Administer Cluster Security

Administer cluster security using access control lists

Overview

A Data Bridge cluster is a collection of managed SQL Server instances that a tenant may use to store and manage exposure data, results data, and custom data.

Data Bridge provides several mechanisms for securing data within the tenant's Data Bridge cluster. Whereas groups define access rights to data within server instances and databases, access to the Data Bridge cluster itself is controlled by two means: Transport Layer Security (TLS) encryption of client connections, and an access control list that limits which source IP addresses may connect at all.

Cluster-level administrative operations may be performed by Intelligent Risk tenant administrators using controls in Admin Center or Data Bridge API services. Data Bridge contributors and consumers cannot administer cluster-level security.

Administer access control lists

Data Bridge enables administrators to create, update, and delete access control lists using the Data Bridge API or controls in Admin Center.

An access control list (ACL) is an ordered set of rules that controls access to a network. The Data Bridge ACL is an allow list: it restricts incoming traffic to a tenant's Data Bridge cluster by rejecting connections from any source IP address that does not fall within one of the listed entries.

The Data Bridge ACL supports CIDR notation to define ranges of IP addresses using a network prefix and a prefix length. CIDR is a prefix-based standard for the representation of IP addresses and their routing properties. It allows blocks of addresses to be grouped into single entries. These groups, commonly called CIDR blocks, share an initial sequence of bits in the binary representation of their IP addresses; the number after the slash is the count of shared bits, so a /32 block matches exactly one IPv4 address and a /24 block matches 256.

RMS recommends that Data Bridge tenants configure their ACL to accept connections only from corporate IP addresses. Tenants should implement a VPN solution for users that need to connect to the Data Bridge cluster from remote locations, and list the VPN egress addresses rather than individual home addresses. By default, no external IP addresses may connect to the tenant's Data Bridge cluster. Tenant administrators may create an access control list in Admin Center. For step-by-step instructions, see Data Bridge User Guide.
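The allow-list semantics described above, modelled locally so they can be checked before an entry is submitted. This is an added example and not RMS code or any part of the Data Bridge API; it assumes only the entry shape shown on this page ({"cidrBlock": ..., "comment": ...}) and the documented default that an empty list admits nobody. The width limits in MIN_PREFIXLEN and the list of non-routable ranges are this example's own policy, not an RMS setting, and the sample ACL uses RFC 5737 documentation addresses rather than real corporate ranges.

```python
"""Local model of the Data Bridge ACL: membership test plus pre-submission checks.

Added example, not RMS code. Assumes only the {"cidrBlock", "comment"} entry
shape from the page and its default-deny rule for an empty list.
"""
import ipaddress
from typing import Dict, List

Entry = Dict[str, str]

# Constructed sample ACL in the shape the Get IP addresses service returns
# (RFC 5737 documentation addresses, not real networks).
SAMPLE_ACL: List[Entry] = [
    {"cidrBlock": "198.51.100.0/24", "comment": "CorpNet"},
    {"cidrBlock": "203.0.113.7/32", "comment": "VPN concentrator"},
]

# Widest block this example tolerates per IP version (assumption, not an RMS rule).
MIN_PREFIXLEN = {4: 24, 6: 64}

# Source ranges that can never reach the cluster over the internet; an entry
# inside one of these is almost always a typo (assumption: RFC 1918, loopback,
# link-local and "this network" space).
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


def is_allowed(client_ip: str, acl: List[Entry]) -> bool:
    """True when client_ip lies inside any CIDR block of the ACL.

    An empty ACL admits nobody, matching the page's default-deny statement.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        net = ipaddress.ip_network(entry["cidrBlock"], strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def validate_entry(entry: Entry) -> List[str]:
    """Check a candidate entry before sending it to the Add or Edit services.

    Returns a list of problems; an empty list means the entry is acceptable.
    """
    problems: List[str] = []
    cidr = entry.get("cidrBlock", "")
    try:
        # strict=True rejects prefixes with host bits set (e.g. 198.51.100.5/24),
        # which usually means the operator intended a single-host /32 entry.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid cidrBlock {cidr!r}: {exc}"]
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        problems.append(
            f"{cidr} is wider than /{MIN_PREFIXLEN[net.version]}; "
            "list specific corporate or VPN egress ranges instead"
        )
    if any(p.version == net.version and net.subnet_of(p) for p in NON_ROUTABLE):
        problems.append(f"{cidr} is not a publicly routable source range")
    if not entry.get("comment"):
        problems.append(f"{cidr} has no comment; record the owner and purpose")
    return problems


if __name__ == "__main__":
    for ip in ("198.51.100.42", "203.0.113.8"):
        print(ip, "allowed" if is_allowed(ip, SAMPLE_ACL) else "denied")
    for candidate in ({"cidrBlock": "0.0.0.0/0", "comment": "everyone"},
                      {"cidrBlock": "198.51.100.5/24", "comment": "typo"},
                      {"cidrBlock": "10.0.0.0/8"}):
        print(candidate["cidrBlock"], validate_entry(candidate))
```

Run validate_entry over every block before it goes into an Add or Edit request; the 0.0.0.0/0 case is the one that silently turns the allow list into "accept everything" and is worth refusing outright in tooling.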

The Data Bridge API defines services that enable administrators to view, edit, or overwrite the tenant's access control list.

View access control list

The Get IP addresses service enables administrators to view the IP addresses that are allowed to access the tenant's Data Bridge cluster.

A successful response returns an array of ACL entries. Each entry contains a cidrBlock that identifies a range of IP addresses and, if one was specified when the entry was created, a comment that documents the CIDR block.

[
  {
    "cidrBlock": "140.177.XXX.123/32",
    "comment": "HomeNet"
  },
  {
    "cidrBlock": "98.169.XXX.11/32",
    "comment": "CorpNet"
  }
]

Add entry to access control list

The Add to Data Bridge ACL service enables administrators to add a new CIDR entry to an existing Data Bridge access control list.

The request body specifies a single cidrEntry object:

{
  "cidrEntry": {
    "cidrBlock": "140.177.XXX.112/32",
    "comment": "HomeNetNew"
  }
}

The cidrBlock attribute specifies a range of IP addresses in CIDR notation. Computers with IP addresses within the CIDR block may connect to the managed SQL Server instances in the tenant's Data Bridge cluster. The optional comment attribute enables you to document the CIDR block, for example with its owner and purpose.

Edit access control lists

The Edit access control lists service (PATCH /databridge/v1/cluster/allowed-ips) enables administrators to edit the access control list by adding or removing CIDR blocks.

The request body adds and removes entries in a single call using the addCidrEntries and removeCidrEntries arrays:

{
  "addCidrEntries": [
    {
      "cidrBlock": "140.177.XXX.112/32",
      "comment": "HomeNetNew"
    }
  ],
  "removeCidrEntries": [
    {
      "cidrBlock": "98.169.XXX.13/32",
      "comment": "CorpNetNew"
    }
  ]
}

Each array holds zero or more entries:

  • The addCidrEntries array lists entries to add to the access control list. Each entry consists of a cidrBlock attribute and a comment attribute.
  • The removeCidrEntries array lists entries to remove from the access control list. Each entry consists of a cidrBlock attribute and a comment attribute.
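Building the request body for the Edit access control lists service by diffing the ACL you currently have (as returned by the Get IP addresses service) against the ACL you want, with a guard against removing the block that covers the operator's own address. This is an added example and not RMS code; it assumes only the addCidrEntries / removeCidrEntries body shape documented above and the entry shape shown for the Get service. Whether the service matches removals by cidrBlock alone or also by comment is not stated on this page, so the example copies the existing comment verbatim into each removal. Sending the PATCH itself, and the lock-out guard, are left to the caller and are this example's own design.

```python
"""Compute a PATCH /databridge/v1/cluster/allowed-ips body from desired state.

Added example, not RMS code. Assumes only the addCidrEntries/removeCidrEntries
body shape and the {"cidrBlock", "comment"} entry shape documented on the page.
"""
import ipaddress
import json
from typing import Dict, List, Optional

Entry = Dict[str, str]

# Constructed sample data (RFC 5737 documentation ranges, not real networks).
CURRENT_ACL: List[Entry] = [
    {"cidrBlock": "198.51.100.0/24", "comment": "CorpNet"},
    {"cidrBlock": "203.0.113.7/32", "comment": "former contractor"},
]
DESIRED_ACL: List[Entry] = [
    {"cidrBlock": "198.51.100.0/24", "comment": "CorpNet"},
    {"cidrBlock": "203.0.113.16/28", "comment": "VPN egress pool"},
]


def canonical(cidr: str) -> str:
    """Normalise a block so 198.51.100.5/24 and 198.51.100.0/24 compare equal."""
    return str(ipaddress.ip_network(cidr, strict=False))


def would_lock_out(desired: List[Entry], operator_ip: str) -> bool:
    """True if no block in the desired ACL covers operator_ip.

    Under the page's default-deny rule that means the operator's own SQL
    connections would be refused once the PATCH is applied.
    """
    ip = ipaddress.ip_address(operator_ip)
    for entry in desired:
        net = ipaddress.ip_network(entry["cidrBlock"], strict=False)
        if ip.version == net.version and ip in net:
            return False
    return True


def build_patch_body(current: List[Entry], desired: List[Entry],
                     operator_ip: Optional[str] = None) -> Dict[str, List[Entry]]:
    """Return the addCidrEntries/removeCidrEntries body that moves current to desired.

    Blocks present in both lists are left untouched. If operator_ip is given
    and the desired ACL would not admit it, raise instead of producing a body.
    """
    if operator_ip is not None and would_lock_out(desired, operator_ip):
        raise ValueError(
            f"refusing to build PATCH: {operator_ip} would lose access to the cluster"
        )
    cur = {canonical(e["cidrBlock"]): e for e in current}
    des = {canonical(e["cidrBlock"]): e for e in desired}
    to_add = sorted(des.keys() - cur.keys())
    to_remove = sorted(cur.keys() - des.keys())
    return {
        "addCidrEntries": [
            {"cidrBlock": k, "comment": des[k].get("comment", "")} for k in to_add
        ],
        # Removals carry the comment already stored on the entry, as in the
        # page's own example body.
        "removeCidrEntries": [
            {"cidrBlock": k, "comment": cur[k].get("comment", "")} for k in to_remove
        ],
    }


def to_request_body(body: Dict[str, List[Entry]]) -> str:
    """Serialise the body for use as the PATCH payload."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    # Operator connecting from inside CorpNet: safe to apply.
    print(to_request_body(build_patch_body(CURRENT_ACL, DESIRED_ACL, "198.51.100.10")))
```

Feed the output of the Get IP addresses service in as current and your source-controlled allow list as desired; an empty body on both sides means the cluster already matches and no PATCH is needed.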

Revoke access by CIDR block or IP address

The Data Bridge API provides administrators two ways to revoke access to the Data Bridge cluster.

The Delete IP address service enables administrators to remove a specific IP address from the ACL. The ipAddress path parameter specifies a single IP address in dotted decimal format, without a prefix length:

curl --request DELETE \
     --url https://api-euw1.rms.com/databridge/v1/Cluster/allowed-ips/140.177.XXX.112 \
     --header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXX'

Alternatively, the Delete range of IP addresses service enables administrators to delete an entire CIDR block from the access control list.

The service accepts two path parameters that together identify a CIDR block. The ipAddress path parameter gives the network prefix of the block in dotted decimal format. The subnetMask path parameter gives the prefix length, that is, the number of leading bits that addresses in the block share (32 for a single IPv4 host):

curl --request DELETE \
     --url https://api-euw1.rms.com/databridge/v1/Cluster/allowed-ips/140.177.XXX.112/32 \
     --header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXX'

Administer data encryption

Data Bridge uses Transport Layer Security (TLS) to protect connections between clients and managed SQL Server instances.

By default, Data Bridge is configured to require TLS 1.2 or newer. If you need to allow an older protocol version to support legacy applications, Data Bridge supports setting the minimum TLS version to 1.0, 1.1, or 1.2. RMS recommends the default setting of TLS 1.2. Note that TLS 1.0 and 1.1 are deprecated (RFC 8996) and the setting applies to the whole cluster, so lowering it weakens the connection security of every client, not only the legacy one; treat a lower minimum as a temporary exception and restore 1.2 once the legacy client is upgraded.

Set Minimum TLS Version

The Set TLS protocol service (PUT /databridge/v1/Cluster/server-security) sets the minimum TLS protocol version on the cluster. The minTlsVersion attribute is specified in the request body. The following request lowers the minimum to TLS 1.1 for a legacy client; the same call with "1.2" restores the recommended default.

{
  "minTlsVersion": "1.1"
}

Clients connecting to managed SQL Server instances must be able to negotiate at least the configured minimum version; connections that offer only older versions are refused.
