Manage IP Groups on Confluent Cloud

IP groups are collections of source CIDR blocks used to define access control policies in Confluent Cloud. IP groups are used in IP filtering to help organize and manage network access rules based on specific sets of IP addresses.

IP groups provide several key benefits for organizing and managing your network access controls in Confluent Cloud:

  • Reusable Address Collections: Create reusable groups of IP addresses that can be referenced across multiple IP filters, eliminating the need to repeatedly specify the same IP addresses.
  • Simplified Updates: Modify IP addresses in one central location - updates to an IP group automatically apply to all IP filters using that group, reducing maintenance overhead and potential configuration errors.
  • Logical Organization: Group IP addresses based on meaningful categories like office locations, data centers, or business units for better organization and management of network access rules.
  • Reduced Configuration Complexity: Instead of managing long lists of individual IP addresses across multiple filters, use IP groups to create a more maintainable and scalable configuration.

The sections below describe how to use the Confluent Cloud Console, Confluent CLI, and Confluent Cloud APIs to create, update, describe, list, and delete IP groups.

Specify CIDR blocks for IP groups

A CIDR block is a 32-bit IP address and a netmask. For example, 192.168.1.0/24 is a CIDR block that includes all IP addresses from 192.168.1.0 to 192.168.1.255. The netmask 24 indicates that the first 24 bits of the provided CIDR block are used to match incoming requests.

To specify a single IP address as a CIDR block, use the /32 suffix. For example, if the IP address is 64.235.154.88, to add it as a CIDR block, specify the CIDR block as 64.235.154.88/32. This is useful for creating an IP group that includes a single IP address that you want to ensure is allowed access.

When you create an IP filter, you need to make sure that the IP group that you select includes the IP address that you want to allow access from. One simple way to ensure that an IP filter includes the IP address that you are using to access Confluent Cloud is to specify your current IP address as a CIDR block in an IP group and then select that IP group in your first IP filter.

Tip

In many cases, you can get your current IP address by running the following curl command, which accesses your public IP address from the ipify API service and your visit is not logged:

curl 'https://api.ipify.org?format=json'
Copy

The response is a JSON object with your current IP address, similar to the following. Note that VPNs and other network configurations might not return your public IP address.

{
   "ip": "64.235.154.88"
}
Copy

Append the /32 suffix to the IP address to create a CIDR block, and then use this CIDR block in an IP group. For example, the following CIDR block includes the IP address 64.235.154.88:

"64.235.154.88/32"
Copy

Select this IP group in your first IP filter.

No Public Networks group

The No Public Networks group is a predefined IP group with the ID of ipg-none and includes a CIDR block with the single IP address of 0.0.0.0/32, which doesn’t exist. Because this group matches no IP addresses, when used in an IP filter, it blocks all requests from public networks, allowing access only from private network connections.

To create an IP filter that allows access only from private network ranges, select the No Public Networks group and create only one IP filter per operation group that includes this group. You cannot create any other IP group that includes the CIDR block of 0.0.0.0/32. For details, see Use the predefined No Public Networks group.

Create an IP group

An administrator creates an IP group by adding IPv4 CIDR blocks that define a set of IP addresses. IP groups are used to restrict access to Confluent Cloud resources.

  1. Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

    The IP filtering page, with the IP group view, appears.

  2. Click Add IP group. The Add IP group page appears.

  3. In the IP group name field, enter a name for the IP group and in the CIDR block field, enter the IP address range for the IP group. To add additional CIDR blocks, click Add CIDR block as needed.

  4. Click Save to save the IP group. The Accounts & access page reappears displaying the IP group name, IP group ID, and CIDR blocks in the IP groups section.

When you are finished, you can use IP filters to restrict access to Confluent Cloud resources. For details, see Manage IP Filters on Confluent Cloud.

Update an IP group

  1. Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

    The IP filtering page, with the IP groups view, appears.

  2. In the table of IP groups, click the name of the IP group under Name that you want to update. The IP group details page appears.

  3. Click Edit IP group. The IP group details page appears.

  4. Update the values for the current IP group name and CIDR block, click Add CIDR block to add a CIDR block to the IP group, or click “x” to the right of a CIDR block to remove the CIDR block from the IP group.

  5. Click Save to save your IP group updates.

The IP group is updated and the Accounts & access page reappears displaying the IP group name, IP group ID, and CIDR blocks in the IP groups section.

Describe an IP group

  1. Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

    The IP filtering page, with the IP groups view, appears.

  2. Click the name of the IP group that you want to view. The IP group details page appears, showing the IP group name, IP group ID, and CIDR blocks.

To return to the list of IP groups, click “IP filtering” in the breadcrumb navigation at the top of the page.

List IP groups

  1. Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

The IP groups are displayed showing IP group names and IP group IDs. Click on an IP group name to see the details view, which shows the IP group name, IP group ID, and CIDR blocks.

Delete an IP group

  1. Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.

    The IP filtering page, with the IP group view, appears.

  2. Click IP groups and then click the name of the IP group you want to delete.

    The IP group details view appears.

  3. Click Delete IP group. The Delete IP group page appears.

  4. Enter the IP group name to confirm that you want to delete the IP group, then click Confirm.

The IP group is deleted and the IP group view appears listing the remaining IP groups.