Manage access to the Airflow® cluster using the allowlist

This article explains how to allow users and applications only from specific IP addresses to access your Managed Apache Airflow® cluster by adding and managing allowlist entries.

An allowlist consists of single IP addresses and CIDR blocks that are allowed to connect to the cluster. Allowlists are also often referred to as access lists. By default, a cluster's allowlist contains the IP address that the cluster was created from.

About allowlist entries

On DoubleCloud, you can allow access to clusters to both single ID addresses and CIDR blocks.

You can add single IP addresses to the allowlist. By default, the address that the cluster was created from is included in the allowlist.

You can IP address ranges as CIDR blocks. For example, you can add the range of addresses from 192.168.0.1 to 192.168.0.255 by using a shorter CIDR notation of 192.168.0.1/24. In this example, 24 corresponds to the 255.255.255.0 netmask (or subnet mask).

The netmask value in a CIDR can be between 0 and 32 because an IPv4 address is 32 bits long.

To calculate the netmask, use the CIDR subnet calculator .

Add an allowlist entry

To add an IP address or a CIDR block to the allowlist, do the following:

  1. Go to the Clusters page in the console.

  2. Select the Airflow® cluster where you want to add an allowlist entry.

  3. Switch to the Allowlist tab.

  4. Click Edit.

  5. In the dialog, click Add item.

    Screenshot of the allowlist editing dialog

  6. In IP address or CIDR, enter a single IP address or a CIDR block.

    CIDR blocks have the <ip-address>/<netmask> format. To calculate the netmask, use the CIDR Subnet calculator .

  7. (Optional) Enter a description of the IP address or CIDR block.

  8. Click Save.

Remove access restrictions

Warning

Removing access restrictions opens your Airflow® cluster to any outside connection and may cause security issues. Only do that if it's absolutely necessary.

To remove access restrictions in your Airflow® cluster and allow connections from any IP address, take the following steps:

  1. Go to the Clusters page in the console.

  2. Select the Airflow® cluster where you want to remove access restrictions.

  3. Switch to the Allowlist tab.

  4. Click Edit.

  5. In the dialog, click Add item.

  6. In IP address or CIDR, enter 0.0.0.0/0 to allow all connections via IPv4 or ::/0 for IPv6.

  7. (Optional) Enter a description.

  8. Click Save

Edit an allowlist entry

  1. Go to the Clusters page in the console.

  2. Select the cluster where you want to edit allowlist entries.

  3. Switch to the Allowlist tab.

  4. Click Edit.

  5. In the dialog, edit the allowlist entries and their descriptions.

    To calculate the netmask in CIDR blocks, use the CIDR Subnet calculator .

  6. Click Save.

Delete an allowlist entry

  1. Go to the Clusters page in the console.

  2. Select the cluster where you want to delete allowlist entries.

  3. Switch to the Allowlist tab.

  4. Click Edit.

  5. In the dialog, find the entry you want to remove and click ![bin icon](../../_assets/bin.svg "the bin icon) next to it.

  6. Click Save.