Network policies are used to control the network access to your ByteHouse. A network policy consists of both an allowed CIDR list and a blocked CIDR list and is identified by a unique and customizable policy name. Network policies are enforced on every user action once activated.
Network policies are managed at the account level in ByteHouse. Currently, only the account admin can open the "Network Policies" management page and create, edit, activate or delete network policies.
You can follow the steps illustrated in the figure below to create a new network policy. An account can have at most 10 network policies.
Both the "Allowed Network" and "Blocked Network" fields accept IPv4 CIDR blocks or single IPv4 addresses (a single address is equivalent to a /32 block). Examples are: "0.0.0.0/0", "10.24.0.0/16", or "22.214.171.124".
An account can have at most one active network policy at a time. You can activate a new network policy by checking the "Activate this policy" flag in the form, or by toggling the status switch in the network policy list as shown below.
The diagram below illustrates the IP filtering mechanism:
Please note that after activating a new network policy, all existing connections from the web console are interrupted immediately, and connections from the CLI and programmatic access are dropped within 10 minutes. Before activating a policy, make sure the IP addresses you and your applications connect from are covered by the allowed list and not by the blocked list. If you lock yourself out accidentally, please contact our support team.
[Hint: 0.0.0.0/0 is a CIDR block representing all IPv4 addresses, while 0.0.0.0 only represents a specific IPv4 address. You can use 0.0.0.0/0 in Allowed List to allow all IP addresses.]
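The following is an added example, not ByteHouse's own code, that models a network policy with an allowed CIDR list and a blocked CIDR list so you can pre-check which client addresses a policy would admit before activating it (and avoid the lockout described above). It assumes, since the page does not state it, that the blocked list is evaluated before the allowed list, so an address matching both is rejected, and that an address matching no allowed entry is rejected. The names `NetworkPolicy`, `parse_entry`, `is_valid_entry` and `lockout_check` are hypothetical; the sample policy and client addresses are constructed for the example.

```python
"""Model of a ByteHouse-style network policy (added example, not ByteHouse code).

Assumptions not stated on the page:
  * the blocked list is checked first, so an IP in both lists is blocked;
  * an IP that matches no allowed entry is blocked (the policy is an allowlist);
  * only IPv4 entries are accepted, as CIDR blocks or single addresses.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one "Allowed Network" / "Blocked Network" entry.

    Accepts an IPv4 CIDR block ("10.24.0.0/16") or a single IPv4 address
    ("22.214.171.124", treated as /32). Raises ValueError for anything else:
    IPv6, empty strings, or blocks with host bits set (e.g. 10.24.1.0/16),
    which is almost always a typo in a policy.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    net = ipaddress.ip_network(entry, strict=True)
    if net.version != 4:
        raise ValueError(f"IPv4 only: {entry}")
    return net


def is_valid_entry(entry: str) -> bool:
    """True if the entry would be accepted by parse_entry."""
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


class NetworkPolicy:
    """One policy: a name, an allowed list and a blocked list."""

    def __init__(self, name: str, allowed: Iterable[str], blocked: Iterable[str] = ()):
        self.name = name
        self.allowed = [parse_entry(e) for e in allowed]
        self.blocked = [parse_entry(e) for e in blocked]

    @staticmethod
    def _best_match(nets: List[ipaddress.IPv4Network],
                    ip: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Network]:
        # Most specific (longest prefix) entry containing the address, if any.
        hits = [n for n in nets if ip in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    def decide(self, client_ip: str) -> Tuple[bool, str]:
        """Return (admitted, reason) for a client address."""
        ip = ipaddress.ip_address(client_ip)
        if ip.version != 4:
            return False, "not an IPv4 address"
        hit = self._best_match(self.blocked, ip)
        if hit is not None:                      # blocked list wins (assumption)
            return False, f"blocked by {hit}"
        hit = self._best_match(self.allowed, ip)
        if hit is not None:
            return True, f"allowed by {hit}"
        return False, "no allowed entry matches"

    def allows(self, client_ip: str) -> bool:
        return self.decide(client_ip)[0]


def lockout_check(policy: NetworkPolicy, my_ips: Iterable[str]) -> List[str]:
    """Addresses from my_ips that the policy would reject.

    Run this with the public IPs of your workstation, CI runners and
    application hosts before activating the policy; a non-empty result means
    activating it would cut those clients off.
    """
    return [ip for ip in my_ips if not policy.allows(ip)]


if __name__ == "__main__":
    # Constructed sample policy: office network allowed, one guest subnet
    # inside it blocked, plus a single external address.
    office = NetworkPolicy("office",
                           allowed=["10.24.0.0/16", "22.214.171.124"],
                           blocked=["10.24.99.0/24"])
    for ip in ["10.24.1.7", "10.24.99.5", "22.214.171.124", "203.0.113.9"]:
        print(ip, office.decide(ip))
    print("would lock out:", lockout_check(office, ["10.24.1.7", "203.0.113.9"]))
```

Note that "0.0.0.0/0" in the allowed list admits every IPv4 address (subject to the blocked list), while a bare "0.0.0.0" is parsed as the single address 0.0.0.0/32, exactly the distinction the hint above makes.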
A network policy ceases to take effect in any of the following cases:
The network policy is deleted.
The network policy is manually switched off.
Another network policy is activated (only one policy can be active at a time).