Manage IP Filters on Confluent Cloud¶
Use IP filters to enhance the security of your Confluent Cloud resources by restricting access to trusted source IP addresses. IP filters use IP groups to streamline the organization of CIDR blocks into meaningful groups of source IP addresses that can access your Confluent Cloud resources. If an incoming IP address is associated with an allowed IP group, access is granted; otherwise, access is denied. By leveraging IP groups, IP filters can effectively enforce access control policies and help safeguard your Confluent Cloud resources from unauthorized access.
IP filters only impact requests from outside of Confluent Cloud and outside of your Confluent Cloud organization. IP filters do not impact requests from within your Confluent Cloud organization.
Resource scopes¶
Resource scopes allow you to apply different IP filtering rules at different levels within your Confluent Cloud organization. You can create IP filters that apply either to:
- The entire organization (organization scope)
- Specific environments (environment scope)
When IP filters exist at both organization and environment scope:
- Environment-level filters can only add additional restrictions, not remove organization-level restrictions.
- A request must satisfy both organization and environment-level filters to be allowed.
- Organization-level filters act as a baseline policy for all environments unless further restricted.
For example, if an organization has IP filters that allow access only from the production datacenters, an environment-level filter cannot override this to allow access from development networks. However, the environment-level filter could further restrict access to only a specific production datacenter.
Note
When viewing IP filters for an environment, both environment-specific filters and organization-wide filters that affect that environment will be shown to provide a complete picture of access controls.
You can specify the resource scope during the creation of an IP filter through any of these interfaces:
- Confluent Cloud Console: When you create an IP filter from the Accounts & access page, the IP filter is scoped to the entire organization. If you create the IP filter from the Environment > Network Management > For public networks page, the IP filter is scoped to that environment.
- Confluent CLI: Use the
--environmentflag to specify the environment for the IP filter. If you do not specify the--environmentflag, the IP filter applies to the entire organization. - Confluent Cloud APIs: Use the
resource_scopefield to specify the resource scope. If you do not specify this parameter, the IP filter applies to the entire organization.
The Confluent Resource Name (CRN) identifies the scope of an IP filter, which can be your entire organization or a specific environment.
An organization-scoped IP filter might have a
resource_scopevalue of:crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9aAn environment-scoped IP filter might have a
resource_scopevalue of:crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/environment=env-abc123
When you create an IP filter, you can specify a resource_scope value to
control the scope of the IP filter. The following rules apply:
- When
resource_scopeis empty (default), the IP filter applies to your entire organization. - Environment-level filters can only add additional restrictions, not remove organization-level restrictions. A request must satisfy both organization and environment-level filters to be allowed.
- IP filters at the organization level act as the baseline policy for all environments.
- Multiple IP filters at the same scope level (organization or environment) are additive, meaning they expand the set of allowed IP addresses. For example, if one filter allows access from IP group A and another filter at the same scope allows access from IP group B, requests from either IP group A or B are permitted.
- When a resource scope is specified, it is immutable and cannot be changed after the IP filter is created.
Operation groups¶
Operation groups are used to specify the operations that the IP filter applies to. Each operation group is a collection of operations that can be controlled collectively by an IP filter. For each IP filter, you must select one or more operation groups to control which operations the IP filter applies to.
You can specify operation groups when creating an IP filter through any of these interfaces:
- Confluent Cloud Console: Select operation groups in the Operation groups section when adding a new IP filter.
- Confluent CLI: Use the
--operationsflag to specify operation groups when creating an IP filter. - Confluent Cloud APIs: Include operation groups using the
operation_groupsfield in your API request. To be able to specify operation groups, you must include theresource_groupfield in your API request, with a value ofmultiple. This indicates that operation groups are defined using theoperation_groupsfield.
Operation group names and identifiers¶
The following tables list the names and identifiers for the operation groups that are currently available and reserved for future use.
| Category | Operation group | Identifier |
|---|---|---|
| Management | Resource management | management |
| Management | Schema management | schema |
| Data | Flink | flink |
| Category | Operation group | Identifier |
|---|---|---|
| Management | Catalog management | catalog |
| Management | Kafka Management | kafka_management |
| Monitoring | Logging | logs |
| Monitoring | Metrics | metrics |
| Data | Kafka produce and consume | kafka_data |
| Data | ksqlDB | ksql |
Operation group API operations¶
The following sections list the API operations for each operation group.
Resource management¶
The Resource management operation group covers all management operations
requested from the resource management APIs available through api.confluent.cloud.
For a list of supported APIs, click the following link to expand and display the list,
or click the link again to collapse the list.
Resource management APIs (api.confluent.cloud) - Supported by IP Filtering
- ORG API (V2)
- Organizations (org/v2)
- Environments (org/v2)
- IDENTITY ACCESS MANAGEMENT (v2)
- API Key (iam/v2)
- Users (iam/v2)
- Service Accounts (iam/v2)
- Invitations (iam/v2)
- IP Groups (iam/v2)
- IP Filters (iam/v2)
- Role Bindings (iam/v2)
- Identity Providers (iam/v2)
- Jwks (iam/v2)
- Identity Pools (iam/v2)
- Group Mappings (iam/v2/sso)
- BRING YOUR OWN KEY (BYOK) MANAGEMENT (V1)
- Keys (byok/v1)
- CLUSTER MGMT FOR KAFKA (V2)
- Clusters (cmk/v2)
- CLUSTER MGMT FOR SCHEMA REGISTRY (V2)
- Regions (srcm/v2)
- Clusters (srcm/v2)
- COMPUTE POOL MGMT FOR FLINK (V2)
- Compute Pools (fcpm/v2)
- Regions (fcpm/v2)
- CLUSTER MGMT FOR KSQLDB (V2)
- Clusters (ksqldbcm/v2)
- CONNECT API (V1)
- Connectors (connect/v1)
- Lifecycle (connect/v1)
- Status (connect/v1)
- Managed Connector Plugins (connect/v1)
- Presigned Urls (connect/v1)
- STREAM SHARING API (V1)
- Provider Shared Resources (cdx/v1)
- Provider Shares (cdx/v1)
- Consumer Shared Resources (cdx/v1)
- Consumer Shares (cdx/v1)
- Shared Tokens (cdx/v1)
- Opt Ins (cdx/v1)
- NETWORKING (V1)
- Networks (networking/v1)
- Peerings (network/v1)
- Transit Gateway Attachments (networking/v1)
- Private Link Accesses (networking/v1)
- Network Link Services (networking/v1)
- Network Link Endpoints (networking/v1)
- Network Link Service Associations (networking/v1)
- IP Addresses (networking/v1)
- Private Link Attachments (networking/v1)
- Private Link Attachment Connections (networking/v1)
- NOTIFICATIONS API (V1)
- Subscriptions (notifications/v1)
- Integrations (notifications/v1)
- Notification Types (notifications/v1)
- SECURITY TOKEN SERVICE (V1)
- OAuth Tokens (sts/v1)
- SERVICE QUOTA API (V1)
- Applied Quotas (service-quota/v1)
- Scopes (service-quota/v1)
- KAFKA QUOTA (V1)
- Client Quotas (kafka-quotas/v1)
- BILLING API (V1)
- Costs (billing/v1)
- PARTNER API (V2)
- Entitlements (partner/v2)
- Organizations (partner/v2)
- Signup (partner/v2)
Schema management¶
The Schema management operation group covers all operations related to schema management.
The following SCHEMA REGISTRY API (v1) operations are supported:
- Compatibility (v1)
- Config (v1)
- Contexts (v1)
- Exporters (v1)
- Modes (v1)
- Schemas (v1)
- Subjects (v1)
Flink¶
The Flink operation group covers all operations related to Apache Flink data used in Confluent Cloud for Apache Flink.
- IP filters only restrict public access, not private networking access.
- IP Filters only apply to Flink resources (statements and workspaces), but access to Kafka is governed by the type of clusters.
The following Flink REST API and Confluent Cloud Console operations are supported:
- Statements (sql/v1)
- Workspaces access using the Confluent Cloud Console. Note that to run a Flink statement on a Kafka cluster with private networking, or to retrieve Statement Results or statement exceptions for these clusters, you must use a private endpoint. For details, see Enable Private Networking with Confluent Cloud for Apache Flink.
Use the predefined No Public Networks group¶
You can use the predefined No Public Networks group to create an IP filter that prevents access from public networks and allows access only from private network connections. You can select this option in the following interfaces:
- Confluent Cloud Console: Select the No Public Networks group in the drop-down list in the IP groups field of the Apply IP groups section.
- Confluent CLI: Use the
--no-public-networksflag (without the--ip-groupsflag) to specify the No Public Networks group. When you add this flag, the IP group ID is automatically set toipg-none. - Confluent Cloud APIs: Include the No Public Networks group in the
ip_groupsfield of the request body by setting theidtoipg-none.
When you create an IP filter with the No Public Networks group, the following constraints apply:
- For each operation group, an IP filter allowing “No Public Networks” cannot be combined with any other IP filters.
- The No Public Networks group cannot be combined with other IP groups when defining an IP filter.
- The No Public Networks group cannot be applied to operation groups without private networking support (currently “management”), as it would block all access..
When you attempt to use the No Public Networks group in an IP filter, creating or updating the IP filter will fail if you:
- Include other IP groups in the same IP filter as the No Public Networks group.
- Have existing IP filters with overlapping operation groups that reference IP groups other than the No Public Networks group.
Create an IP filter¶
Before you can define an IP filter that allows specific access, you must define at least one IP group. An IP group defines a set of IP addresses that can access Confluent Cloud resources. To create an IP group, see Create an IP group.
You can add an IP filter to control access either organization-wide or to a specific environment in your Confluent Cloud organization. In the CLI and API, IP filters are applied organization-wide. If you assign an environment resource scope to an IP filter, it adds restrictions specific to that environment while still enforcing any organization-level filters. For details, see Resource scopes.
You must also specify the operation groups that your IP filter applies to. Operation groups are collections of operations or API calls that can be controlled collectively by an IP filter. For details, see Operation groups.
Access is granted only to client IP addresses included within specified IP groups. The operation groups and resource scope determine which operations the IP filter affects. Using the combination of IP groups, operation groups, and resource scope, you can use IP filters to restrict access to your Confluent Cloud resources.
Important
The first IP filter you create that includes the operation group “management” must include an IP group that covers the IP address of your client. You are prevented from creating an IP filter that would block access your own access to managing IP filters. For more details and a tip on how to specify a CIDR block for your current IP address, see Specify CIDR blocks for IP groups.
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP groups view, appears.
Click IP filters . The IP filter view appears.
Click Add IP filter. The Add IP filter page appears.
In the IP filters field, enter a name for the IP filter.
In the IP groups field of the Apply IP groups section, select the IP groups that are allowed to access this resource. You must include at least one IP group.
In the drop-down list, you can select from the IP groups that you have already created or the predefined No Public Networks group.
The predefined No Public Networks group excludes all public IP addresses, allowing access only from private network connections.
- To allow no public network access, use this group with only one IP filter per operation group.
- You cannot use the No Public Networks group with any other IP groups.
In the Operation groups section, select the operation groups that are allowed to access this resource. Under the Management operation group, select from the currently available operation groups that are allowed to access this resource.
The operation groups listed include:
- Management
- Resource management - Includes the management of resources in your Confluent Cloud organization, but does not include operations on those resources, such as producing and consuming messages.
- Schema management
- Monitoring
- Logs (Not configurable)
- Metrics (Not configurable)
- Data
- Flink
- Kafka (Not configurable)
- ksqlDB (Not configurable)
- Management
Click Save and enable.
The IP filter is created and the IP filters view appears, listing the IP filter name, operation groups, IP filter ID, and IP groups.
To prevent you from blocking access to your Confluent Cloud resources, you cannot create an IP filter covering the resource management operation group if an existing IP filter does not include your client IP address. If you try to create an IP filter that does not include your client IP address, an error message appears stating “This IP filter would block access from your current IP address (<your-ip-address>) and is not allowed.”
Use the confluent iam ip-filter create command
(Confluent CLI reference)
to create an IP filter.
For example, the following command creates an IP filter named
Corporate Office Access that allows access to the management
operation group for the ipg-73zpe and ipg-31j53 IP groups. Note
that the --operations flag is optional and defaults to the management
operation group.
To prevent access from public networks, use the --no-public-networks
flag (without the --ip-groups flag). The following example shows how to
create an IP filter that prevents access from public networks, but allows
access to the schema operation group:
confluent iam ip-filter create "No Public Access" \
--no-public-networks \
--operations schema
The following example shows the response to the request:
+------------------+-------------------------------------------------------------------------+
| ID | ipf-wjqxe |
| Name | No Public Access |
| Resource Group | multiple |
| IP Groups | ipg-none |
| Operation Groups | SCHEMA |
| Resource Scope | crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01 |
+------------------+-------------------------------------------------------------------------+
Note the following:
* The ``Resource Group`` field is deprecated, but is still displayed for
backward compatibility.
* The ``Resource Scope`` field shows that this IP filter applies to the
entire organization.
* The ``IP Groups`` field shows "ipg-none", which is the predefined IP
group that prevents access from public networks.
* The ``Operation Groups`` field shows "SCHEMA" because the IP filter
applies to the ``schema`` operation group. When you use the
``--no-public-networks`` flag, you cannot specify "management" as an
operation group because it would block access to your own access to
your |ccloud| organization.
To allow access to the management operation group for the ipg-73zpe
and ipg-31j53 IP groups, use the following command:
confluent iam ip-filter create "US Offices" \
--ip-groups "ipg-12345,ipg-67890" \
--operations management
The following example shows the response to the request:
+----------------+-------------------------------------------------------------------------+
| ID | ipf-abcde |
| Name | US Offices |
| Resource Group | multiple |
| IP Groups | ipg-12345,ipg-67890 |
| Operations | MANAGEMENT |
| Resource Scope | crn://confluent.cloud/organization=c9bc3445-1865-4e27-9fe5-c23a58e96a10 |
+----------------+-------------------------------------------------------------------------+
Note the following:
- The
Resource Groupfield shows “multiple” because the IP filter applies to multiple operation groups. This field is deprecated, but is still displayed for backward compatibility. - The
Resource Scopefield shows that this IP filter applies to the entire organization.
To add an IP filter that allows access to schema management in Confluent Cloud,
you can use the confluent iam ip-filter create command with the
appropriate flags.
confluent iam ip-filter create "schema management access" \
--operations schema \
--ip-groups ipg-123abc,ipg-456def
The following example shows the response to the request:
+------------------+-------------------------------------------------------------------------+
| ID | ipf-ek2le |
| Name | schema management access" |
| Resource Group | multiple |
| IP Groups | ipg-123abc, ipg-456def |
| Operation Groups | SCHEMA |
| Resource Scope | crn://confluent.cloud/organization=c9bc3445-1865-4e27-9fe5-c23a58e96a10 |
+------------------+-------------------------------------------------------------------------+
In this command:
schema management accessis the name of the IP filter you are creating.--operations schemaspecifies that the filter applies to schema management operations.--ip-groups ipg-123abc, ipg-456deflists the IP groups that are allowed access.
To apply this filter to a specific environment, you can add the --environment parameter:
confluent iam ip-filter create "schema management access" \
--environment env-987xyz \
--operations schema \
--ip-groups ipg-123abc,ipg-456def
The following example shows the response to the request:
+------------------+------------------------------------------------------------------------------------------------+
| ID | ipf-3g793 |
| Name | schema management access |
| Resource Group | multiple |
| IP Groups | ipg-123abc, ipg-456def |
| Operation Groups | SCHEMA |
| Resource Scope | crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/environment=env-987xyz |
+------------------+------------------------------------------------------------------------------------------------+
Note that now the Resource Scope field shows the environment to which
this IP filter applies. Environment-level filters can only add additional
restrictions on top of organization-level filters (which act as your baseline
policy), and requests must satisfy both levels of filtering to be allowed access.
To make a request to create an IP filter, use the POST /iam/v2/ip-filters
API endpoint (see
Create IP filter).
Note: The PATCH method requires that you include all attributes in
the request body, not just the attributes that you want to update.
For example, the following request creates a IP filter named US Offices
that allows access to the management operation group for the IP groups
ipg-12345 and ipg-67890. Note that the operation_groups field
is optional and defaults to the management operation group.
curl --request POST \
--url https://api.confluent.cloud/iam/v2/ip-filters \
--header 'Authorization: Basic MldHVkdWSTRVUUQzMjZFTzpaSFYvdjFmRlpiTXZBaWIzNDcxaklaTTRHdVJUT3VieDBGdUk4bXJFV3ozbFpkL1IrUnQ5ZkdMTnNkaUVSbXR4' \
--header 'content-type: application/json' \
--data '{"filter_name":"US Offices","resource_group":"multiple","operation_groups":["management"],"ip_groups":[{"id":"ipg-3rrky"},{"id":"ipg-wvppw"}]}'
Note the following:
- The
idfield is the ID of the IP filter. - The
ip_groupsfield is an array of IP groups that are allowed access. - The
resource_groupfield is required here and must be set tomultipleto indicate to use theoperation_groupsfor the IP filter. - The
resource_scopefield is optional and defaults to the organization. If you specify an environment, the IP filter applies to that environment.
The following example shows the response to the request:
{
"api_version": "iam/v2",
"filter_name": "US Offices",
"id": "ipf-3zpje",
"ip_groups": [
{
"id": "ipg-3rrky",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-3rrky",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-3rrky"
},
{
"id": "ipg-wvppw",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-wvppw",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-wvppw"
}
],
"kind": "IpFilter",
"metadata": {
"created_at": "2025-03-15T22:34:02.906282Z",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-filter=ipf-3zpje",
"self": "https://confluent.cloud/iam/v2/ip-filters/ipf-3zpje",
"updated_at": "2025-03-15T22:34:02.906282Z"
},
"operation_groups": [
"MANAGEMENT"
],
"resource_group": "multiple",
"resource_scope": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96"
}
Update an IP filter¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP groups view, appears.
Click IP filters . The IP filter view appears.
#. In the table of IP filters, click the name of the IP filter that you want to update. The IP filter details page appears.
- Click Edit IP filter. The IP filter fields appear.
- Edit the values of your IP filter name, IP groups, and Operation groups, as needed, and click Save.
The IP filter is updated and the updated IP filters list reappears.
Use the confluent iam ip-filter update command
(Confluent CLI reference)
to update a IP filter. You can update the name of the IP filter, the IP
groups, or the scope.
For example, the following command updates the name of the IP filter
to India Offices.
confluent iam ip-filter update ipf-abcef \
--name "India Offices"
The following example shows the response to the request:
+------------------+-------------------------------------------------------------------------+
| ID | ipf-abcef |
| Name | India Offices |
| Resource Group | multiple |
| IP Groups | ipg-386rv, ipg-3rrky |
| Operation Groups | MANAGEMENT |
| Resource Scope | crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01 |
+------------------+-------------------------------------------------------------------------+
In this example, the IP filter is updated to show the name India Offices.
To make a request to update an IP filter, use the PATCH /iam/v2/ip-filters/{id} API endpoint (see
Update IP filter).
For example, the following request updates the name of the IP filter
to India Offices. The data in the request body must include the
filter_name, resource_group, and ip_groups.
curl --request PATCH \
--url 'https://api.confluent.cloud/iam/v2/ip-filters/ipf-abcef' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH' \
--header 'content-type: application/json' \
--data '{"filter_name":"India Offices","operation_groups":"management","ip_groups":[{"id":"ipg-cdefg"},{"id":"ipg-defgh"}]}'
The following example shows the response to the request, with the updated
filter name India Offices:
{
"api_version": "iam/v2",
"filter_name": "India Offices",
"id": "ipf-abcef",
"ip_groups": [
{
"id": "ipg-3rrky",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-3rrky",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-3rrky"
},
{
"id": "ipg-wvppw",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-wvppw",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-wvppw"
}
],
"kind": "IpFilter",
"metadata": {
"created_at": "2025-03-15T22:44:19.045344Z",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-filter=ipf-3191e",
"self": "https://confluent.cloud/iam/v2/ip-filters/ipf-3191e",
"updated_at": "2025-03-15T23:04:17.982376Z"
},
"operation_groups": [
"MANAGEMENT"
],
"resource_group": "multiple",
"resource_scope": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01"
}
Describe an IP filter¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP groups view, appears.
Click IP filters. The IP filters view appears.
Click the name of the IP filter that you want to view. The IP filter details page appears, showing the IP filter name, IP filter ID, and IP groups.
To return to the list of IP filters, click “IP filtering” in the breadcrumb navigation at the top of the page.
Use the confluent iam ip-filter describe command
(Confluent CLI reference)
to describe a IP filter. For example, the following command shows the
details about the ipf-abcef IP filter:
confluent iam ip-filter describe ipf-abcef
The following example shows the response to the request:
+------------------+-------------------------------------------------------------------------+
| ID | ipf-abcef |
| Name | India Offices |
| Resource Group | multiple |
| IP Groups | ipg-3rrky, ipg-wvppw |
| Operation Groups | MANAGEMENT |
| Resource Scope | crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01 |
+------------------+-------------------------------------------------------------------------+
To describe a IP filter, use the GET /iam/v2/ip-filters/{id} API endpoint (see
Read an IP Group).
For example, the following request describes the ipf-abcef IP filter:
curl --request GET
--url 'https://api.confluent.cloud/iam/v2/ip-filters/ipf-abcef' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'
The following example shows the response to the request:
{
"api_version": "iam/v2",
"filter_name": "India Offices",
"id": "ipf-abcef",
"ip_groups": [
{
"id": "ipg-3rrky",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-3rrky",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-3rrky"
},
{
"id": "ipg-wvppw",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-wvppw",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-wvppw"
}
],
"kind": "IpFilter",
"metadata": {
"created_at": "2025-03-15T22:44:19.045344Z",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-filter=ipf-3191e",
"self": "https://confluent.cloud/iam/v2/ip-filters/ipf-3191e",
"updated_at": "2025-03-15T23:04:17.982376Z"
},
"operation_groups": [
"MANAGEMENT"
],
"resource_group": "multiple",
"resource_scope": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01"
}
List IP filters¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP groups view, appears.
Click IP filters. The IP filters view appears.
You can click an IP filter name to view the details.
Use the confluent iam ip-filter list command
(Confluent CLI reference)
to list the IP filters in your organization.
For example, the following command lists the IP filters.
confluent iam ip-filter list
The following example shows the response to the request:
ID | Name | Resource Group | IP Groups | Operation Groups | Resource Scope
------------+---------------+----------------+----------------------+------------------+--------------------------------------------------------------------------
ipf-abcef | India Offices | multiple | ipg-3rrky, ipg-wvppw | MANAGEMENT | crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01
ipf-xyz12 | US Offices | multiple | ipg-4abcd | MANAGEMENT | crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01
To retrieve a list the IP filters, use the GET /iam/v2/ip-filters/ API endpoint (see
List of IP Filters).
For example, the following request lists the IP filters:
curl --request GET --url https://api.confluent.cloud/iam/v2/ip-filters \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'
The following example shows the response to the request:
{
"api_version": "iam/v2",
"data": [
{
"filter_name": "India Offices",
"id": "ipf-abcef",
"ip_groups": [
{
"id": "ipg-3rrky",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-3rrky",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-3rrky"
},
{
"id": "ipg-wvppw",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-wvppw",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-wvppw"
}
],
"metadata": {
"created_at": "2025-03-15T22:44:19.045344Z",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-filter=ipf-abcef",
"self": "https://confluent.cloud/iam/v2/ip-filters/ipf-abcef",
"updated_at": "2025-03-15T23:04:17.982376Z"
},
"operation_groups": [
"MANAGEMENT"
],
"resource_group": "multiple",
"resource_scope": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01"
},
{
"filter_name": "US Offices",
"id": "ipf-xyz12",
"ip_groups": [
{
"id": "ipg-4abcd",
"related": "https://confluent.cloud/iam/v2/ip-groups/ipg-4abcd",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-4abcd"
}
],
"metadata": {
"created_at": "2025-03-15T22:44:19.045344Z",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-filter=ipf-xyz12",
"self": "https://confluent.cloud/iam/v2/ip-filters/ipf-xyz12",
"updated_at": "2025-03-15T23:04:17.982376Z"
},
"operation_groups": [
"MANAGEMENT"
],
"resource_group": "multiple",
"resource_scope": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01"
}
],
"kind": "IpFilterList",
"metadata": {
"first": "https://confluent.cloud/iam/v2/ip-filters",
"next": ""
}
}
Delete a IP filter¶
IP filters can be deleted to remove access to Confluent Cloud resources. You can also update an IP filter to remove an IP group from access.
Important
Deleting a IP filter removes the IP filter from your organization. If you delete a IP filter that is assigned to a network, the IP addresses in that network can no longer access to the resources that the IP filter controls.
If all IP filters are removed, authorized users from any source IP address can access resources in your organization.
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP group view, appears.
Click IP filter. The IP filter view appears.
Click the IP filter name for the IP filter you want to delete. The IP filter details page appears.
Click Delete IP filter. The Delete IP filter dialog appears.
After confirming that you want to delete the specified IP filter, enter the IP filter name in the IP filter name field and click Confirm.
The IP filter is deleted and the Accounts & access page appears listing the remaining IP filters.
Use the confluent iam ip-filter delete command
(Confluent CLI reference)
to delete a IP filter. For example, the following command deletes
the my-ip-filter IP filter:
confluent iam ip-filter delete ipf-9876
Successfully deleted IP filter ipf-9876.
To make a request to delete an IP filter, use the DELETE /iam/v2/ip-filters/{id} API endpoint (see
Delete an IP Filter).
For example, the following request deletes the ipf-9876 IP filter:
curl --request DELETE
--url 'https://api.confluent.cloud/iam/v2/ip-filters/ipf-9876' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'
When you run the DELETE request, nothing is returned. You can verify that
the IP filter was deleted by running the confluent iam ip-filter list.