Implementing IP address whitelists
- Last Updated: April 11, 2025
- Hybrid Data Pipeline
- Version 4.6
- Documentation
Administrators can secure access to Hybrid Data Pipeline resources by implementing IP address whitelists. When an IP address whitelist is enabled for a resource, any user attempting to reach the resource from an invalid IP address will be denied access, and a 403 access-denied error will be returned.
By default, the ability to set up a whitelist is enabled on the server with an empty list. This allows all IP addresses to connect to the Hybrid Data Pipeline server. Once IP addresses have been added to a whitelist, only the IP addresses on the whitelist will have access to the server (effectively disabling connectivity from any IP address not on the whitelist). As a result, any new IP addresses that need access to the server will always need to be added to the whitelist from that point forward.
Access to the following resources can be managed with IP address whitelists.
- Management API
- Administrators API
- Data access (ODBC, JDBC, and OData)
- Web UI access (system level only)
IP address whitelists may be applied at the system level, tenant level, user level, or some combination of these levels. The following rules apply when IP address whitelists are implemented.
- When an IP address whitelist is set at the system level, users across the system must access the given resource from an IP address or range of IP addresses specified in the whitelist.
- When an IP address whitelist is set at the tenant level, users who reside in the tenant must access the resource from an IP address or range of IP addresses specified in the whitelist.
- When an IP address whitelist is set at the user level, the specified user must access the resource from an IP address or range of IP addresses specified in the whitelist.
- When an IP address whitelist is set at multiple levels for a given resource, Hybrid Data Pipeline first checks the system level, then the tenant level, and then the user level. If any check fails, the user is denied access.
- Web UI access may only be set at the system level.
- IP address whitelist restrictions do not apply when resources are accessed from a local host.
- In the event that an IP address whitelist implementation inadvertently prevents administrators from using Hybrid Data Pipeline, an administrator can bypass the whitelist by accessing the service directly from any machine hosting the service. First, the administrator must have access privileges to the host machine. Next, the administrator can access the service from a host machine by replacing the servername in the Hybrid Data Pipeline URL with localhost, 127.0.0.1, or ::1. Then, the administrator can disable the IP address whitelist feature or update the implementation as desired.
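The rules above can be modeled as a short evaluation routine. The following is an added example, not Hybrid Data Pipeline code: the resource labels, the POLICY layout, and the use of CIDR notation for ranges are assumptions made for illustration, and the addresses are constructed sample values.

```python
import ipaddress

# Order in which the documentation says the checks run.
LEVELS = ("system", "tenant", "user")

# Constructed sample policy: the lists that apply to one user in one tenant.
# Resource labels ("mgmt_api", "webui", ...) are hypothetical names.
POLICY = {
    "system": {"mgmt_api": ["10.0.0.0/8"], "webui": ["10.1.0.0/16"]},
    "tenant": {"mgmt_api": ["10.20.0.0/16"]},
    # A user-level "webui" list is ignored: Web UI is system level only.
    "user": {"mgmt_api": ["10.20.30.40"], "webui": ["192.0.2.1"]},
}


def on_list(ip, entries):
    """True if ip matches an entry; an empty list admits every address."""
    if not entries:
        return True
    # Assumption: entries are single addresses or CIDR ranges.
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def check_access(client_ip, resource, whitelists):
    """Return (http_status, reason) for a request to the given resource."""
    ip = ipaddress.ip_address(client_ip)
    # Local-host access is exempt; this is what keeps the recovery path open.
    if ip.is_loopback:
        return 200, "loopback exempt"
    for level in LEVELS:
        if resource == "webui" and level != "system":
            continue
        entries = whitelists.get(level, {}).get(resource, [])
        if not on_list(ip, entries):
            # The first failing level ends the evaluation with a 403.
            return 403, f"denied at {level} level"
    return 200, "allowed"


if __name__ == "__main__":
    for addr, res in [("10.20.30.40", "mgmt_api"), ("10.21.0.5", "mgmt_api"),
                      ("10.1.2.3", "webui"), ("127.0.0.1", "mgmt_api")]:
        print(addr, res, check_access(addr, res, POLICY))
```

Each level can only narrow the set of permitted addresses, so an address must appear on every non-empty list that applies to the user before the request is allowed.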
Depending on the level at which IP address whitelists are being implemented, an administrator must have certain permissions.
- An administrator with the Administrator (12) permission can implement and create whitelists for all resources at the system, tenant, and user levels.
- An administrator with the following permissions can create whitelists for resources at the tenant level: the MgmtAPI (11) permission, the IPWhiteList (29) permission, and administrative access to the tenant.
- An administrator with the following permissions can create whitelists for resources at the user level: the MgmtAPI (11) permission, the IPWhitelist (29) permission, and administrative access to the tenant to which the user belongs.
- An administrator who does not have the Administrator (12) permission, but wants to use the Web UI to apply IP address whitelists, must have the WebUI (8) permission.
IP address whitelists can be configured through the Web UI or the Hybrid Data Pipeline API.