IP Access Lists

IP Access Control Lists provide network-level security by restricting database connections to specific IP addresses and network ranges. This feature is essential when public internet access to your nodegroups is required but you need to maintain strict control over connection sources.

Understanding IP Access Lists

Purpose and Scope

IP Access Lists serve as a network firewall that:

  • Controls Connection Sources: Only allows connections from pre-approved IP addresses
  • Reduces Attack Surface: Blocks unauthorized connection attempts at the network level
  • Supports Compliance: Helps meet regulatory requirements for network access controls
  • Enables Hybrid Architectures: Secures connections from on-premises networks and specific cloud environments

When to Use IP Access Lists

Required Scenarios:

  • Public internet access is enabled for nodegroups
  • Remote team members need database access
  • Integration with external systems and services
  • Development and testing environments with distributed teams

Recommended Scenarios:

  • Hybrid cloud architectures with on-premises components
  • Third-party system integrations
  • Business intelligence tools requiring direct database access
  • Backup and monitoring systems outside your primary VPC

Consider Alternatives:

  • Use Private Link when all access can be routed through your VPC
  • Implement application-layer authentication for user-facing applications
  • Consider VPN solutions for team-wide access requirements

Security Model and Behavior

Default Security Posture

Security Principles:

  • Deny by Default: Empty access lists block all connections
  • Explicit Allow: Only explicitly listed IPs and ranges are permitted
  • Layered Security: IP restrictions work alongside database authentication
  • Administrative Control: Only users with administrative privileges can modify access lists

Access List Rules and Behavior

Rule Characteristics:

  • Multiple Rules: Create multiple IP access rules for different purposes
  • Shared Rules: A single rule can apply to multiple nodegroups
  • Multiple Assignments: Multiple rules can be assigned to one nodegroup
  • Public Access Only: Rules only apply to nodegroups with public network access enabled

Rule Processing:

  • Rules are combined as a logical OR: a connection is allowed if its source address matches any entry of any rule assigned to the nodegroup
  • Rules contain allowed addresses only; there are no deny entries, so rule order never matters and overlapping ranges are harmless
  • A source that matches no assigned rule is refused at the network level, before database authentication is attempted
  • Changes take effect as soon as they are saved; allow a short propagation window before treating a failed connection as a misconfiguration

IP Address Formats and Examples

Supported Address Formats

Individual IP Addresses:

192.168.1.100
10.0.0.25
203.0.113.45

CIDR Network Ranges:

192.168.1.0/24    # Matches 192.168.1.0 through 192.168.1.255 (256 addresses)
10.0.0.0/16       # Matches 10.0.0.0 through 10.0.255.255 (65,536 addresses)
172.16.0.0/12     # Matches 172.16.0.0 through 172.31.255.255 (1,048,576 addresses)

The three ranges above are RFC 1918 private space and illustrate prefix lengths only. A public access list is evaluated against the source address as it arrives at the public endpoint, so enter each client's public (post-NAT) address; a private range entered here never matches a connection coming from the internet.

Multiple Addresses (Comma-Separated):

192.168.1.100,192.168.1.101,192.168.1.102
203.0.113.0/24,198.51.100.50,192.0.2.0/24
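The following Python example is added for this page and is not part of Tacnode's tooling. It models the rule semantics described above (comma-separated entries, logical OR across all rules assigned to a nodegroup, deny when nothing matches) using only the standard library, and adds two checks a reviewer of an access list would want before saving it: a warning for RFC 1918 entries, which can never match a source arriving over the public internet, and a warning for entries admitting more than a /24 worth of addresses (that threshold is an assumed policy value, not a product limit). CIDR entries with host bits set are reported as errors rather than silently widened.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 private ranges. A public access list is evaluated against the
# post-NAT source address seen at the public endpoint, so entries inside
# these ranges never match anything (they are flagged, not rejected).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed policy threshold for this example: any entry admitting more than a
# /24 worth of addresses is flagged for review (a /16 admits 65,536).
MAX_ENTRY_ADDRESSES = 256


@dataclass
class Rule:
    """One named access rule, as it would be entered in the console."""
    name: str
    networks: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def parse_rule(name: str, text: str) -> Rule:
    """Parse a comma-separated list of IPs and CIDR ranges into a Rule.

    Single addresses become /32 (or /128) networks so every entry is matched
    the same way. Invalid entries are collected in rule.errors instead of
    being dropped: a typo that shrinks an allow list is a lockout, a typo
    that widens it is a hole, and both deserve a visible error.
    """
    rule = Rule(name=name)
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # Strict parsing: "203.0.113.45/24" is rejected rather than being
            # silently widened to the whole 203.0.113.0/24.
            net = ipaddress.ip_network(entry)
        except ValueError:
            rule.errors.append(f"{entry}: not a valid address, or CIDR with host bits set")
            continue
        if net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_RANGES):
            rule.warnings.append(f"{entry}: RFC 1918 range, never matches a public source")
        if net.num_addresses > MAX_ENTRY_ADDRESSES:
            rule.warnings.append(f"{entry}: admits {net.num_addresses} addresses")
        rule.networks.append(net)
    return rule


def is_allowed(source: str, assigned_rules: list) -> bool:
    """Evaluate the rules assigned to one nodegroup against a source address.

    Logical OR: any entry of any rule permits the connection. There are no
    deny entries, so order is irrelevant; an empty assignment, or a source
    that matches nothing, is denied.
    """
    addr = ipaddress.ip_address(source)
    return any(addr in net for rule in assigned_rules for net in rule.networks)


if __name__ == "__main__":
    office = parse_rule("Corporate-Office-Network", "203.0.113.0/24")
    review = parse_rule("Needs-Review", "10.1.1.0/28, 40.112.0.0/16, 300.1.1.1, 203.0.113.45/24")
    for r in (office, review):
        print(r.name, "errors:", r.errors, "warnings:", r.warnings)
    print(is_allowed("203.0.113.45", [office, review]))   # True
    print(is_allowed("198.51.100.50", [office, review]))  # False
```

Run the script against a rule string before pasting it into the console; anything in `errors` should be fixed and anything in `warnings` should be justified in the rule's description.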

Common Configuration Examples

Office Network Access:

# Corporate headquarters
203.0.113.0/24

# Remote office locations
198.51.100.0/24,192.0.2.0/24

# VPN endpoint addresses
203.0.113.10,203.0.113.11

Cloud Provider Integration:

# AWS NAT Gateway Elastic IPs (addresses your account controls)
52.1.2.3,52.1.2.4

# Azure Application Gateway public IP range
40.112.0.0/16

# Google Cloud Platform egress range
35.199.192.0/19

Prefer the specific egress addresses your account owns (NAT gateway, static public IP) over provider-wide ranges: a /16 or /19 such as the two above admits every customer whose traffic leaves the provider from that range, not only your workloads.

Development Team Access:

# Developer home offices (residential addresses change; review on a schedule)
203.0.113.100,198.51.100.200,192.0.2.150

# CI/CD runners: the public egress address of the runner network, not its private subnet
198.51.100.64/28

# Testing infrastructure: public egress range
192.0.2.192/26

Configuration and Management

Creating IP Access Rules

Step 1: Plan Your Access Requirements

  • Identify all legitimate sources that need database access
  • Determine IP addresses or ranges for each source
  • Group related sources into logical access rules
  • Document the business purpose for each rule

Step 2: Create Access Rules

  1. Navigate to your Data Cloud settings
  2. Select "Security" → "IP Access Lists"
  3. Click "Create New Rule"
  4. Configure rule details:
    • Rule Name: Descriptive name (e.g., "Corporate-Office-Network")
    • IP Addresses: Enter addresses in supported formats
    • Description: Document the purpose and scope
    • Tags: Add tags for organization and management

Step 3: Assign Rules to Nodegroups

  1. Select target nodegroups for the rule
  2. Verify nodegroups have public access enabled
  3. Apply the rule assignment
  4. Test connectivity from allowed sources

Managing Existing Rules

Viewing Access Rules:

  • List all configured rules with their IP ranges
  • View which nodegroups each rule applies to
  • Check rule creation and modification history
  • Monitor rule usage and connection patterns

Modifying Rules:

  • Update IP addresses and ranges as needed
  • Change rule assignments to nodegroups
  • Modify rule descriptions and metadata
  • Track all changes for audit purposes

Deleting Rules:

  • Rules can only be deleted if not assigned to any nodegroups
  • Unassign rules from all nodegroups before deletion
  • Deleting a Data Cloud removes all associated access rules
  • Confirm deletion to avoid accidental access loss

Troubleshooting Common Issues

Connection Failures

Issue: Unable to connect despite correct IP access rules

Diagnosis Steps:

  1. Verify that the public IP address your client actually connects from (see Network Discovery below) matches an entry in the configured rules; a VPN, proxy or NAT gateway can make it differ from the address you expect
  2. Check that the nodegroup has public access enabled
  3. Confirm the rule is assigned to the target nodegroup
  4. Test database credentials and the connection string; a source blocked by the access list typically fails before the PostgreSQL handshake (timeout or reset), while bad credentials fail after it

Issue: Intermittent connection failures

Potential Causes:

  • Dynamic IP address changes (residential ISPs, mobile networks)
  • Load balancer, NAT gateway or proxy drawing from an address pool larger than the IPs that were listed
  • Network routing changes that move traffic to a different egress point
  • DNS resolution issues (unrelated to the access list, but they produce the same symptom)
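The intermittent-failure causes above, rotating NAT or load-balancer egress addresses in particular, are easiest to confirm from the addresses that were refused. The following Python script is an added illustration for this page, not Tacnode tooling: it reads a constructed log of connection attempts in an assumed `src=… result=…` format, reports the sources that fall outside the assigned rules, flags refused addresses that sit in the same /24 as an allowed entry (the signature of an egress pool rotating beyond the listed members), and computes an exact CIDR cover for the observed pool so the rule can be widened without admitting neighbours that were never seen.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of connection attempts as a client-side or gateway log
# might record them. The format (timestamp, src=, result=) is an assumption
# made for this example, not a Tacnode log format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=52.1.2.3 result=ok
2024-05-01T09:05:12Z src=52.1.2.4 result=ok
2024-05-01T09:10:44Z src=52.1.2.5 result=timeout
2024-05-01T09:15:03Z src=52.1.2.6 result=timeout
2024-05-01T09:20:31Z src=198.51.100.7 result=timeout
2024-05-01T09:25:09Z src=52.1.2.3 result=ok
2024-05-01T09:30:40Z src=52.1.2.5 result=timeout
"""

LOG_RE = re.compile(r"src=(\S+)\s+result=(\w+)")


def load_allowlist(rule_texts):
    """Flatten the comma-separated rule strings assigned to a nodegroup."""
    nets = []
    for text in rule_texts:
        for entry in text.split(","):
            if entry.strip():
                nets.append(ipaddress.ip_network(entry.strip()))
    return nets


def refused_sources(log_text, allow_nets):
    """Count attempts from sources that no assigned rule covers."""
    refused = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if not any(addr in n for n in allow_nets):
            refused[str(addr)] += 1
    return refused


def suspected_pool_rotation(refused, allow_nets):
    """Refused IPv4 addresses that share a /24 with an allowed entry.

    Adjacent addresses almost always mean the client's NAT gateway, load
    balancer or proxy draws from a pool larger than the IPs that were listed.
    """
    hits = {}
    for src in refused:
        addr = ipaddress.ip_address(src)
        if addr.version != 4:
            continue
        block = ipaddress.ip_network(f"{addr}/24", strict=False)
        neighbours = [str(n) for n in allow_nets
                      if n.version == 4 and n.subnet_of(block)]
        if neighbours:
            hits[src] = sorted(neighbours)
    return hits


def exact_cover(addresses):
    """Smallest set of CIDR blocks covering exactly the given addresses.

    Prefer this over widening to one larger prefix: a /29 drawn around a
    cloud NAT pool can admit addresses belonging to other tenants.
    """
    nets = [ipaddress.ip_network(a) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    allow = load_allowlist(["52.1.2.3,52.1.2.4", "203.0.113.0/24"])
    refused = refused_sources(SAMPLE_LOG, allow)
    print("refused:", dict(refused))
    rotation = suspected_pool_rotation(refused, allow)
    print("likely pool rotation:", rotation)
    listed = {str(n.network_address) for n in allow if n.version == 4 and n.prefixlen == 32}
    print("proposed entries:", ",".join(exact_cover(sorted(listed | set(rotation)))))
```

The unrelated refusal from 198.51.100.7 is reported but not treated as rotation, which is the right default: an address with no allowed neighbour should be investigated before it is added, not folded into an existing rule.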

Configuration Problems

Issue: Cannot delete IP access rule

Solution: Unassign the rule from all nodegroups before attempting deletion

Issue: Rule changes not taking effect

Solution:

  • Verify rule syntax and formatting (one IP address or CIDR range per comma-separated entry)
  • Check for typos in IP addresses or CIDR notation
  • Confirm rule assignment to the correct nodegroups
  • Allow a short time for configuration propagation before concluding the rule is wrong

Network Discovery

Finding Your IP Address:

# From command line (-4 asks for the IPv4 address, -6 for IPv6)
curl -4 ifconfig.me
curl -4 icanhazip.com
 
# From web browser
# Visit: https://whatismyipaddress.com/

The reported address is only meaningful if the database client leaves your network by the same path: with a split-tunnel VPN, or a proxy configured for HTTP only, web traffic and database traffic can exit through different public addresses.

Testing Connectivity:

# Test network reachability first (telnet is often not installed; nc is a common alternative)
nc -vz -w 5 your-nodegroup.tacnode.io 5432
telnet your-nodegroup.tacnode.io 5432
 
# Test the database connection once the port answers
psql -h your-nodegroup.tacnode.io -p 5432 -U username -d database

Emergency Access Procedures

Lockout Recovery

If you accidentally block your own access:

  1. Contact Tacnode Support: Provide your account details and current IP address
  2. Use Alternative Access: Connect through a different approved IP if available
  3. VPN Solutions: Use company VPN if VPN endpoints are in the access list
  4. Team Coordination: Have a colleague with admin access modify the rules

Disaster Recovery Planning

Backup Access Methods:

  • Maintain multiple admin users with different network access
  • Document emergency contact procedures for support
  • Keep backup lists of critical IP addresses and ranges
  • Test disaster recovery procedures regularly

Business Continuity:

  • Plan for IP address changes due to ISP or infrastructure changes
  • Coordinate with network teams for planned maintenance
  • Implement automated monitoring for access rule effectiveness
  • Maintain offline copies of critical configuration documentation

IP Access Control Lists provide essential network-level security for public database access while maintaining operational flexibility. Proper configuration and ongoing management ensure robust protection against unauthorized access attempts.