IP Access Lists
IP Access Control Lists provide network-level security by restricting database connections to specific IP addresses and network ranges. This feature is essential when public internet access to your nodegroups is required but you need to maintain strict control over connection sources.
Understanding IP Access Lists
Purpose and Scope
IP Access Lists serve as a network firewall that:
- Controls Connection Sources: Only allows connections from pre-approved IP addresses
- Reduces Attack Surface: Blocks unauthorized connection attempts at the network level
- Supports Compliance: Helps meet regulatory requirements for network access controls
- Enables Hybrid Architectures: Secures connections from on-premises networks and specific cloud environments
When to Use IP Access Lists
Required Scenarios:
- Public internet access is enabled for nodegroups
- Remote team members need database access
- Integration with external systems and services
- Development and testing environments with distributed teams
Recommended Scenarios:
- Hybrid cloud architectures with on-premises components
- Third-party system integrations
- Business intelligence tools requiring direct database access
- Backup and monitoring systems outside your primary VPC
Consider Alternatives:
- Use Private Link when all access can be routed through your VPC
- Implement application-layer authentication for user-facing applications
- Consider VPN solutions for team-wide access requirements
Security Model and Behavior
Default Security Posture
Critical Security Note: When public network access is enabled, the default IP access list is empty, which blocks ALL connections. You must configure IP access rules immediately after enabling public access, or database connectivity will be impossible.
Security Principles:
- Deny by Default: Empty access lists block all connections
- Explicit Allow: Only explicitly listed IPs and ranges are permitted
- Layered Security: IP restrictions work alongside database authentication
- Administrative Control: Only users with administrative privileges can modify access lists
Access List Rules and Behavior
Rule Characteristics:
- Multiple Rules: Create multiple IP access rules for different purposes
- Shared Rules: A single rule can apply to multiple nodegroups
- Multiple Assignments: Multiple rules can be assigned to one nodegroup
- Public Access Only: Rules only apply to nodegroups with public network access enabled
Rule Processing:
- Rules are combined with logical OR: a connection is allowed if any assigned rule matches its source address
- The first matching rule determines the outcome (allow/block)
- Rules have no implicit ordering, so design them to avoid conflicting matches
- Changes take effect immediately upon configuration
IP Address Formats and Examples
Supported Address Formats
Individual IP Addresses:
CIDR Network Ranges:
Multiple Addresses (Comma-Separated):
Common Configuration Examples
Office Network Access:
Cloud Provider Integration:
Development Team Access:
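The following is an added example, not Tacnode's own code or API: a small Python model of how entries in the supported formats (bare addresses, CIDR ranges, comma-separated lists) are parsed and how a nodegroup's assigned rules are OR-ed, with the empty-list and public-access-disabled cases handled as described above. The AccessRule and Nodegroup classes, the evaluate function and the sample prefixes are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
def parse_entries(text):
    """Parse one rule's comma-separated entries into ip_network objects.
    A bare address becomes a single-host network; strict=True rejects ranges
    with host bits set (e.g. 10.0.0.5/24), a common typo in CIDR entries."""
    nets = []
    for item in (raw.strip() for raw in text.split(",")):
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets

def validate_entries(text):
    """Return the parser's error message for a bad entry string, or None if valid."""
    try:
        parse_entries(text)
        return None
    except ValueError as exc:
        return str(exc)

@dataclass
class AccessRule:
    name: str
    entries: str  # as typed into the rule, e.g. "198.51.100.0/24, 203.0.113.7"

@dataclass
class Nodegroup:
    name: str
    public_access: bool
    rules: list  # AccessRule objects assigned to this nodegroup; rules may be shared

def evaluate(nodegroup, client_ip):
    """Decide whether client_ip may reach the nodegroup over the public network.
    Rules apply only when public access is enabled, an empty list denies all,
    and assigned rules are OR-ed. Returns (allowed, reason) for troubleshooting."""
    ip = ipaddress.ip_address(client_ip)
    if not nodegroup.public_access:
        return False, "public network access is disabled; access rules do not apply"
    if not nodegroup.rules:
        return False, "access list is empty: deny by default"
    for rule in nodegroup.rules:
        for net in parse_entries(rule.entries):
            if ip in net:
                return True, f"{ip} matched {net} in rule {rule.name!r}"
    return False, f"{ip} matched no rule assigned to {nodegroup.name!r}"

# Constructed sample configuration (documentation prefixes, not real infrastructure).
OFFICE = AccessRule("Corporate-Office-Network", "198.51.100.0/24")
CI_RUNNERS = AccessRule("CI-Runners", "203.0.113.10, 203.0.113.11")
ANALYTICS = Nodegroup("analytics-ng", public_access=True, rules=[OFFICE, CI_RUNNERS])
```

Running validate_entries on a rule before saving it catches the malformed CIDR typos listed under troubleshooting, and the reason string from evaluate tells you which of the diagnosis steps (public access, assignment, rule match) actually failed.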
Configuration and Management
Creating IP Access Rules
Step 1: Plan Your Access Requirements
- Identify all legitimate sources that need database access
- Determine IP addresses or ranges for each source
- Group related sources into logical access rules
- Document the business purpose for each rule
Step 2: Create Access Rules
- Navigate to your Data Cloud settings
- Select "Security" → "IP Access Lists"
- Click "Create New Rule"
- Configure rule details:
- Rule Name: Descriptive name (e.g., "Corporate-Office-Network")
- IP Addresses: Enter addresses in supported formats
- Description: Document the purpose and scope
- Tags: Add tags for organization and management
Step 3: Assign Rules to Nodegroups
- Select target nodegroups for the rule
- Verify nodegroups have public access enabled
- Apply the rule assignment
- Test connectivity from allowed sources
Managing Existing Rules
Viewing Access Rules:
- List all configured rules with their IP ranges
- View which nodegroups each rule applies to
- Check rule creation and modification history
- Monitor rule usage and connection patterns
Modifying Rules:
- Update IP addresses and ranges as needed
- Change rule assignments to nodegroups
- Modify rule descriptions and metadata
- Track all changes for audit purposes
Deleting Rules:
- Rules can only be deleted if not assigned to any nodegroups
- Unassign rules from all nodegroups before deletion
- Deleting a Data Cloud removes all associated access rules
- Confirm deletion to avoid accidental access loss
Troubleshooting Common Issues
Connection Failures
Issue: Unable to connect despite correct IP access rules
Diagnosis Steps:
- Verify your external IP address matches the configured rules
- Check if nodegroup has public access enabled
- Confirm rule is assigned to the target nodegroup
- Test database credentials and connection string
Issue: Intermittent connection failures
Potential Causes:
- Dynamic IP address changes
- Load balancer or proxy IP rotation
- Network routing changes
- DNS resolution issues
Configuration Problems
Issue: Cannot delete IP access rule
Solution: Unassign the rule from all nodegroups before attempting deletion
Issue: Rule changes not taking effect
Solution:
- Verify rule syntax and formatting
- Check for typos in IP addresses or CIDR notation
- Confirm rule assignment to correct nodegroups
- Allow time for configuration propagation
Network Discovery
Finding Your IP Address:
Testing Connectivity:
Emergency Access Procedures
Lockout Recovery
If you accidentally block your own access:
- Contact Tacnode Support: Provide your account details and current IP address
- Use Alternative Access: Connect through a different approved IP if available
- VPN Solutions: Use company VPN if VPN endpoints are in the access list
- Team Coordination: Have a colleague with admin access modify the rules
Disaster Recovery Planning
Backup Access Methods:
- Maintain multiple admin users with different network access
- Document emergency contact procedures for support
- Keep backup lists of critical IP addresses and ranges
- Test disaster recovery procedures regularly
Business Continuity:
- Plan for IP address changes due to ISP or infrastructure changes
- Coordinate with network teams for planned maintenance
- Implement automated monitoring for access rule effectiveness
- Maintain offline copies of critical configuration documentation
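As an added example (not Tacnode's own code or API) of the "keep backup lists of critical IP addresses" advice: a dry-run check that compares a nodegroup's current and proposed rule entries against a labelled list of sources you must never lock out (admin workstations, backup and monitoring hosts) before the change is applied. The change_impact function, the report format and the sample prefixes are constructed for illustration.

```python
import ipaddress

def source_allowed(rule_entries, ip):
    """True if ip falls inside any entry of the given rules (each rule is its
    comma-separated entry string as typed into the console)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(item.strip(), strict=True)
               for entries in rule_entries for item in entries.split(",") if item.strip())

def change_impact(current_rules, proposed_rules, critical_sources):
    """Dry-run a rule change for one nodegroup.
    critical_sources maps a label to the public IP that source connects from.
    'locked_out' lists sources allowed today that the proposed rules would deny;
    'empty_list' flags a proposal with no entries, which denies every connection."""
    report = {
        "locked_out": [],
        "allowed_after": [],
        "empty_list": not any(e.strip() for e in proposed_rules),
    }
    for label, ip in sorted(critical_sources.items()):
        before = source_allowed(current_rules, ip)
        after = source_allowed(proposed_rules, ip)
        if after:
            report["allowed_after"].append(label)
        elif before:
            report["locked_out"].append(label)
    report["safe_to_apply"] = not report["locked_out"] and not report["empty_list"]
    return report

# Constructed sample: the office range is being narrowed and the CI rule dropped.
CURRENT_RULES = ["198.51.100.0/24", "203.0.113.10, 203.0.113.11"]
PROPOSED_RULES = ["198.51.100.0/25"]
CRITICAL_SOURCES = {
    "admin-workstation": "198.51.100.200",  # outside the narrowed /25
    "backup-host": "203.0.113.10",          # only covered by the dropped CI rule
    "monitoring": "198.51.100.7",
}

if __name__ == "__main__":
    print(change_impact(CURRENT_RULES, PROPOSED_RULES, CRITICAL_SOURCES))
```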
IP Access Control Lists provide essential network-level security for public database access while maintaining operational flexibility. Proper configuration and ongoing management ensure robust protection against unauthorized access attempts.