IBM Cloud Docs
Protecting Schematics services with context-based restrictions

Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to Schematics services can be controlled using context-based restrictions (CBR) and Identity and Access Management (IAM) policies.

Managing CBR settings

With context-based restrictions, you can define and enforce user and service access restrictions to Schematics based on specified criteria, for example IP address or IBM Cloud® resources or services.

To restrict access, you must be the account owner or have an access policy with the administrator role on all account management services.

Overview

To restrict access to Schematics, you create network zones that contain the IP addresses and services that you want to grant access, and then apply those zones by using rules.

First, create a network zone that contains the IP addresses, VPCs, resources, or services that need to access Schematics. Then, attach that zone to Schematics by using a rule to restrict access. You can create zones and rules by using the RESTful API or the context-based restrictions UI. After you create or update a zone or a rule, it might take a few minutes for the change to take effect.

You must allowlist Schematics in the CBR rules of other services if Schematics needs to connect to those services to perform post-configuration of their resources, for example IBM Cloud® PostgreSQL Database. If you configure a CBR rule for a service such as IBM Cloud Kubernetes Service, Schematics cannot access a cluster in your account unless you include Schematics in that rule's allowlist.

CBR rules do not apply to resource and service provisioning requests, only to the post-configuration of provisioned services.

Currently, CBR is supported by Schematics public endpoints in both US and EU regions. CBR support with Schematics private endpoints is limited to EU region only.

If a CBR rule is blocking access to Schematics, the workspace page cannot list any workspaces. Other operations that are blocked by CBR, such as workspace create, plan, and apply requests, fail with access denied errors.

Understanding network zones

By creating network zones, you define an allowlist of network locations from which Schematics access requests can originate; a rule uses these zones to decide whether it applies to a request. Network locations can be specified as IP addresses (individual addresses, ranges, or subnets), Virtual Private Cloud (VPC) IDs, or IBM Cloud® services.

After you create a network zone, you can add it to a rule.

Creating network zones by using the CBR API

The CBR API supports defining network zones.

Use GET /v1/zones to list the zones. By using POST /v1/zones, you can create a new zone with the appropriate information. For more information about the API request, see Creating network zones by using the API.

You can determine which services are available to include in a zone by checking the reference targets.

After you create zones, you can update or delete them.

Creating network zones by using the CBR UI

After you set the prerequisites and requirements, you can create zones in the UI. For more information about the steps to follow, see Creating context-based restrictions.

After you create zones, they can also be updated and deleted.

Understanding network rules

After you create your zones, you can apply the zones to Schematics to control access by creating rules. When you add zones to a rule, you can choose from the available types of endpoints that are relevant to how you access Schematics.

Create network rules by using the CBR API

You can define network rules with the API by using the information that you collected from creating network zones.

Use GET /v1/rules, filtered by the endpoints that you chose, to view the list of current rules. Use POST /v1/rules to create new rules. For a request example, see Creating rules by using the API.

After you create rules, you can update and delete them.
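The following script is an added example, not code from the IBM Cloud documentation, that builds the request bodies for POST /v1/zones and POST /v1/rules described above and can submit them with an IAM token. It assumes the CBR API base URL (https://cbr.cloud.ibm.com/v1), the address types (ipAddress, subnet, vpc, serviceRef), the context attributes (networkZoneId, endpointType), the resource attributes (accountId, serviceName) and the enforcement_mode field as documented in the CBR API reference; verify them against that reference. The account ID, VPC CRN, IP addresses and zone IDs are constructed placeholders. The example also covers the earlier point about allowlisting Schematics in another service's rule: a zone whose address is a serviceRef for Schematics.

```python
"""Added example: build IBM Cloud CBR zone and rule request bodies for
Schematics and optionally submit them. Field names follow the CBR API
reference as understood by the author of this example (assumption)."""
import json
import urllib.request

CBR_API_BASE = "https://cbr.cloud.ibm.com/v1"  # assumed CBR API endpoint

# Constructed sample values; replace with values from your own account.
ACCOUNT_ID = "0123456789abcdef0123456789abcdef"
VPC_CRN = "crn:v1:bluemix:public:is:us-south:a/" + ACCOUNT_ID + "::vpc:example-vpc-id"


def build_zone(name, account_id, ip_addresses=(), subnets=(), vpc_crns=(),
               allow_schematics=False, description=""):
    """Return the body for POST /v1/zones.

    Each address is one allowed network location: a single IP, a CIDR
    subnet, a VPC (by CRN) or a service reference. allow_schematics=True
    adds a serviceRef for Schematics, which a zone needs when the rule
    protects another service that Schematics must reach for
    post-configuration (for example a Kubernetes cluster).
    """
    addresses = [{"type": "ipAddress", "value": ip} for ip in ip_addresses]
    addresses += [{"type": "subnet", "value": cidr} for cidr in subnets]
    addresses += [{"type": "vpc", "value": crn} for crn in vpc_crns]
    if allow_schematics:
        addresses.append({
            "type": "serviceRef",
            "ref": {"account_id": account_id, "service_name": "schematics"},
        })
    if not addresses:
        raise ValueError("a zone must contain at least one address")
    return {"name": name, "account_id": account_id,
            "description": description, "addresses": addresses}


def build_rule(account_id, zone_ids, service_name="schematics",
               endpoint_type="public", enforcement_mode="report", description=""):
    """Return the body for POST /v1/rules.

    contexts  = where requests may come from (zone id + endpoint type)
    resources = what is protected (a service in this account)
    enforcement_mode "report" only logs what the rule would block, so a new
    rule can be tested before it is switched to "enabled".
    """
    if endpoint_type not in ("public", "private"):  # the two types the page names
        raise ValueError("endpoint_type must be 'public' or 'private'")
    contexts = [{"attributes": [
        {"name": "networkZoneId", "value": zone_id},
        {"name": "endpointType", "value": endpoint_type},
    ]} for zone_id in zone_ids]
    return {
        "description": description,
        "enforcement_mode": enforcement_mode,
        "contexts": contexts,
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": service_name},
        ]}],
    }


def post_cbr(path, body, iam_token):
    """Submit a body to the CBR API (network access and a valid IAM token required)."""
    req = urllib.request.Request(
        CBR_API_BASE + path,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": "Bearer " + iam_token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # 1. Zone of trusted locations from which operators reach Schematics.
    operator_zone = build_zone("schematics-operators", ACCOUNT_ID,
                               ip_addresses=["203.0.113.10"],
                               subnets=["198.51.100.0/24"], vpc_crns=[VPC_CRN])
    # 2. Rule restricting the Schematics public endpoint to that zone
    #    (the zone id comes from the POST /v1/zones response).
    schematics_rule = build_rule(ACCOUNT_ID, ["<zone-id-from-POST-/v1/zones>"])
    # 3. Zone and rule that let Schematics through a rule on another service.
    schematics_ref_zone = build_zone("allow-schematics", ACCOUNT_ID, allow_schematics=True)
    other_service_rule = build_rule(ACCOUNT_ID, ["<zone-id-from-POST-/v1/zones>"],
                                    service_name="<other-service-name>")
    for body in (operator_zone, schematics_rule, schematics_ref_zone, other_service_rule):
        print(json.dumps(body, indent=2))
    # To submit: post_cbr("/zones", operator_zone, iam_token)
```

Obtain the IAM token separately, for example from `ibmcloud iam oauth-tokens`, and create the zone first so that its returned id can be placed in the rule's networkZoneId context. Starting a rule in report mode matches the advice to test every new or changed rule before it can block plan or apply requests.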

Creating network rules by using the CBR UI

After you complete the prerequisites, you can create rules in the UI. For more information about the steps to follow, see Creating context-based restrictions.

You can use the CBR UI to add resources and contexts to your network rules.

Unlike IAM policies, context-based restrictions do not grant access. They check that an access request comes from an allowed context that you configured; the request still needs an IAM policy that grants the action. Also, rules might not take effect immediately because of synchronization and resource availability.

After you create rules, you can update and delete them.

Next steps

After you create or modify zones or rules, test them adequately to ensure that the intended users and services can still access Schematics and that the Schematics service remains available.