IP Filtering on Confluent Cloud

IP Filtering is an authorization feature that provides Confluent Cloud organizations with enhanced security by allowing access to your resources only from trusted source networks. You can create IP filters for your Confluent Cloud organization that allow inbound requests based on the included IP groups (lists of CIDR blocks) defining your trusted source networks. All incoming API requests that originate from IP addresses not included in your IP filters are denied.

IP Filtering Overview

By default, publicly networked Confluent Cloud resources are accessible from any source IP address. You can use IP Filtering to restrict access to your Confluent Cloud resources from only trusted source networks and enhance security.

IP Filtering applies only to requests made over public networks. You cannot use IP Filtering to limit requests made over private network connections.

Some of the benefits of using IP Filtering in Confluent Cloud include:

  • Reduced attack surface for your Confluent Cloud resources: IP Filtering reduces the attack surface for your Confluent Cloud resources by restricting access to only trusted source networks.
  • Reduced risk of unauthorized access: IP Filtering reduces the risk of unauthorized access to your Confluent Cloud resources by restricting access to only trusted source networks. IP Filtering provides a second layer of protection for your Confluent Cloud resources if a credential for a user or service account is compromised.
  • Enhanced visibility into suspicious activity: Because every public request is checked against your IP filters, any attempt to access your Confluent Cloud resources from an IP address not covered by them is denied and recorded in your Confluent Cloud audit log, giving you a clear signal of suspicious activity.

The key components of IP Filtering that you should understand are:

  • IP group: The list of CIDR blocks specifying the trusted source networks. IP groups are used to create IP filters that control access to Confluent Cloud resources.

  • IP filter: The set of IP groups associated with a resource scope. IP filters define which IP groups are allowed to access operations within a given scope.

  • Resource scope: The scope of resources covered by IP filters. Two resource scopes are available:

    • Organization: Covers all resources in the Confluent Cloud organization.
    • Environment: Covers all resources in a specific Confluent Cloud environment.

  • Operation group: The set of operations that are allowed by an IP filter. The following operation groups are available:

    • Resource management: Covers all management operations
    • Schema management: Covers schema management operations

    For details, see Operation groups.

Example

Assume that Julia manages the Confluent Cloud organization for her company and wants to ensure that management operations can be performed only from trusted network locations.

  1. Julia collects a list of the CIDR blocks that represent the trusted network locations for her company.
  2. She creates an IP group for each trusted network location, naming each IP group to match the trusted network location. For example, she creates an IP group named “SF Office” for the trusted network location of her company’s San Francisco office. And, another IP group named “Corp VPN” for the trusted network location of her company’s corporate VPN.
  3. Next, Julia creates an IP filter and adds the IP groups for the trusted network locations to the IP filter. She names the IP filter “Allow Corporate Offices and VPN” to indicate that it permits access from the corporate location networks and the VPN. She also associates the IP filter with the “management” operations group, which restricts operations to the management of Confluent Cloud resources.
  4. Finally, Julia verifies that the IP filter is working as expected by doing the following:
    • Attempt to access her Confluent Cloud resources from an IP address included in her IP filters.
    • Attempt to access her Confluent Cloud resources from an IP address not included in her IP filters. These attempts are denied.
    • Check the Confluent Cloud audit log to confirm that her test attempts from IP addresses not included in her IP filters were denied, as expected, and were recorded.

Steps to implement IP filtering

To use the IP Filtering feature, you must perform the following steps:

  1. Create IP groups that represent trusted source networks.
  2. Create IP filters that associate the allowed IP groups or the predefined No Public Networks IP group with the resource scope and operation groups.
  3. Verify that your IP filters work as expected by attempting to access your Confluent Cloud resources from an IP address not included in them. If the filters are working, the attempt is denied and the Confluent Cloud audit log records it.
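The following model of the evaluation rules described above (IP groups, a filter bound to an operation group, the public-network-only rule, and the audit record for denied attempts) is an added illustration, not Confluent code, and does not call the Confluent API. The CIDR blocks, the operation-group labels "management" and "schema", and the audit-record shape are constructed assumptions; Julia's groups and filter from the example are reproduced for the walkthrough.

```python
"""Model of the IP Filtering semantics described on this page (illustration only)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


def is_supported_cidr(cidr):
    """Only IPv4 CIDR blocks are supported (page limitation); IPv6 or malformed input is rejected."""
    try:
        return isinstance(ip_network(cidr), IPv4Network)
    except ValueError:
        return False


@dataclass
class IPGroup:
    name: str
    cidr_blocks: list  # trusted source networks as IPv4 CIDR strings

    def __post_init__(self):
        bad = [c for c in self.cidr_blocks if not is_supported_cidr(c)]
        if bad:
            raise ValueError(f"{self.name}: unsupported CIDR blocks {bad}")
        self.networks = [ip_network(c) for c in self.cidr_blocks]

    def contains(self, ip):
        return any(ip_address(ip) in net for net in self.networks)


@dataclass
class IPFilter:
    name: str
    operation_group: str  # assumed labels: "management" or "schema"
    ip_groups: list  # empty list models the predefined "No Public Networks" group


AUDIT_LOG = []  # denied public attempts are recorded here, as the page describes


def evaluate(filters, source_ip, operation_group, over_public_network=True):
    """Return True if the request is allowed, False if denied (and logged)."""
    if not over_public_network:
        return True  # IP Filtering applies only to public networks
    applicable = [f for f in filters if f.operation_group == operation_group]
    if not applicable:
        return True  # assumption: no filter for this group keeps the default (any source IP)
    if any(g.contains(source_ip) for f in applicable for g in f.ip_groups):
        return True
    AUDIT_LOG.append({"source_ip": source_ip, "operation_group": operation_group, "result": "denied"})
    return False


def julia_filters():
    """Julia's setup from the example, with constructed (RFC 5737) CIDR blocks."""
    sf_office = IPGroup("SF Office", ["203.0.113.0/24"])
    corp_vpn = IPGroup("Corp VPN", ["198.51.100.0/24"])
    return [IPFilter("Allow Corporate Offices and VPN", "management", [sf_office, corp_vpn])]
```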

Limitations

IP Filtering currently has the following limitations:

  • Protecting access to data in Kafka topics, ksqlDB databases, and Flink compute pools is not supported.

  • Two operation groups are currently available:

    • Resource management: Covers the management of Confluent Cloud resources using the resource management APIs (api.confluent.cloud).
    • Schema management: Covers schema management operations.
    • The following operation groups are not currently configurable:
      • Catalog management
      • Kafka Management
      • Logging
      • Metrics
      • Kafka data

    For details, see Operation groups.

  • When an IP filter is applied to the resource management operation group, creating a connector by executing a KSQL statement fails.

  • Only IPv4 CIDR blocks are supported.

Prerequisites

To use IP Filtering, you must have the following:

  • A Confluent Cloud account with the following roles:

    • OrganizationAdmin role to manage IP groups and IP filters for the organization and its environments.
    • EnvironmentAdmin role to manage IP filters for an environment.

    If you do not have these permissions, the Confluent Cloud Console for IP Filtering is unavailable.

  • A list of IPv4 CIDR blocks representing the trusted source networks that can access Confluent Cloud resources.

To use the confluent iam ip-filter and confluent iam ip-group CLI commands, you must have the following:

  • Confluent CLI version 4.18.0 or later.