Access Rules
IP-based access control for deployment endpoints across all cloud providers
Access rules control which IP addresses and CIDR ranges can reach your deployment endpoints. Every deployment starts fully isolated by default — no traffic is allowed until you explicitly create an access rule. This includes LaserData itself — our control plane orchestrates infrastructure but has no network access to your deployment endpoints or data.
You are in full control of who can reach your deployment. Nothing is open until you say so.
Available on all deployment models (Managed, BYOC, On-Premise) and all plans.
Why Access Rules
When you provision a deployment, it has zero network access configured — no IP, no port, no protocol is reachable by anyone. Clients cannot connect to any endpoint until you explicitly allow traffic. Access rules let you:
- Restrict access to known office or VPN IP ranges
- Open specific protocols (e.g. TCP for applications, HTTP for monitoring) independently
- Grant temporary access with automatic expiry — useful for contractors or debugging sessions
- Keep the Console UI accessible only from trusted networks
Concepts
Protocol Rules
Each access rule specifies which protocols to open for the allowed CIDR blocks. You can enable any combination:
| Protocol | What It Opens |
|---|---|
| Iggy HTTP | Iggy HTTP API endpoint |
| Iggy TCP | Iggy TCP transport |
| Iggy WebSocket | Iggy WebSocket transport |
| Iggy UDP | Iggy QUIC/UDP transport |
| Console HTTP | Console web UI (ports 80 and 443) |
There is no "allow all" default — you must explicitly select which protocols to permit. If no protocols are enabled, no ports are opened even if CIDR blocks are defined.
CIDR Blocks
Each rule requires at least one IPv4 CIDR block:
- Single host: 203.0.113.5/32
- Subnet: 10.0.0.0/16
- All IPs: 0.0.0.0/0 (opens the selected protocols to the entire internet)
- Subnet mask must be between /0 and /32
Rule Expiry
You can set an optional expiration date on any rule. Once expired, the rule is no longer enforced and traffic from those CIDRs is blocked again. This is useful for temporary access — for example, granting a partner access for 30 days without needing to remember to clean it up.
Creating an Access Rule
From the Console
- Navigate to your deployment and open the Access Rules tab
- Click Add Rule
- Enter a name for the rule (must be unique within the deployment)
- Add one or more CIDR blocks — your IP ranges
- Select the protocols you want to allow (Iggy TCP, HTTP, WebSocket, UDP, Console HTTP)
- Optionally set an expiration date
- Add optional remarks for context
- Click Create
LaserData automatically configures the underlying cloud infrastructure (security groups on AWS, firewall rules on other providers) to permit the specified traffic.
Validation
When creating a rule, the platform validates:
- Name must be unique within the deployment (case-insensitive)
- CIDR blocks must be valid IPv4 CIDR notation with at least one entry
- Expiry, if set, must be a future timestamp
- The deployment must not have reached its plan's access rule limit
Managing Access Rules
From the Access Rules tab you can view all active rules with their CIDR blocks, enabled protocols, expiry status, and creation timestamps. Rules can be deleted individually — this removes both the rule and the corresponding cloud infrastructure configuration.
Plan Limits
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| Access rules per deployment | 3 | 10 | 20 |
Audit
All access rule operations are recorded in the audit log:
- Rule created — who created it, which CIDRs and protocols
- Rule updated — what changed, previous values preserved
- Rule deleted — who removed it and when
API Reference
For programmatic access via API keys, the following endpoints are available.
Required permission: DeploymentAccessRulesManage (create, delete) or DeploymentAccessRulesRead (list)
Create a Rule
```bash
curl -X POST {supervisor_url}/deployments/{deployment_id}/access_rules \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-api-access",
    "ingress": true,
    "cidr_blocks": ["10.0.0.0/16", "172.16.0.0/12"],
    "rules": {
      "iggy_tcp": true,
      "iggy_http": true
    },
    "valid_to": "2026-12-31T23:59:59Z",
    "remarks": "Production API servers"
  }'
```
List Rules
```bash
curl {supervisor_url}/deployments/{deployment_id}/access_rules \
  -H "ld-api-key: YOUR_API_KEY"
```

```json
[
  {
    "id": 1,
    "ingress": true,
    "name": "production-api-access",
    "remarks": "Production API servers",
    "rules": {
      "iggy_http": true,
      "iggy_tcp": true,
      "iggy_websocket": false,
      "iggy_udp": false,
      "console_http": false,
      "all_traffic": false
    },
    "cidr_blocks": ["10.0.0.0/16", "172.16.0.0/12"],
    "valid_to": "2026-12-31T23:59:59Z",
    "created_at": "2025-01-15T10:30:00Z"
  }
]
```
Delete a Rule
```bash
curl -X DELETE {supervisor_url}/deployments/{deployment_id}/access_rules/{rule_id} \
  -H "ld-api-key: YOUR_API_KEY"
```
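A review pass over a parsed List Rules response, as an added example that is not LaserData's own code: it flags rules open to 0.0.0.0/0, rules with no expiry, expired rules still listed, rules that open no ports, and malformed CIDRs. It assumes an unset valid_to is null or absent, that expired rules can still appear in the list, and that all_traffic (present in the response but not described on this page) opens ports; SAMPLE is constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Flags as named in the List Rules response. all_traffic is not described on the
# page; treating it as a flag that opens ports is an assumption.
PROTOCOLS = ("iggy_http", "iggy_tcp", "iggy_websocket", "iggy_udp",
             "console_http", "all_traffic")

def audit_rules(rules, now=None):
    """Return (rule_name, code, detail) findings for a parsed List Rules response."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        flags = rule.get("rules") or {}
        opened = [p for p in PROTOCOLS if flags.get(p)]
        valid_to = rule.get("valid_to")
        if valid_to:
            expiry = datetime.fromisoformat(valid_to.replace("Z", "+00:00"))
            if expiry <= now:
                # Expired rules are no longer enforced; they are only clutter.
                findings.append((name, "EXPIRED", f"expired {valid_to}; delete it"))
                continue
        else:
            findings.append((name, "NO_EXPIRY", "rule never expires"))
        if not opened:
            findings.append((name, "NO_PROTOCOL", "CIDRs defined but no ports opened"))
        for cidr in rule.get("cidr_blocks") or []:
            try:
                net = ipaddress.IPv4Network(cidr, strict=False)
            except ValueError:
                findings.append((name, "BAD_CIDR", f"{cidr} is not IPv4 CIDR notation"))
                continue
            if net.prefixlen == 0 and opened:
                detail = f"{cidr} exposes {', '.join(opened)} to the entire internet"
                findings.append((name, "WORLD_OPEN", detail))
    return findings

# Constructed sample in the shape of the List Rules response (not real data).
SAMPLE = [
    {"name": "production-api-access", "rules": {"iggy_tcp": True, "iggy_http": True},
     "cidr_blocks": ["10.0.0.0/16", "172.16.0.0/12"], "valid_to": "2026-12-31T23:59:59Z"},
    {"name": "debug-session", "rules": {"console_http": True},
     "cidr_blocks": ["0.0.0.0/0"], "valid_to": None},
    {"name": "contractor", "rules": {"iggy_tcp": True},
     "cidr_blocks": ["203.0.113.5/32"], "valid_to": "2025-02-01T00:00:00Z"},
    {"name": "placeholder", "rules": {},
     "cidr_blocks": ["198.51.100.0/24"], "valid_to": "2026-12-31T23:59:59Z"},
]

if __name__ == "__main__":
    for name, code, detail in audit_rules(SAMPLE):
        print(f"{code:<12} {name}: {detail}")
```

Feed it the JSON array returned by the List Rules call (for example via `json.load`) in place of SAMPLE.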