Administer Cluster Security

Administer managed SQL Server access control lists and the minimum TLS version for a Data Bridge cluster.

Overview

A Data Bridge cluster is a collection of managed SQL Server instances that a tenant may use to store and manage exposure data, results data, and custom data.

Cluster-level security enables the tenant to manage access to a Data Bridge cluster using access control lists and Transport Layer Security (TLS) encryption:

  • An access control list (ACL) is a list of rules that defines which clients may reach a system resource. Administrators restrict access to the tenant's managed SQL Server instances by listing the IP addresses, as CIDR blocks, that may connect to the tenant's Data Bridge cluster. Connection attempts from IP addresses that are not covered by an ACL entry are denied. The ACL governs only which addresses can reach the instances; it grants no permissions on servers or databases.
  • The Transport Layer Security (TLS) protocol encrypts communications between a client and a server. By default, all connections between clients and managed SQL Server instances are encrypted automatically using TLS version 1.2 or newer. Administrators can set the minimum version of TLS that the SQL Server instances in the tenant's Data Bridge cluster accept.

Data Bridge also supports mechanisms for securing data within the tenant's Data Bridge cluster. Data resource security enables tenants to restrict access to secured server instances and databases based on group membership. To learn more, see Administer Server and Database Security.

Cluster-level administrative operations may be performed by Intelligent Risk tenant administrators using controls in Admin Center or Data Bridge API services.

Administer access control lists

Data Bridge enables administrators to create, update, and delete access control lists using the Data Bridge API or controls in Admin Center.

The Data Bridge ACL supports CIDR notation to define ranges of IP addresses. A CIDR block is written as a network prefix followed by a prefix length that states how many leading bits of the address are fixed; every address that shares those leading bits belongs to the block. For example, 203.0.113.0/24 covers the 256 addresses 203.0.113.0 through 203.0.113.255, and 198.51.100.7/32 covers the single host 198.51.100.7. A tenant administrator may specify up to 150 CIDR blocks.

Moody's RMS recommends that Data Bridge tenants configure their ACL to only accept connections from corporate IP addresses. Tenants should implement a VPN solution for users that need to connect to the Data Bridge cluster from remote locations. Avoid very broad blocks: an entry such as 0.0.0.0/0 admits every IPv4 address and effectively disables the ACL. By default, no external IP addresses may connect to the tenant's Data Bridge cluster. Tenant administrators may create an access control list in Admin Center. For step-by-step instructions, see Data Bridge User Guide.

The Data Bridge API defines services that enable administrators to view, edit, or overwrite the tenant's access control list.

View access control list

The Get IP addresses service enables administrators to view the IP addresses that are allowed to access the tenant's Data Bridge cluster.

A successful response returns an array of ACL entries. Each entry contains a cidrBlock that identifies a range of IP addresses and, if one was specified, a comment that documents the CIDR block.

[
  {
    "cidrBlock": "140.177.XXX.123/32",
    "comment": "HomeNet"
  },
  {
    "cidrBlock": "98.169.XXX.11/32",
    "comment": "CorpNet"
  }
]

Add entry to access control list

The Add to Data Bridge ACL service enables administrators to add a new CIDR entry to an existing Data Bridge access control list.

The request body specifies a single cidrEntry object:

{
  "cidrEntry": {
    "cidrBlock": "140.177.XXX.112/32",
    "comment": "HomeNetNew"
  }
}

The cidrBlock attribute specifies a range of IP addresses. Computers with IP addresses within the CIDR block may connect to the tenant's managed SQL Server instances. The optional comment attribute enables you to document the CIDR block, for example the site or team that owns the address range.

Edit access control lists

The Edit access control lists service (PATCH /databridge/v1/cluster/allowed-ips) enables administrators to edit the access control list by adding or removing CIDR blocks.

The request body may add or remove entries using the addCidrEntries and removeCidrEntries arrays.

{
  "addCidrEntries": [
    {
      "cidrBlock": "140.177.XXX.112/32",
      "comment": "HomeNetNew"
    }
  ],
  "removeCidrEntries": [
    {
      "cidrBlock": "98.169.XXX.13/32",
      "comment": "CorpNetNew"
    }
  ]
}

The request body contains two arrays:

  • The addCidrEntries array lists the entries to add to the access control list. Each entry consists of a cidrBlock attribute and a comment attribute.
  • The removeCidrEntries array lists the entries to remove from the access control list. Each entry consists of a cidrBlock attribute and a comment attribute.

Removing an entry revokes access only if no other entry still covers the same addresses. A host listed as a /32 that also falls inside a wider block in the ACL remains able to connect until the wider block is removed as well.

Revoke access by CIDR block or IP address

The Data Bridge API provides administrators two ways to revoke access to the Data Bridge cluster.

The Delete IP address service enables administrators to remove a specific single-host entry from the ACL. The ipAddress path parameter specifies one IP address in dotted decimal format:

curl --request DELETE \
     --url https://api-euw1.rms.com/databridge/v1/Cluster/allowed-ips/140.177.XXX.112 \
     --header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXX'

Alternatively, the Delete range of IP addresses service enables administrators to delete an entire CIDR block from the access control list.

The service accepts two path parameters that together define a CIDR block of network addresses. The ipAddress path parameter defines the network prefix for the range of IP addresses in dotted decimal format. The subnetMask path parameter is the prefix length: the number of leading bits that form the network prefix, for example 32 for a single host or 24 for a block of 256 addresses. Deleting a block revokes access for every address it covers, so check what else the block contains before removing it.

curl --request DELETE \
     --url https://api-euw1.rms.com/databridge/v1/Cluster/allowed-ips/140.177.XXX.112/32 \
     --header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXX'
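
The following Python script is an added example, not Moody's RMS code, that shows the client-side checks an administrator would want before calling the view, add, edit, and revoke services above. It parses a response in the shape returned by the Get IP addresses service, decides whether a client address is covered, flags blocks that are too broad or shadowed by another block, builds the addCidrEntries/removeCidrEntries body for the edit service, and works out which Delete calls are needed to revoke a host. The sample ACL is constructed from RFC 5737 documentation ranges, the DELETE path prefix is copied from the curl examples above and assumed rather than verified, the /16 "too broad" threshold is an assumption, and the function names are mine. It performs no network calls.

```python
"""Client-side review of a Data Bridge cluster ACL (added example, not RMS code).

Works on the JSON shapes shown on this page; never contacts the API.
"""
import ipaddress
import json

MAX_CIDR_BLOCKS = 150        # limit stated on this page
BROAD_PREFIX_THRESHOLD = 16  # assumption: anything wider than /16 deserves review

# Constructed sample in the shape of the Get IP addresses response
# (RFC 5737 documentation addresses, not real tenant addresses).
SAMPLE_ACL = [
    {"cidrBlock": "203.0.113.0/24", "comment": "CorpNet"},
    {"cidrBlock": "203.0.113.40/32", "comment": "CorpNet jump host"},
    {"cidrBlock": "198.51.100.7/32", "comment": "HomeNet"},
    {"cidrBlock": "0.0.0.0/0", "comment": "temp-open for vendor"},
]


def parse_acl(entries):
    """Turn API entries into (ip_network, comment) pairs.

    strict=True rejects blocks with host bits set (e.g. 203.0.113.5/24), which
    usually means the admin meant /32 and would otherwise open a whole /24.
    """
    acl = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry["cidrBlock"], strict=True)
        except (KeyError, ValueError) as exc:
            raise ValueError(f"malformed ACL entry {entry!r}: {exc}") from None
        acl.append((net, entry.get("comment", "")))
    return acl


def is_allowed(acl, client_ip):
    """True if any ACL block covers client_ip (the decision the cluster makes)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net, _ in acl)


def lint_acl(acl):
    """Findings a reviewer wants before trusting the list."""
    findings = []
    if len(acl) > MAX_CIDR_BLOCKS:
        findings.append(f"{len(acl)} blocks exceeds the {MAX_CIDR_BLOCKS}-block limit")
    for net, comment in acl:
        if net.prefixlen == 0:
            findings.append(f"{net} ({comment!r}) admits every address; ACL is effectively off")
        elif net.prefixlen < BROAD_PREFIX_THRESHOLD:
            findings.append(f"{net} ({comment!r}) is broader than /{BROAD_PREFIX_THRESHOLD}")
    # Shadowed entries: deleting the narrow block revokes nothing while the
    # wider block remains, a common surprise when revoking a single host.
    for i, (a, _) in enumerate(acl):
        for b, _ in acl[i + 1:]:
            if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a)):
                inner, outer = (a, b) if a.subnet_of(b) else (b, a)
                findings.append(f"{inner} is already covered by {outer}")
    return findings


def build_patch_body(add=(), remove=()):
    """Body for PATCH /databridge/v1/cluster/allowed-ips; validates each block first."""
    def entries(items):
        out = []
        for cidr, comment in items:
            ipaddress.ip_network(cidr, strict=True)  # raises ValueError if malformed
            out.append({"cidrBlock": cidr, "comment": comment})
        return out
    return json.dumps({"addCidrEntries": entries(add),
                       "removeCidrEntries": entries(remove)}, indent=2)


def revoke_paths(acl, target_ip, base="/databridge/v1/Cluster/allowed-ips"):
    """DELETE paths needed to revoke target_ip, one per covering entry.

    A /32 uses the single-address form; a wider block uses ipAddress/subnetMask
    and is returned with the count of other addresses that call would also drop.
    """
    ip = ipaddress.ip_address(target_ip)
    paths = []
    for net, _ in acl:
        if ip.version != net.version or ip not in net:
            continue
        if net.prefixlen == net.max_prefixlen:
            paths.append((f"{base}/{net.network_address}", 0))
        else:
            paths.append((f"{base}/{net.network_address}/{net.prefixlen}",
                          net.num_addresses - 1))
    return paths


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for finding in lint_acl(acl):
        print("finding:", finding)
    print(build_patch_body(add=[("198.51.100.8/32", "HomeNetNew")],
                           remove=[("0.0.0.0/0", "temp-open for vendor")]))
    for path, collateral in revoke_paths(acl, "203.0.113.40"):
        print("DELETE", path, f"(also drops {collateral} other addresses)")
```

Run it against the real response of the Get IP addresses service by replacing SAMPLE_ACL with the parsed JSON; the revoke_paths output tells you that deleting only the /32 for the jump host leaves it reachable through the CorpNet /24.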

Administer data encryption

Data Bridge uses Transport Layer Security (TLS) to manage connections between clients and managed SQL Server instances.

By default, Data Bridge is configured to accept TLS 1.2 or newer. If you need to allow an older protocol version to support legacy applications, Data Bridge supports setting the minimum TLS version to 1.0, 1.1, or 1.2. Moody's RMS recommends the default setting of TLS 1.2. TLS 1.0 and 1.1 are deprecated (RFC 8996) and have known weaknesses, so lower the minimum only as a documented, temporary exception and restore 1.2 once the legacy client is upgraded.

Set Minimum TLS Version

The Set TLS protocol service (PUT /databridge/v1/Cluster/server-security) sets the minimum TLS protocol version on the cluster. The minTlsVersion attribute is specified in the request body; the following example lowers the minimum to TLS 1.1:

{
  "minTlsVersion": "1.1"
}

Clients connecting to managed SQL Server instances must be able to negotiate the configured minimum version or newer; connections offering only older versions are refused. Raising the minimum therefore takes effect immediately for new connections from clients that cannot meet it.