Manage network policies
To enable this feature in your Materialize region, contact our team.
By default, Materialize is available on the public internet without any network-layer access control. As an administrator of a Materialize organization, you can configure network policies to restrict access to a Materialize region using IP-based rules.
Create a network policy
To create a new network policy, use the CREATE NETWORK POLICY statement to provide a list of rules for allowed ingress traffic.
CREATE NETWORK POLICY office_access_policy (
    RULES (
        new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
        minnesota (action='allow', direction='ingress', address='2.3.4.5/32')
    )
);
Alter a network policy
To alter an existing network policy, use the ALTER NETWORK POLICY statement. Changes to a network policy will only affect new connections and will not terminate active connections.
ALTER NETWORK POLICY office_access_policy SET (
    RULES (
        new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
        minnesota (action='allow', direction='ingress', address='2.3.4.5/32'),
        boston (action='allow', direction='ingress', address='4.5.6.7/32')
    )
);
Lockout prevention
To prevent lockout, the IP address of the active user is validated against the requested policy changes. This prevents users from modifying network policies in a way that could lock them out of the system.
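A client-side pre-flight check in the same spirit, as an added example that is not Materialize's own validation code: it tests an administrator's source IP against the rule set from the ALTER statement above and reports rules written with host bits set. The function names are hypothetical, and it assumes standard CIDR semantics in which host bits are masked off (so '1.2.3.4/28' covers 1.2.3.0 through 1.2.3.15).

```python
import ipaddress

# Rules copied from the ALTER NETWORK POLICY statement on this page (name -> address).
PROPOSED_RULES = {
    "new_york": "1.2.3.4/28",
    "minnesota": "2.3.4.5/32",
    "boston": "4.5.6.7/32",
}


def effective_networks(rules):
    """Map rule name -> network object, masking host bits (assumed CIDR semantics)."""
    return {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in rules.items()}


def matching_rules(client_ip, rules):
    """Return the names of the allow rules whose range contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [name for name, net in effective_networks(rules).items()
            if ip.version == net.version and ip in net]


def host_bits_set(rules):
    """Return rules given as a host address plus prefix, with the range they cover."""
    nets = effective_networks(rules)
    return {name: str(nets[name]) for name, cidr in rules.items()
            if str(nets[name]) != cidr}


def would_lock_out(client_ip, rules):
    """True if no allow rule covers client_ip, i.e. a new connection would be refused."""
    return not matching_rules(client_ip, rules)


if __name__ == "__main__":
    admin_ip = "1.2.3.9"  # constructed sample: the address the admin connects from
    print("matching rules:", matching_rules(admin_ip, PROPOSED_RULES))
    print("would lock out:", would_lock_out(admin_ip, PROPOSED_RULES))
    print("rules with host bits set:", host_bits_set(PROPOSED_RULES))
```

Running the check for every address administrators connect from (office egress, VPN, bastion) before applying a change shows which of them would lose access on their next connection.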
Drop a network policy
To drop an existing network policy, use the DROP NETWORK POLICY statement.
DROP NETWORK POLICY office_access_policy;
To drop the pre-installed default network policy (or the network policy subsequently set as default), you must first set a new system default using the ALTER SYSTEM SET network_policy statement.