Manage network policies

💡 Tip: We recommend using Terraform to configure and manage network policies.

By default, Materialize is available on the public internet without any network-layer access control. As an administrator of a Materialize organization, you can configure network policies to restrict access to a Materialize region using IP-based rules.

Create a network policy

NOTE: Network policies are applied globally (i.e., at the region level) and rules can only be configured for ingress traffic. In the future, we plan to support role- and object-level network policies, as well as egress network policies.

To create a new network policy, use the CREATE NETWORK POLICY statement to provide a list of rules for allowed ingress traffic.

CREATE NETWORK POLICY office_access_policy (
  RULES (
    new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
    minnesota (action='allow', direction='ingress', address='2.3.4.5/32')
  )
);

Alter a network policy

To alter an existing network policy, use the ALTER NETWORK POLICY statement. Changes to a network policy will only affect new connections and will not terminate active connections.

ALTER NETWORK POLICY office_access_policy SET (
  RULES (
    new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
    minnesota (action='allow', direction='ingress', address='2.3.4.5/32'),
    boston (action='allow', direction='ingress', address='4.5.6.7/32')
  )
);

Lockout prevention

To prevent lockout, the IP address of the active user is validated against the requested policy changes. This prevents users from modifying network policies in a way that could lock them out of the system.
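
A client-side pre-flight check in the spirit of the lockout validation described above, as an added example (not Materialize's own code): it parses the rule list of a proposed statement and reports whether a given client IP address would still be allowed. The `preflight` helper, the sample client addresses, and the treatment of a CIDR with host bits set are assumptions of this example.

```python
import ipaddress
import re

# One rule in the RULES (...) syntax used on this page.
RULE_RE = re.compile(
    r"(\w+)\s*\(\s*action\s*=\s*'(\w+)'\s*,\s*direction\s*=\s*'(\w+)'\s*,"
    r"\s*address\s*=\s*'([^']+)'\s*\)"
)

# The ALTER statement from this page, used as sample input.
PROPOSED = """
ALTER NETWORK POLICY office_access_policy SET (
  RULES (
    new_york (action='allow', direction='ingress',address='1.2.3.4/28'),
    minnesota (action='allow',direction='ingress',address='2.3.4.5/32'),
    boston (action='allow',direction='ingress',address='4.5.6.7/32')
  )
);
"""

def preflight(statement, client_ip):
    """Check a proposed rule list against the address you connect from."""
    ip = ipaddress.ip_address(client_ip)
    matched, warnings = [], []
    for name, action, direction, address in RULE_RE.findall(statement):
        # Assumption: a CIDR with host bits set is read as its enclosing
        # network; it is also flagged so the author can confirm the intent.
        net = ipaddress.ip_network(address, strict=False)
        if ipaddress.ip_interface(address).ip != net.network_address:
            warnings.append(f"{name}: {address} has host bits set, covers {net}")
        if action == "allow" and direction == "ingress" and ip in net:
            matched.append(name)
    return {"allowed": bool(matched), "matched": matched, "warnings": warnings}

if __name__ == "__main__":
    # Constructed client addresses: two covered by the policy, one not.
    for candidate in ("4.5.6.7", "1.2.3.10", "9.9.9.9"):
        print(candidate, preflight(PROPOSED, candidate))
```

Running this before `ALTER NETWORK POLICY` shows which rule keeps your own session admissible and surfaces ambiguous CIDRs for review.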

Drop a network policy

To drop an existing network policy, use the DROP NETWORK POLICY statement.

DROP NETWORK POLICY office_access_policy;

To drop the pre-installed default network policy (or the network policy subsequently set as default), you must first set a new system default using the ALTER SYSTEM SET network_policy statement.
