Version: v4.9

Network Shield

You can set Network Shield rules that limit who can connect to a repository based on where (source IP address) they're trying to connect from. You can scope each rule so that it applies to specific database users or to all database users. Likewise, you can create a rule that grants access to a specific database user, regardless of where they connect from.

info

Network Shield is supported only for Oracle and Microsoft SQL Server repositories.

You set location-based access rules in the Network Shield section of the Cyral control plane UI as explained in Add Network Shield rules for a repository, below.

For example, in the rules shown above:

  • the Finance rule allows people to connect to the mssqlserver database with the manager database account, provided they are connecting from one of the source IP addresses 12.5.7.34, 192.158.1.38, or 19.117.63.47;
  • the View-only rule allows people to connect to the mssqlserver database with the viewer database account from anywhere;
  • the Test rule allows all Cyral-configured database accounts to connect to the mssqlserver database from the 192.168.1.34/16 subnet. For security, you would create an ANY DATABASE ACCOUNT rule only for subnets or addresses that only trusted staff can connect from.
tip

Q: What is a database account?

A: A database account is any database-native or cloud storage-native account used to connect to the repository.

Add Network Shield rules for a repository

Network Shield operates as an allowlist. To use Network Shield, you'll add a rule for each database user who can connect, specifying which addresses that user can connect from. Once your rules are in place, you'll enable Network Shield by toggling the setting Restrict access to this repository based on client IP to ON.

With Network Shield enabled, each connection attempt must match one of your rules, or it will be disallowed.

Add rules to the allowlist as shown below:

Prerequisites

Procedure

  1. Click Data Repos ➡️ click your repo's name ➡️ Network Shield.

  2. Click Add Rule.

  3. In the Add Rule window, provide a Name and optional Description for the rule.

  4. In the Client IP section, list the IP addresses that this rule allows client connections from.

    • Click Specify IPs.
    • In the field that appears, add an IPv4 address.
      caution

      Make sure the allowed IP addresses in your Network Shield rules are also allowed by the database inbound rules of your deployed sidecar. For sidecars deployed via Terraform, see the notes on network access control to the sidecar instance.

    • If more addresses are needed, click Add IP and add them.
    • Click the 🗑️ (wastebasket icon) to remove unwanted addresses from this rule.
    tip

    You can create a rule that allows one or more database accounts to connect from anywhere. There are two ways to do this:

    • Don't add any IP addresses in the Client IP section; or
    • Specify 0.0.0.0/0 as the only IP address in the rule.
  5. In the Database Account section, specify who can connect from the addresses listed in this rule.

    • Click Specify Accounts.
    • In the field that appears, add a database account name.
      info

      A database account is any native account that's used to connect to the database.

    • If more accounts will connect under this rule, click Add Account and add their names; repeat for each additional account.
    • Click the 🗑️ (wastebasket icon) to remove unwanted accounts from this rule.
    tip

    You can create a rule that allows any authorized user to connect from any of the addresses in this rule's allowlist. To do this:

    • Don't add any accounts in the Database Accounts section.
  6. Click Add Rule.

  7. Add additional rules for this repository if needed.

  8. If you wish to activate Network Shield for this repository now, toggle ON the option to Restrict access to this repository based on client IP. Once this setting is ON, Cyral enforces your rules. Any access attempt blocked by the rules will be noted in the Cyral logs.
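The allowlist semantics described above (a rule with no IP addresses, or 0.0.0.0/0, allows any source; a rule with no accounts allows any database account; with the shield ON, a connection is denied unless some rule matches both its source IP and its account) can be modelled offline. The following Python is an added example written for this page, not Cyral's own code or its real matching implementation. It also includes the check the caution on sidecar inbound rules asks for: every address or subnet in a rule should be covered by the sidecar's database inbound allowlist, otherwise the connection is dropped before Network Shield ever evaluates it. The rules are constructed to mirror the Finance, View-only and Test rules on this page; the sidecar inbound list is a hypothetical value.

```python
"""Offline model of Network Shield allowlist evaluation (added example, not Cyral code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    client_ips: List[str]  # IPv4 addresses or CIDRs; empty list = connect from anywhere
    accounts: List[str]    # database account names; empty list = ANY DATABASE ACCOUNT


def _networks(entries: List[str]) -> List[IPv4Network]:
    # strict=False lets a host address written with a mask, e.g. 192.168.1.34/16,
    # stand for its subnet (192.168.0.0/16); a bare address becomes a /32.
    return [IPv4Network(e, strict=False) for e in entries]


def rule_matches(rule: Rule, source_ip: str, account: str) -> bool:
    """A rule matches when both its IP scope and its account scope accept the attempt."""
    addr = IPv4Address(source_ip)
    ip_ok = not rule.client_ips or any(addr in net for net in _networks(rule.client_ips))
    account_ok = not rule.accounts or account in rule.accounts
    return ip_ok and account_ok


def evaluate(rules: List[Rule], shield_enabled: bool,
             source_ip: str, account: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name_of_matching_rule).

    With the shield OFF every connection passes (no rule is consulted).
    With it ON the first matching rule allows the connection; no match means deny,
    which is the blocked attempt the page says is noted in the Cyral logs.
    """
    if not shield_enabled:
        return True, None
    for rule in rules:
        if rule_matches(rule, source_ip, account):
            return True, rule.name
    return False, None


def uncovered_by_sidecar(rules: List[Rule],
                         sidecar_inbound: List[str]) -> List[Tuple[str, str]]:
    """Rule entries that no sidecar inbound CIDR fully covers.

    Clients at these addresses are allowed by Network Shield but never reach it,
    because the sidecar's own inbound rules drop them first.
    """
    inbound = _networks(sidecar_inbound)
    gaps = []
    for rule in rules:
        for entry in rule.client_ips:
            net = IPv4Network(entry, strict=False)
            if not any(net.subnet_of(allowed) for allowed in inbound):
                gaps.append((rule.name, entry))
    return gaps


# Constructed rules mirroring the three rules described on this page.
RULES = [
    Rule("Finance", ["12.5.7.34", "192.158.1.38", "19.117.63.47"], ["manager"]),
    Rule("View-only", [], ["viewer"]),
    Rule("Test", ["192.168.1.34/16"], []),
]

# Hypothetical sidecar database inbound allowlist (constructed for the example).
SIDECAR_INBOUND = ["12.5.7.34/32", "192.158.1.0/24", "192.168.0.0/16"]


if __name__ == "__main__":
    attempts = [
        ("12.5.7.34", "manager"),      # Finance: listed IP + manager account
        ("10.0.0.1", "manager"),       # manager from an unlisted address: denied
        ("10.0.0.1", "viewer"),        # View-only: viewer from anywhere
        ("192.168.200.9", "manager"),  # Test: any account from the /16 subnet
    ]
    for ip, acct in attempts:
        print(ip, acct, evaluate(RULES, True, ip, acct))
    print("rule entries the sidecar would drop:", uncovered_by_sidecar(RULES, SIDECAR_INBOUND))
```

Because rules form an allowlist, their order only affects which rule name is reported, never the allow/deny outcome. The sidecar check flags 19.117.63.47 in the Finance rule: it is allowed by Network Shield but absent from the constructed sidecar inbound list, which is exactly the mismatch the caution above warns about.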

Edit a Network Shield rule

  1. Click Data Repos ➡️ click your repo's name ➡️ Network Shield.

  2. Find your rule in the list, click the three-dots icon on the right, and choose Edit.

  3. See Add Network Shield rules for a repository for details.

Delete a Network Shield rule

  1. Click Data Repos ➡️ click your repo's name ➡️ Network Shield.

  2. Find your rule in the list, click the three-dots icon on the right, and choose Delete.

Turn on Network Shield for a repository

  1. Click Data Repos ➡️ click your repo's name ➡️ Network Shield.

  2. Make sure you've added Network Shield rules for the repository.

  3. Toggle ON the option to Restrict access to this repository based on client IP. Once this setting is ON, Cyral enforces your rules. Any access attempt blocked by the rules will be noted in the Cyral logs.

Turn off Network Shield for a repository

  1. Click Data Repos ➡️ click your repo's name ➡️ Network Shield.

  2. Toggle OFF the option to Restrict access to this repository based on client IP. Once you've made this change, authorized users can connect to this repository from any source IP address.