Private Preview: Network policies

important

Note: Because this feature is in Private Preview, you'll need to ping our team on Slack to get early access. 🖖

By default, Materialize is available over the public internet to any authenticated user. As an admin, you can configure granular access control to the resources in your Materialize region using role-based access control (RBAC) — but what about controlling access one level up, in the network layer?

To allow you to more easily comply with internal network security protocols, you can now configure network policies to restrict access to your Materialize region using IP-based rules. And, just like everything else in Materialize, you can do it in SQL!

-- Create a network policy that restricts access to Materialize from the range 
-- of IP addresses used in your company's offices. The network policy will 
-- apply globally to all users. 
CREATE NETWORK POLICY office_access_policy ( 
 RULES ( 
   new_york (action='allow', direction='ingress',address='1.2.3.4/28'), 
   minnesota (action='allow',direction='ingress',address='2.3.4.5/32') 
 ) 
); 

 
-- Document the scope of the network policy, because you're a good sport. 
COMMENT ON NETWORK POLICY office_access_policy IS 'Network policy for office locations 🔒'; 

 
-- List all network policies in the system. 
SHOW NETWORK POLICIES; 

 
| name                 | rules              | comment                                | 
| -------------------- | ------------------ | -------------------------------------- | 
| default              | open_ingress       |                                        | 
| office_access_policy | minnesota,new_york | Network policy for office locations 🔒 | 
 sql

If you're using Terraform to manage access control, you can configure network policies in an automated, source-controlled way using the Materialize Terraform provider (v0.8.11+). Here's how the example above would look like in Terraform:

resource "materialize_network_policy" "office_policy" { 
 name = "office_access_policy" 

 
 rule { 
   name      = "minnesota" 
   action    = "allow" 
   direction = "ingress" 
   address   = "2.3.4.5/32" 
 } 

 
 rule { 
   name      = "new_york" 
   action    = "allow" 
   direction = "ingress" 
   address   = "1.2.3.4/28" 
 } 

 
 comment = "Network policy for office locations 🔒" 
} 
 hcl

This is another step towards improving access control in Materialize! 🔒 In the future, we'll support role- and object-level network policies, as well as egress network policies. If you have feedback, or just opinions about access control, ping our team on Slack!

`1`	`-- Create a network policy that restricts access to Materialize from the range`
`2`	`-- of IP addresses used in your company's offices. The network policy will`
`3`	`-- apply globally to all users.`
`4`	`CREATE NETWORK POLICY office_access_policy (`
`5`	`RULES (`
`6`	`new_york (action='allow', direction='ingress',address='1.2.3.4/28'),`
`7`	`minnesota (action='allow',direction='ingress',address='2.3.4.5/32')`
`8`	`)`
`9`	`);`
`10`
`11`	`-- Document the scope of the network policy, because you're a good sport.`
`12`	`COMMENT ON NETWORK POLICY office_access_policy IS 'Network policy for office locations 🔒';`
`13`
`14`	`-- List all network policies in the system.`
`15`	`SHOW NETWORK POLICIES;`
`16`
`17`	`\| name \| rules \| comment \|`
`18`	`\| -------------------- \| ------------------ \| -------------------------------------- \|`
`19`	`\| default \| open_ingress \| \|`
`20`	`\| office_access_policy \| minnesota,new_york \| Network policy for office locations 🔒 \|`

`1`	`resource "materialize_network_policy" "office_policy" {`
`2`	`name = "office_access_policy"`
`3`
`4`	`rule {`
`5`	`name = "minnesota"`
`6`	`action = "allow"`
`7`	`direction = "ingress"`
`8`	`address = "2.3.4.5/32"`
`9`	`}`
`10`
`11`	`rule {`
`12`	`name = "new_york"`
`13`	`action = "allow"`
`14`	`direction = "ingress"`
`15`	`address = "1.2.3.4/28"`
`16`	`}`
`17`
`18`	`comment = "Network policy for office locations 🔒"`
`19`	`}`