Skip to main content
Version: 10.3.0

Network Access Control

Network Access Control Overview

The Control Center includes a built-in network access control feature that allows you to restrict access based on IP addresses, HTTP methods, and URLs. This is particularly useful for implementing privileged access control and preventing unauthorized access to the Control Center.

Implementation Support

If you'd like to configure network access control rules, please reach out to your HYPR Solutions Architect and they will help you implement the appropriate configuration for your environment.

How Network Access Control Works

Access control rules are modeled on AWS WAF rules and consist of two main concepts: matchers and rules.

Matchers

Matchers contain conditions that specify the characteristics of web requests you want to evaluate. Available matchers include:

  • METHODS: Match HTTP methods (GET, POST, PUT, etc.)
  • URLS: Regex expression matching incoming URLs
  • IPBLOCKS: CIDR address matching incoming IP addresses

Rules

Rules decide the action to take on matched requests:

  • ALLOW: Permits the request (terminating rule)
  • DENY: Denies the request with 400 HTTP status (terminating rule)
  • COUNT: Logs the request without blocking (non-terminating rule)

Example Configurations

Here are some common use cases for network access control:

Restrict Access to Specific IP Ranges

Allow access only from your corporate network:

ALLOW(IPBLOCKS(192.168.1.0/24)) | DENY(URLS(.*))

Restrict HTTP Methods

Allow only GET and POST requests:

ALLOW(METHODS(GET,POST)) | DENY(URLS(.*))

Block Specific URL Patterns

Block access to administrative endpoints from external IPs:

ALLOW(IPBLOCKS(10.0.0.0/8)) | DENY(URLS(/admin/.*))

Testing Rules

A test API endpoint is available to validate rules before deployment:

curl -X POST "http://localhost:8009/cc/api/serverconfig/firewallrule/test" \
    -H "Authorization: Bearer {{apiToken}}" \
    -H "Content-Type: application/json" \
    -d "{
          \"rules\": [
            \"ALLOW( IPBLOCKS(192.168.1.0/24) )\",
            \"DENY( URLS(.*) )\"
          ],
          \"match\": {
            \"method\": \"GET\",
            \"url\": \"https://test.org/cc/ui/\",
            \"ip\": \"192.168.1.100\"
          }
        }"
Be Very Careful with DENY Rules

Configuring an incorrect DENY rule may block access for legitimate users. Always test your rules thoroughly before deploying them to production.

Best Practices

  • Start with COUNT rules to monitor traffic before implementing DENY rules
  • Test rules in a non-production environment first
  • Keep rules as simple as possible to avoid unintended consequences
  • Document your rules for future reference
  • Regularly review and update rules based on changing security requirements
Rule Order Matters

Rules are evaluated in order, and the first matching rule determines the action. Place more specific rules before general ones.