Manage IP Groups on Confluent Cloud¶
IP groups are collections of source CIDR blocks you use to simplify the organization of IP addresses that are allowed to access your Confluent Cloud resources. The sections below describe how to use the Confluent Cloud Console, Confluent CLI, and Confluent Cloud APIs to create, update, describe, list, and delete IP groups.
Additionally, see the following related content:
- Manage IP Filters
- Confluent CLI Reference: confluent iam ip-group
- Confluent API Reference: IP Groups
Specifying CIDR blocks for IP groups¶
The value for --cidr-blocks flag in the CLI commands must be formatted as
a comma-separated list of one or more IPv4 CIDR blocks with no spaces between the
CIDR blocks.
For example, the list of CIDR blocks must be formatted as follows:
- Single CIDR block. Example:
168.150.200.0/24 - Multiple CIDR blocks. Example:
168.150.200.0/24,147.150.200.0/24
Single IP addresses¶
If you want to specify a single IP address, you must use the /32 suffix to
specify the single IP address as a CIDR block. For example, if the IP address
is 16.12.34.56, to add it as a CIDR block, specify the CIDR block as
16.12.34.56/32.
Create an IP group¶
An admininstrator creates an IP group by adding IPv4 CIDR blocks that define a set of IP addresses. IP groups are used to restrict access to Confluent Cloud resources.
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP group view, appears.
Click Add IP group. The Add IP group page appears.
In the IP group name field, enter a name for the IP group and in the CIDR block field, enter the IP address range for the IP group. To add additional CIDR blocks, click Add CIDR block as needed.
Click Save to save the IP group. The Accounts & access page reappears displaying the IP groups in the IP grouping section.
When you are finished, you can use IP filters to restrict access to Confluent Cloud resources. For details, see Manage IP Filters on Confluent Cloud.
Use the confluent iam ip-group create command
(Confluent CLI reference)
to create an IP group. The IPv4 CIDR blocks must be formatted as a comma-separated
list of one or more IPv4 CIDR blocks with no spaces between the CIDR blocks.
For example, the following command creates an IP group named
NYC Office that includes two CIDR blocks, 168.150.200.0/24
and 147.150.200.0/24.
confluent iam ip-group create "NYC Office" \
--cidr-blocks 168.150.200.0/24,147.150.200.0/24
+-------------+--------------------------------+
| ID | ipg-34mq3 |
| Name | NYC Office |
| CIDR Blocks | 168.150.200.0/24, |
| | 147.150.200.0/24 |
+-------------+--------------------------------+
To make a request to create an IP group, use the POST /iam/v2/ip-groups/ API endpoint (see
Create an IP Group).
For example, the following request creates an IP group named
NYC Office that includes two CIDR blocks, 168.150.200.0/24 and 147.150.200.0/24.
curl --request POST \
--url https://api.confluent.cloud/iam/v2/ip-groups \
--header 'Authorization: Basic REPLACE_BASIC_AUTH' \
--header 'content-type: application/json' \
--data '{"group_name":"NYC Office","cidr_blocks":["168.150.200.0/24","147.150.200.0/24"]}'
{
"api_version": "iam/v2",
"kind": "IpGroup",
"id": "dlz-f3a90de",
"metadata": {
"self": "https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345",
"resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-group=ipg-12345",
"created_at": "2006-01-02T15:04:05-07:00",
"updated_at": "2006-01-02T15:04:05-07:00",
"deleted_at": "2006-01-02T15:04:05-07:00"
},
"group_name": "NYC Office",
"cidr_blocks": [
"168.150.200.0/24",
"147.150.200.0/24"
]
}
Update an IP group¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP group view, appears.
In the table of IP groups, click the name of the IP group under Name that you want to update. The group mapping details page appears.
Click Edit IP group. The IP group details page appears.
Update the values for the current IP group name and CIDR block, click Add CIDR block to add a CIDR block to the IP group, or click “x” to the right of a CIDR block to remove the CIDR block from the IP group.
Click Save to save your IP group updates.
The IP group is updated and the Accounts & access page reappears displaying the IP groups view. section.
Use the confluent iam ip-group update command
(Confluent CLI reference)
to update an IP group.
For example, the following command updates the ipg-1234 group, changing
the IP group name to SF Office.
confluent iam ip-group update ipg-1234 \
--name "SF Office"
+-------------+--------------------------------+
| ID | ipg-1234 |
| Name | SF Office |
| CIDR Blocks | 168.150.200.0/24 |
+-------------+--------------------------------+
To add a CIDR block to the IP group, use the --add-cidr-blocks flag.
In the following example, the following command adds the 147.150.200.0/24 CIDR
block to the SF Office IP group.
confluent iam ip-group update ipg-1234 \
--add-cidr-blocks 147.150.200.0/24
+-------------+--------------------------------+
| ID | ipg-1234 |
| Name | SF Office |
| CIDR Blocks | 168.150.200.0/24, |
| | 147.150.200.0/24 |
+-------------+--------------------------------+
To remove a CIDR block from the IP group, use the --remove-cidr-blocks
flag.
For example, the following command removes the 168.150.200.0/24
CIDR block from the SF Office IP group.
confluent iam ip-group update ipg-12345 \
--remove-cidr-blocks 168.150.200.0/24
+-------------+--------------------------------+
| ID | ipg-12345 |
| Name | SF Office |
| CIDR Blocks | 147.150.200.0/24 |
+-------------+--------------------------------+
To make a request to update an IP group, use the PATCH /iam/v2/ip-groups/{id} API endpoint (see
Update an IP Group).
Note: The PATCH method requires that you include all attributes in
the request body, not just the attributes that you want to update.
For example, the following request updates the ipg-12345 IP group, changing
the IP group name to SF Office.
curl --request PATCH \
--url 'https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH' \
--header 'content-type: application/json' \
--data '{"group_name":"SF Office","cidr_blocks":["192.168.0.0/24","192.168.7.0/24"]}'
{
"api_version": "iam/v2",
"kind": "IpGroup",
"id": "dlz-f3a90de",
"metadata": {
"self": "https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345",
"resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-group=ipg-12345",
"created_at": "2006-01-02T15:04:05-07:00",
"updated_at": "2006-01-02T15:04:05-07:00",
"deleted_at": "2006-01-02T15:04:05-07:00"
},
"group_name": "SF Office",
"cidr_blocks": [
"192.168.0.0/24",
"192.168.7.0/24"
]
}
Describe an IP group¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP groups view, appears.
Click the name of the IP group that you want to view. The IP group details page appears, showing the IP group name, IP group ID, and CIDR blocks.
To return to the list of IP groups, click “IP filtering” in the breadcrumb navigation at the top of the page.
Use the confluent iam ip-group describe command
(Confluent CLI reference)
to describe an IP group. For example, the following command shows the
details about the SF Office IP group, with the ID ipg-12345:
confluent iam ip-group describe ipg-12345
+-------------+--------------------------------+
| ID | ipg-12345 |
| Name | SF Office |
| CIDR Blocks | 168.150.200.0/24, |
| | 147.150.200.0/24 |
+-------------+--------------------------------+
To make a request to describe, or read, an IP group, use the GET /iam/v2/ip-groups/{id} API endpoint (see
Read an IP Group).
For example, the following request describes the ipg-12345 IP group.
curl --request GET \
--url 'https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'
{
"api_version": "iam/v2",
"kind": "IpGroup",
"id": "dlz-f3a90de",
"metadata": {
"self": "https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345",
"resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-group=ipg-12345",
"created_at": "2006-01-02T15:04:05-07:00",
"updated_at": "2006-01-02T15:04:05-07:00",
"deleted_at": "2006-01-02T15:04:05-07:00"
},
"group_name": "SF Office",
"cidr_blocks": [
"192.168.0.0/24",
"192.168.7.0/24"
]
}
List IP groups¶
- Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP groups are displayed showing IP group names and IP group IDs. Click on an IP group name to see the details view, which shows the IP group name, IP group ID, and CIDR blocks.
Use the confluent iam ip-group list command
(Confluent CLI reference)
to list IP groups.
For example, the following command lists the IP groups.
confluent iam ip-group list
ID | Name | CIDR Blocks
------------+---------------+-----------------------------------
ipg-34mq3 | SF Office | 168.150.200.0/24, 147.150.200.0/24
ipg-12345 | Madrid Office | 1.2.3.4/32
To retrieve a list of IP groups, use the GET /iam/v2/ip-groups/{id} API endpoint (see
Read an IP Group).
For example, the following request lists the IP groups.
curl --request GET \
--url https://api.confluent.cloud/iam/v2/ip-groups \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'
{
"api_version": "iam/v2",
"kind": "IpGroupList",
"metadata": {
"first": "https://api.confluent.cloud/iam/v2/ip-groups",
"last": "https://api.confluent.cloud/iam/v2/ip-groups?page_token=bcAOehAY8F16YD84Z1wT",
"prev": "https://api.confluent.cloud/iam/v2/ip-groups?page_token=YIXRY97wWYmwzrax4dld",
"next": "https://api.confluent.cloud/iam/v2/ip-groups?page_token=UvmDWOB1iwfAIBPj6EYb",
"total_size": 123
},
"data": [
{
"api_version": "iam/v2",
"kind": "IpGroup",
"id": "dlz-f3a90de",
"metadata": {
"self": "https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345",
"resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-group=ipg-12345",
"created_at": "2006-01-02T15:04:05-07:00",
"updated_at": "2006-01-02T15:04:05-07:00",
"deleted_at": "2006-01-02T15:04:05-07:00"
},
"group_name": "CorpNet",
"cidr_blocks": [
"192.168.0.0/24",
"192.168.7.0/24"
]
}
]
}
Delete an IP group¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP group view, appears.
Click IP groups and then click the name of the IP group you want to delete.
The IP group details view appears.
Click Delete IP group. The Delete IP group page appears.
Enter the IP group name to confirm that you want to delete the IP group, then click Confirm.
The IP group is deleted and the IP group view appears listing the remaining IP groups.
Use the confluent iam ip-group delete command
(Confluent CLI reference)
to delete an IP group. For example, the following command deletes
the my-ip-group IP group:
confluent iam ip-group delete ipg-12345
To make a request to delete an IP group, use the DELETE /iam/v2/ip-groups/{id} API endpoint (see
Delete an IP group).
For example, the following request deletes the ipg-12345 IP group.
curl --request DELETE \
--url 'https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'