Learn about creating and managing network policies for Firebolt.
By default, Firebolt accepts traffic from any IP address. As an additional layer of security, you can configure individual Firebolt logins or service accounts so their traffic must originate only from the IP addresses that you specify. For each configuration (network policy), you specify a list of IP addresses from which traffic is allowed (the allow list) and a list of IP addresses from which traffic is denied (the blocked list). A network policy is a collection of allowed and blocked lists of IP addresses.
Network policies can be configured at the organization level and also per login or service account. When evaluating a network policy, Firebolt first checks the IP address of the login or service account against the policy set at the organization level. If there is no network policy at the organization level (or the organization-level network policy does not allow access), the network policy at the login or service account level is checked next. If no network policy allows access, the user receives a 401 Unauthorized response.
The IP allow and blocked lists used to specify a network policy are specified as comma-separated IPv4 addresses and/or IPv4 address ranges in CIDR format. You can apply the same list to one or many users, and each user can have unique lists. You can specify lists manually or import lists of addresses and ranges from a CSV file saved locally. You can add, edit or delete network policies using SQL or in the UI.
To view all network policies, click Configure to open the configure space, then choose Network policies from the menu, or query the information_schema.network_policies view.
Managing network policies requires the org_admin role.
To create a network policy using SQL, use the CREATE NETWORK POLICY statement. For example:
To create a network policy via the UI:
For each user, the Allowed IPs and Blocked IPs columns are updated to reflect the total number of IP addresses in each list that you specified for that user. Network policies created in the UI are automatically attached to the organization that the policy creator is logged in to.
To attach (or detach) a network policy using SQL, use the ALTER ORGANIZATION statement. For example:
or to detach:
To attach or detach a network policy to an organization via the UI:
To edit a network policy using SQL, use the ALTER NETWORK POLICY statement. For example:
To edit a network policy via the UI:
To delete a network policy using SQL, use the DROP NETWORK POLICY statement. For example:
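The following statements walk a network policy through its whole lifecycle (create, attach at the organization and service-account level, inspect, edit, detach, drop). They are an added example, not code from the Firebolt documentation: the policy names, service account name, and IP addresses are constructed, and the clause names (WITH ALLOWED_IP_LIST / BLOCKED_IP_LIST / DESCRIPTION, SET NETWORK_POLICY, and DEFAULT to detach) are assumed from the Firebolt SQL reference and should be checked against the CREATE NETWORK POLICY, ALTER NETWORK POLICY, and ALTER ORGANIZATION reference pages before use.

```sql
-- Constructed names and addresses; clause names assumed from the Firebolt reference.

-- 1. Create an organization-wide policy: allow the office egress range plus
--    the scheduler host, and list one host inside the office range as blocked.
CREATE NETWORK POLICY IF NOT EXISTS office_only
WITH ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
     BLOCKED_IP_LIST = ('203.0.113.77')
     DESCRIPTION = 'Office egress range and scheduler host; quarantined host blocked';

-- 2. Attach it at the organization level (this policy is evaluated first
--    for every login and service account in the organization).
ALTER ORGANIZATION SET NETWORK_POLICY = office_only;

-- 3. Give a single service account a narrower policy of its own
--    (evaluated after the organization-level policy).
CREATE NETWORK POLICY IF NOT EXISTS etl_runner_only
WITH ALLOWED_IP_LIST = ('198.51.100.10')
     DESCRIPTION = 'ETL service account may only connect from the scheduler host';
ALTER SERVICE ACCOUNT etl_runner SET NETWORK_POLICY = etl_runner_only;

-- 4. Review the policies in place (name, allowed and blocked lists, description).
SELECT * FROM information_schema.network_policies;

-- 5. Edit the organization policy: the scheduler host moved to a new address.
ALTER NETWORK POLICY office_only
SET ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.20')
    BLOCKED_IP_LIST = ('203.0.113.77');

-- 6. Detach the policies before dropping them, so no login or service
--    account still references a policy that no longer exists.
ALTER SERVICE ACCOUNT etl_runner SET NETWORK_POLICY = DEFAULT;
ALTER ORGANIZATION SET NETWORK_POLICY = DEFAULT;
DROP NETWORK POLICY IF EXISTS etl_runner_only;
DROP NETWORK POLICY IF EXISTS office_only;
```

All of these statements require the org_admin role. Keep the organization-level policy the broad one and use per-login or per-service-account policies for the tighter restrictions, and re-run the information_schema.network_policies query after each change to confirm the lists on record match what you intended.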
To delete a network policy via the UI: