Cloud Client IP Restrictions Docs #62478
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| --- | ||
| title: Cloud Client IP Restrictions | ||
| description: Restrict access to your cloud cluster with a configurable allowlist. | ||
| tags: | ||
| - faq | ||
| - platform-wide | ||
| --- | ||
|
|
||
| **Client IP Restrictions** restrict access to your Teleport Cloud cluster, allowing traffic only from the specified network ranges (CIDR blocks). | ||
|
|
||
| ## How to enable | ||
| This feature is only available to Teleport Cloud customers and is opt-in only. Please contact your account executive or [customer support](https://goteleport.com/support/) to enable client IP restrictions for your tenant. | ||
|
|
||
| ## Adding CIDR blocks to the IP Allowlist | ||
|
|
||
| Log in to your Teleport Cloud account. Open the user dropdown menu on the top right of the navigation bar, and select "Help & Support," then scroll down until you see the IP Allowlist section. | ||
|
|
||
| If you do not see the IP Allowlist section, then it has yet to be enabled for your account. Please refer to [how to enable](#how-to-enable). | ||
|
|
||
| Once you add a CIDR, it will take effect in 5-20 minutes and will terminate existing connections. Changes to the allowlist are recorded in the audit log. | ||
|
|
||
| Managing allow rules is governed by Teleport’s existing RBAC system. | ||
| The preset `editor` role has permissions to read and write the allowlist. | ||
|
|
||
| You can also create custom roles granting access via the `client_ip_restriction` | ||
| resource. | ||
|
|
||
| ```yaml | ||
| allow: | ||
| - resources: [ client_ip_restriction ] | ||
| verbs: | ||
| # list is required to view the allowlist | ||
| - list | ||
| # create and update are required to modify the allowlist | ||
| - create | ||
| - update | ||
| ``` | ||
|
|
||
| ## Limitations | ||
|
|
||
| ### Misconfiguration | ||
| Misconfiguration can block all access to your cluster. Make sure to include your current network before saving changes. | ||
|
Collaborator:
I can almost guarantee someone will lock themselves out. Do we have anything on the roadmap to address this footgun? Most systems with a feature like this will prevent you from blocking your own IP (or at least warn you first).

Contributor (Author):
We have an internal issue tracking additional improvements. https://github.com/gravitational/cloud/issues/15181 Unsure of the priority at this time.
||
|
|
||
| ### Third-party service ranges | ||
| Teleport does not auto-add third-party service ranges. You must add allow rules for any third party service that needs to access your Teleport cluster (CI/CD systems, Identity Providers, etc.) | ||
|
|
||
| ### Network security | ||
| The allowlist applies to Teleport Cloud access; it does not replace your organization’s network/firewall policies. | ||
|
|
||
| ### Sync time | ||
| The Client IP Restriction allowlist may take up to 20 minutes before it is fully synced. | ||
|
|
||
| ## FAQ | ||
|
|
||
| ### How many CIDRs can you configure? | ||
|
|
||
| By default, up to 256 CIDR blocks can be configured. Please contact your account executive or customer support to increase the limit. | ||
|
|
||
| ### Do you support a denylist? | ||
|
|
||
| Teleport Cloud client IP restrictions do not currently support a denylist. | ||
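Review bot: the Misconfiguration section (`Misconfiguration can block all access to your cluster`) names the lockout risk but gives no recovery path, which matters because the same page says changes take 5-20 minutes to apply and terminate existing connections, so a mistaken entry cannot be undone from the session that made it. Suggest adding one sentence stating how a locked-out administrator regains access (the page's own `[customer support](https://goteleport.com/support/)` link is the natural pointer) and advising that the current egress address be confirmed, not assumed, before saving. The Third-party service ranges section would also benefit from stating whether the allowlist applies to Teleport agents and nodes dialing in from customer networks, since `CI/CD systems, Identity Providers, etc.` leaves that unclear, and the RBAC snippet could say whether `list` alone is sufficient to view individual entries or whether a read verb is also needed.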
Is there a cloud tag?

Not that I know of.

We could start one. We only just started the tags late last quarter, so the current set isn't exhaustive.