cbr-tutorial.md

copyright	years 2022, 2024
lastupdated	2024-07-31
keywords	cbr, context based restrictions, security, cbr scenario, cloud databases
subcollection	cloud-databases
content-type	tutorial
services	cloud-databases
account-plan	paid
completion-time	30m

{{site.data.keyword.attribute-definition-list}}

Example context-based restrictions scenarios

{: #cbr-tutorial} {: toc-content-type="tutorial"} {: toc-services="cloud-databases"} {: toc-completion-time="30m"}

With context-based restrictions, account owners and administrators can define and enforce access restrictions for {{site.data.keyword.cloud}} resources, based on the context of access requests. Access to {{site.data.keyword.databases-for}} resources can be controlled with context-based restrictions and identity and access management policies. For more information, see Protecting {{site.data.keyword.databases-for}} resources with context-based restrictions. {: shortdesc}

Restrict traffic to your deployment by using {{site.data.keyword.databases-for}} Allowlisting

{: #cbr-tutorial-scenario}

In this example scenario, you use context-based restrictions to restrict traffic to your {{site.data.keyword.databases-for-mysql_full}} cluster in the in-che region by allowing only the set of subnets from the {{site.data.keyword.databases-for}} Allowlist page to connect to your deployment.

In the following steps, you start by creating a network zone, or allowlist, that includes your subnets. Then, you create a context-based restrictions rule for your deployment. When you create the rule, you associate it with the network zone that contains the individual IP address.

Prerequisites

{: #cbr-tutorial-prereqs}

Before beginning this tutorial, make sure you have created or installed the following resources and tools.

• An {{site.data.keyword.cloud_notm}} account. For more information, see Creating an account.
• The [{{site.data.keyword.databases-for}} CLI plug-in/docs/cloud-databases?topic=cloud-databases-cdb-reference) - the CLI interface to interact with the {{site.data.keyword.databases-for}} API. For more information, see Getting started with the {{site.data.keyword.cloud_notm}} CLI.
• A {{site.data.keyword.databases-for}} deployment. For more information, see Provisioning.
• Review the What are context-based restrictions docs to get an understanding of concepts of network zones and rules.
• Review the Protecting {{site.data.keyword.databases-for}} resources with context-based restrictions docs to understand how you can leverage CBR for your {{site.data.keyword.databases-for}} resources.

Creating your network zone in the CLI

{: #cbr-tutorial-create-zone-cli} {: step}

Provision your service from the {{site.data.keyword.cloud_notm}} Catalog and choose your IP addresses from the {{site.data.keyword.databases-for}} Allowlist page.

1. Run the following example command to create a network that includes a range of allowed IP addresses.

   ibmcloud cbr zone-create --addresses=169.38.95.127/27,169.38.121.159/28,169.38.132.127/25,169.38.136.255/26,169.38.73.151/29,169.38.105.79/29,10.162.8.127/26,10.163.20.127/25,10.162.115.103/29,10.162.132.79/29 --name=tutorial_zone

   {: pre}

2. Verify the network zone was created.

   ibmcloud cbr zones

   {: pre}

Creating your CBR rule in the CLI

{: #cbr-tutorial-create-rule} {: step}

1. After you create your network zone (allowlist), create a context-based restrictions rule and add the network zone you created in the previous step. The following example creates a rule that uses the data-plane API type. Replace ZONE-ID with the ID of the tutorial_zone network zone that you created in Step 1.

   ibmcloud cbr rule-create --enforcement-mode enabled --context-attributes networkZoneId=<ZONE-ID> --resource-group-id <RESOURCE_GROUP_ID> --service-name databases-for-mysql --service-instance <SERVICE-INSTANCE> --api-types crn:v1:bluemix:public:context-based-restrictions::::api-type:data-plane --description <DESCRIPTION>

   {: pre}

   Understanding the command options.

   --context-attributes (string) : Contexts to add to the rule. Can only pass in one networkZoneId field at a time. This option can be repeated to add multiple network zones. Please use this if you need to specify the endpointType with the networkZoneId.

   --zone-id (string) : Shorthand for adding context attribute networkZoneId to the context without specifying endpoint.

   --resource-attributes (string) : Resources to add to the rule.

   --resource-group-id (string) : Shorthand for creating {{site.data.keyword.cloud_notm}} resource attribute resourceGroupId. Used to restrict the rule to a single resource group.

   --region (string) : Shorthand for creating {{site.data.keyword.cloud_notm}} resource attribute region. Used to restrict the rule to a single region.

   --service-name (string) : Shorthand for creating {{site.data.keyword.cloud_notm}} resource attribute serviceName.

   --service-instance (string) : GUID of the service instance to scope the context to. This option can be omitted if the context applies to more than one of you service instances. This option is exclusive with the --file option.

2. Verify the rule was created.

   ibmcloud cbr rules

   {: pre}

Testing your context-based restrictions

{: #cbr-tutorial-create-test} {: step}

To test your context-based restrictions setup, try connecting to your deployment from an IP address other than the IP addresses that you allowlisted in your network zone. With this setup, only the IP addresses in your network zone can connect to your deployment.