Manage IP Groups on Confluent Cloud¶
IP groups are collections of source CIDR blocks used to define access control policies in Confluent Cloud. IP groups are used in IP filtering to help organize and manage network access rules based on specific sets of IP addresses.
IP groups provide several key benefits for organizing and managing your network access controls in Confluent Cloud:
- Reusable Address Collections: Create reusable groups of IP addresses that can be referenced across multiple IP filters, eliminating the need to repeatedly specify the same IP addresses.
- Simplified Updates: Modify IP addresses in one central location - updates to an IP group automatically apply to all IP filters using that group, reducing maintenance overhead and potential configuration errors.
- Logical Organization: Group IP addresses based on meaningful categories like office locations, data centers, or business units for better organization and management of network access rules.
- Reduced Configuration Complexity: Instead of managing long lists of individual IP addresses across multiple filters, use IP groups to create a more maintainable and scalable configuration.
The sections below describe how to use the Confluent Cloud Console, Confluent CLI, and Confluent Cloud APIs to create, update, describe, list, and delete IP groups.
Specify CIDR blocks for IP groups¶
A CIDR block is a 32-bit IP address and a netmask. For example, 192.168.1.0/24
is a CIDR block that includes all IP addresses from 192.168.1.0
to 192.168.1.255
.
The netmask 24
indicates that the first 24 bits of the provided CIDR block
are used to match incoming requests.
To specify a single IP address as a CIDR block, use the /32
suffix. For
example, if the IP address is 64.235.154.88
, to add it as a CIDR block,
specify the CIDR block as 64.235.154.88/32
. This is useful for creating
an IP group that includes a single IP address that you want to ensure is
allowed access.
When you create an IP filter, you need to make sure that the IP group that you select includes the IP address that you want to allow access from. One simple way to ensure that an IP filter includes the IP address that you are using to access Confluent Cloud is to specify your current IP address as a CIDR block in an IP group and then select that IP group in your first IP filter.
Tip
In many cases, you can get your current IP address by running the following curl command, which accesses your public IP address from the ipify API service and your visit is not logged:
curl 'https://api.ipify.org?format=json'
The response is a JSON object with your current IP address, similar to the following. Note that VPNs and other network configurations might not return your public IP address.
{
"ip": "64.235.154.88"
}
Append the /32
suffix to the IP address to create a CIDR block, and then
use this CIDR block in an IP group. For example, the following CIDR block
includes the IP address 64.235.154.88
:
"64.235.154.88/32"
Select this IP group in your first IP filter.
No Public Networks group¶
The No Public Networks group is a predefined IP group with the ID of
ipg-none
and includes a CIDR block with the single IP address
of 0.0.0.0/32
, which doesn’t exist. Because this group matches no IP
addresses, when used in an IP filter, it blocks all requests from public
networks, allowing access only from private network connections.
To create an IP filter that allows access only from private network ranges,
select the No Public Networks group and create only one IP filter per
operation group that includes this group. You cannot create any other IP
group that includes the CIDR block of 0.0.0.0/32
. For details, see
Use the predefined No Public Networks group.
Create an IP group¶
An administrator creates an IP group by adding IPv4 CIDR blocks that define a set of IP addresses. IP groups are used to restrict access to Confluent Cloud resources.
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP group view, appears.
Click Add IP group. The Add IP group page appears.
In the IP group name field, enter a name for the IP group and in the CIDR block field, enter the IP address range for the IP group. To add additional CIDR blocks, click Add CIDR block as needed.
Click Save to save the IP group. The Accounts & access page reappears displaying the IP group name, IP group ID, and CIDR blocks in the IP groups section.
When you are finished, you can use IP filters to restrict access to Confluent Cloud resources. For details, see Manage IP Filters on Confluent Cloud.
Use the confluent iam ip-group create
command
(Confluent CLI reference)
to create an IP group. The IPv4 CIDR blocks must be formatted as a comma-separated
list of one or more IPv4 CIDR blocks with no spaces between the CIDR blocks.
For example, the following command creates an IP group named
NYC Office
that includes two CIDR blocks, 168.150.200.0/24
and 147.150.200.0/24
.
confluent iam ip-group create "NYC Office" \
--cidr-blocks 168.150.200.0/24,147.150.200.0/24
The following example shows the response to the request:
+-------------+--------------------------------+
| ID | ipg-34mq3 |
| Name | NYC Office |
| CIDR Blocks | 168.150.200.0/24, |
| | 147.150.200.0/24 |
+-------------+--------------------------------+
To make a request to create an IP group, use the POST /iam/v2/ip-groups/
API endpoint (see
Create an IP Group).
For example, the following request creates an IP group named
NYC Office
that includes two CIDR blocks, 168.150.200.0/24
and 147.150.200.0/24
.
curl --request POST \
--url https://api.confluent.cloud/iam/v2/ip-groups \
--header 'Authorization: Basic REPLACE_BASIC_AUTH' \
--header 'content-type: application/json' \
--data '{"group_name":"NYC Office","cidr_blocks":["168.150.200.0/24","147.150.200.0/24"]}'
The following example shows the response to the request:
{
"api_version": "iam/v2",
"cidr_blocks": [
"168.150.200.0/24",
"147.150.200.0/24"
],
"group_name": "NYC Office",
"id": "ipg-ek49z",
"kind": "IpGroup",
"metadata": {
"created_at": "2025-03-15T23:36:34.281728Z",
"resource_name": "crn://confluent.cloud/organization=c9bc3446-0754-4d26-9fe5-c24a58e96a01/ip-group=ipg-ek49z",
"self": "https://confluent.cloud/iam/v2/ip-groups/ipg-ek49z",
"updated_at": "2025-03-15T23:36:34.281728Z"
}
}
Update an IP group¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP groups view, appears.
In the table of IP groups, click the name of the IP group under Name that you want to update. The IP group details page appears.
Click Edit IP group. The IP group details page appears.
Update the values for the current IP group name and CIDR block, click Add CIDR block to add a CIDR block to the IP group, or click “x” to the right of a CIDR block to remove the CIDR block from the IP group.
Click Save to save your IP group updates.
The IP group is updated and the Accounts & access page reappears displaying the IP group name, IP group ID, and CIDR blocks in the IP groups section.
Use the confluent iam ip-group update
command
(Confluent CLI reference)
to update an IP group.
For example, the following command updates the ipg-1234
group, changing
the IP group name to San Francisco Office
.
confluent iam ip-group update ipg-1234 \
--name "San Francisco Office"
The following example shows the response to the request:
+-------------+--------------------------------+
| ID | ipg-1234 |
| Name | San Francisco Office |
| CIDR Blocks | 168.150.200.0/24 |
+-------------+--------------------------------+
To add a CIDR block to the IP group, use the --add-cidr-blocks
flag.
In the following example, the following command adds the 147.150.200.0/24
CIDR
block to the SF Office
IP group.
confluent iam ip-group update ipg-1234 \
--add-cidr-blocks 147.150.200.0/24
The following example shows the response to the request:
+-------------+--------------------------------+
| ID | ipg-1234 |
| Name | SF Office |
| CIDR blocks | 168.150.200.0/24, |
| | 147.150.200.0/24 |
+-------------+--------------------------------+
To remove a CIDR block from the IP group, use the --remove-cidr-blocks
flag.
For example, the following command removes the 168.150.200.0/24
CIDR block from the SF Office
IP group.
confluent iam ip-group update ipg-12345 \
--remove-cidr-blocks 168.150.200.0/24
The following example shows the response to the request:
+-------------+--------------------------------+
| ID | ipg-12345 |
| Name | SF Office |
| CIDR blocks | 147.150.200.0/24 |
+-------------+--------------------------------+
To make a request to update an IP group, use the PATCH /iam/v2/ip-groups/{id}
API endpoint (see
Update an IP Group).
Note: The PATCH
method requires that you include all attributes in
the request body, not just the attributes that you want to update.
For example, the following request updates the ipg-12345
IP group, changing
the IP group name to SF Office
.
curl --request PATCH \
--url 'https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH' \
--header 'content-type: application/json' \
--data '{"group_name":"SF Office","cidr_blocks":["192.168.0.0/24","192.168.7.0/24"]}'
The following example shows the response to the request:
{
"api_version": "iam/v2",
"kind": "IpGroup",
"id": "dlz-f3a90de",
"metadata": {
"self": "https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345",
"resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-group=ipg-12345",
"created_at": "2006-01-02T15:04:05-07:00",
"updated_at": "2006-01-02T15:04:05-07:00",
"deleted_at": "2006-01-02T15:04:05-07:00"
},
"group_name": "SF Office",
"cidr_blocks": [
"192.168.0.0/24",
"192.168.7.0/24"
]
}
Describe an IP group¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP groups view, appears.
Click the name of the IP group that you want to view. The IP group details page appears, showing the IP group name, IP group ID, and CIDR blocks.
To return to the list of IP groups, click “IP filtering” in the breadcrumb navigation at the top of the page.
Use the confluent iam ip-group describe
command
(Confluent CLI reference)
to describe an IP group. For example, the following command shows the
details about the SF Office
IP group, with the ID ipg-12345
:
confluent iam ip-group describe ipg-12345
The following example shows the response to the request:
+-------------+--------------------------------+
| ID | ipg-12345 |
| Name | SF Office |
| CIDR blocks | 168.150.200.0/24, |
| | 147.150.200.0/24 |
+-------------+--------------------------------+
To make a request to describe, or read, an IP group, use the GET /iam/v2/ip-groups/{id}
API endpoint (see
Read an IP Group).
For example, the following request describes the ipg-12345
IP group.
curl --request GET \
--url 'https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'
The following example shows the response to the request:
{
"api_version": "iam/v2",
"kind": "IpGroup",
"id": "dlz-f3a90de",
"metadata": {
"self": "https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345",
"resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-group=ipg-12345",
"created_at": "2006-01-02T15:04:05-07:00",
"updated_at": "2006-01-02T15:04:05-07:00",
"deleted_at": "2006-01-02T15:04:05-07:00"
},
"group_name": "SF Office",
"cidr_blocks": [
"192.168.0.0/24",
"192.168.7.0/24"
]
}
List IP groups¶
- Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP groups are displayed showing IP group names and IP group IDs. Click on an IP group name to see the details view, which shows the IP group name, IP group ID, and CIDR blocks.
Use the confluent iam ip-group list
command
(Confluent CLI reference)
to list IP groups.
For example, the following command lists the IP groups.
confluent iam ip-group list
The following example shows the response to the request:
ID | Name | CIDR blocks
------------+----------------------+-----------------------------------
ipg-34mq3 | San Francisco Office | 168.150.200.0/24, 147.150.200.0/24
ipg-12345 | Madrid Office | 1.2.3.4/32
To retrieve a list of IP groups, use the GET /iam/v2/ip-groups/{id}
API endpoint (see
Read an IP Group).
For example, the following request lists the IP groups.
curl --request GET \
--url https://api.confluent.cloud/iam/v2/ip-groups \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'
{
"api_version": "iam/v2",
"kind": "IpGroupList",
"metadata": {
"first": "https://api.confluent.cloud/iam/v2/ip-groups",
"last": "https://api.confluent.cloud/iam/v2/ip-groups?page_token=bcAOehAY8F16YD84Z1wT",
"prev": "https://api.confluent.cloud/iam/v2/ip-groups?page_token=YIXRY97wWYmwzrax4dld",
"next": "https://api.confluent.cloud/iam/v2/ip-groups?page_token=UvmDWOB1iwfAIBPj6EYb",
"total_size": 123
},
"data": [
{
"api_version": "iam/v2",
"kind": "IpGroup",
"id": "ipg-73zpe",
"metadata": {
"self": "https://api.confluent.cloud/iam/v2/ip-groups/ipg-73zpe",
"resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-group=ipg-73zpe",
"created_at": "2023-10-27T20:35:53.476383Z",
"updated_at": "2023-11-28T18:13:57.715874Z"
},
"group_name": "New York Office",
"cidr_blocks": [
"168.150.200.0/24",
"147.150.200.0/24"
]
},
{
"api_version": "iam/v2",
"kind": "IpGroup",
"id": "ipg-31j53",
"metadata": {
"self": "https://api.confluent.cloud/iam/v2/ip-groups/ipg-31j53",
"resource_name": "crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/ip-group=ipg-31j53",
"created_at": "2023-10-27T20:37:13.535279Z",
"updated_at": "2023-11-28T18:13:57.715874Z"
},
"group_name": "Corporate VPN",
"cidr_blocks": [
"11.22.33.44/32",
"5.6.7.8/32"
]
}
]
}
Delete an IP group¶
Go to the IP filtering tab on the Accounts & access page at https://confluent.cloud/settings/org/ip-filtering.
The IP filtering page, with the IP group view, appears.
Click IP groups and then click the name of the IP group you want to delete.
The IP group details view appears.
Click Delete IP group. The Delete IP group page appears.
Enter the IP group name to confirm that you want to delete the IP group, then click Confirm.
The IP group is deleted and the IP group view appears listing the remaining IP groups.
Use the confluent iam ip-group delete
command
(Confluent CLI reference)
to delete an IP group. For example, the following command deletes
the my-ip-group
IP group:
confluent iam ip-group delete ipg-12345
To make a request to delete an IP group, use the DELETE /iam/v2/ip-groups/{id}
API endpoint (see
Delete an IP group).
For example, the following request deletes the ipg-12345
IP group.
curl --request DELETE \
--url 'https://api.confluent.cloud/iam/v2/ip-groups/ipg-12345' \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'