf-efghi",
    "resource_name": "crn://confluent.cloud/organization=9bb442c4-edef-46ac-9a41-c49e44a3fd9a/ip-filter=ipf-efghi",
    "created_at": "2006-01-02T15:04:05-07:00",
    "updated_at": "2006-01-02T15:04:05-07:00",
    "deleted_at": "2006-01-02T15:04:05-07:00"
  },
  "filter_name": "Access from London Office",
  "resource_group": "management",
  "ip_groups": [
    {
      "id": "ipf-efghi",
      "related": "http://example.com",
      "resource_name": "http://example.com"
    }
  ]
}

List IP filters¶

Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

The IP filtering page, with the IP groups view, appears.
Click IP filters. The IP filters view appears.

You can click an IP filter name to view the details.

Use the confluent iam ip-filter list command (Confluent CLI reference) to list the IP filters in your organization.

For example, the following command lists the IP filters.

confluent iam ip-filter list

     ID     |      Name                   |         CIDR Blocks
------------+-----------------------------+-----------------------------------
  ipg-34mq3 | Access from London Offices  | 168.150.200.0/24, 147.150.200.0/24
  ipg-12345 | Access from SF Office       | 1.1.1.1/32

To retrieve a list the IP filters, use the GET /iam/v2/ip-filters/ API endpoint (see List of IP Filters).

For example, the following request lists the IP filters:

curl --request GET --url https://api.confluent.cloud/iam/v2/ip-filters \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

{
  "api_version": "iam/v2",
  "kind": "IpFilterList",
  "metadata": {
    "first": "https://api.confluent.cloud/iam/v2/ip-filters",
    "last": "https://api.confluent.cloud/iam/v2/ip-filters?page_token=bcAOehAY8F16YD84Z1wT",
    "prev": "https://api.confluent.cloud/iam/v2/ip-filters?page_token=YIXRY97wWYmwzrax4dld",
    "next": "https://api.confluent.cloud/iam/v2/ip-filters?page_token=UvmDWOB1iwfAIBPj6EYb",
    "total_size": 123
  },
  "data": [
    {
      "api_version": "iam/v2",
      "kind": "IpFilter",
      "id": "dlz-f3a90de",
      "metadata": {
        "self": "https://api.confluent.cloud/iam/v2/ip-filters/ipf-12345",
        "resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-filter=ipf-12345",
        "created_at": "2006-01-02T15:04:05-07:00",
        "updated_at": "2006-01-02T15:04:05-07:00",
        "deleted_at": "2006-01-02T15:04:05-07:00"
      },
      "filter_name": "Access from SF Office",
      "resource_group": "management",
      "ip_groups": [
        {
          "id": "ipf-12345",
          "related": "http://example.com",
          "resource_name": "http://example.com"
        }
      ]
    }
  ]
}

Delete a IP filter¶

IP filters can be deleted to remove access to Confluent Cloud resources. You can also update an IP filter to remove an IP group from access.

Important

Deleting a IP filter removes the IP filter from your organization. If you delete a IP filter that is assigned to a network, the IP addresses in that network can no longer access to the resources that the IP filter controls.

If all IP filters are removed, authorized users from any source IP address can access resources in your organization.

Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

The IP filtering page, with the IP group view, appears.
Click IP filter. The IP filter view appears.
Click the IP filter name for the IP filter you want to delete. The IP filter details page appears.
Click Delete IP filter. The Delete IP filter dialog appears.
After confirming that you want to delete the specified IP filter, enter the IP filter name in the IP filter name field and click Confirm.

The IP filter is deleted and the Accounts & access page appears listing the remaining IP filters.

Use the confluent iam ip-filter delete command (Confluent CLI reference) to delete a IP filter. For example, the following command deletes the my-ip-filter IP filter:

confluent iam ip-filter delete ipf-9876

Successfully deleted IP filter ipf-9876.

To make a request to delete an IP filter, use the DELETE /iam/v2/ip-filters/{id} API endpoint (see Delete an IP Filter).

For example, the following request deletes the ipf-9876 IP filter:

curl --request DELETE
  --url 'https://api.confluent.cloud/iam/v2/ip-filters/ipf-9876' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'