IP Allowlist for Services

Overview

Access to MariaDB SkySQL services is restricted on a per-service basis:

  • SkySQL services are firewall-protected

  • IPv4 addresses and IPv4 netblocks can be added to the service IP allowlist to enable service access

  • Access from other addresses will be blocked

A separate monitoring/analysis IP allowlist controls access to SkySQL Monitoring and Workload Analysis.

Compatibility

  • Distributed Transactions

  • Multi-Node Analytics

  • Replicated Transactions

  • Single Node Analytics

  • Single Node Transactions

Default

By default, the IP allowlist for services is empty.

Allowlist Maintenance

It is best practice to periodically review the allowlist, and to remove any addresses or netblocks that are confirmed as not in use and no longer valid.

Error for Blocked Connections

Attempts to connect to a SkySQL service from a blocked address result in an error:

$ mariadb --host example.skysql.net --port 5001 \
      --user db_user -p --ssl-ca skysql_chain.pem
ERROR 2002 (HY000): Can't connect to MySQL server on 'example.skysql.net' (115)

Supported Addresses

  • Addresses must be valid IPv4 addresses.

  • When adding an IPv4 CIDR block, the start IP address of the CIDR block must be specified.
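A pre-submission check for the two rules above, as an added example (not MariaDB's code) built on Python's standard ipaddress module. The function names and sample entries are constructed for illustration, and the report of entries already covered by a broader block goes beyond the page's rules to support the periodic review recommended under Allowlist Maintenance.

```python
import ipaddress

# Constructed sample entries (documentation address ranges), not from a real service.
SAMPLE = ["192.0.2.1", "198.51.100.0/24", "198.51.100.17/24",
          "198.51.100.40/32", "2001:db8::1", "example.skysql.net"]

def check_entry(entry):
    """Return (ok, normalized CIDR or reason) for one candidate allowlist entry."""
    text = entry.strip()
    try:
        # strict=False so a block with host bits set can be reported with its fix.
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False, "not a valid IP address or CIDR block"
    if net.version != 4:
        return False, "only IPv4 is supported"
    if "/" in text:
        given = ipaddress.ip_address(text.split("/", 1)[0])
        if given != net.network_address:
            return False, f"CIDR must use the block's start address: {net}"
    return True, str(net)

def review(entries):
    """Return (accepted, rejected, redundant) for a list of candidate entries."""
    accepted, rejected = [], {}
    for entry in entries:
        ok, detail = check_entry(entry)
        if not ok:
            rejected[entry] = detail
            continue
        net = ipaddress.ip_network(detail)
        if net not in accepted:  # drop exact duplicates
            accepted.append(net)
    # An entry that sits inside a broader accepted block grants nothing extra.
    redundant = [str(n) for n in accepted
                 if any(n != o and n.subnet_of(o) for o in accepted)]
    return [str(n) for n in accepted], rejected, redundant

if __name__ == "__main__":
    accepted, rejected, redundant = review(SAMPLE)
    print("accepted: ", accepted)
    print("redundant:", redundant)
    for entry, reason in rejected.items():
        print(f"rejected:  {entry!r}: {reason}")
```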

Adding an IP Address

The service allowlist can be updated any time after the service has been launched, even while in "Pending" status.

To add to the service IP allowlist:

  1. Log in to MariaDB SkySQL. You will be on the "Your services" page.

  2. Identify the service to manage.

  3. Click on the "Service settings" gear icon (at right) for that service.

  4. Click on the "Security access" menu item.

  5. Add the desired IPv4 address or IPv4 netblock:

    • Enter the IPv4 address or netblock. For example, 192.0.2.1/32 or 198.51.100.0/24

    • Click on the "Add" button.

    • Repeat as needed.

  6. Alternatively, you can add your own IP address using the "Add my current ip address" link.

  7. Click on the "Done" button.

The interface will reflect the new allowlist settings immediately, but changes may take a few minutes to propagate to your server.

Deleting an IP Address from a Service's Allowlist

The service allowlist can be updated any time after the service has been launched, even while in "Pending" status.

To delete an address from the service IP allowlist:

  1. Log in to MariaDB SkySQL. You will be on the "Your services" page.

  2. Identify the service to manage.

  3. Click on the "Service settings" gear icon (at right) for that service.

  4. Click on the "Security access" menu item.

  5. Click on the "X" icon ("Remove Row") next to the entry to remove.

    • Repeat as needed.

  6. Click on the "Done" button.

The interface will reflect the new allowlist settings immediately, but changes may take a few minutes to propagate to your server.

Modifying an IP Address in a Service's Allowlist

The service allowlist can be updated any time after the service has been launched, even while in "Pending" status.

To modify an address on the service IP allowlist:

  1. Log in to MariaDB SkySQL. You will be on the "Your services" page.

  2. Identify the service to manage.

  3. Click on the "Service settings" gear icon (at right) for that service.

  4. Click on the "Security access" menu item.

  5. Click on the pencil icon ("Edit Row") next to the entry to modify.

    • Edit the entry as needed.

    • Click on the check mark icon ("Update Row").

    • Repeat as needed.

  6. Click on the "Done" button.

The interface will reflect the new allowlist settings immediately, but changes may take a few minutes to propagate to your server.