Configure Source IP Ranges for Your VMware Cloud Director Instance

You can restrict access to a VMware Cloud Director instance by configuring a list of source IP addresses and CIDR blocks that are allowed to access it.

When you configure a list of allowed IP addresses for a VMware Cloud Director instance, only those addresses can access the instance. Access from all other IP addresses is denied. An attempt to access the instance from an IP address that is not in the list results in a 403 Forbidden error.

Prerequisites

  • Verify that you are assigned the Provider Administrator role.
  • Obtain an API token from the organization you want to manage and exchange it for an access bearer token. Use the bearer token in the Authorization header when you run API calls. See How Do I Generate an API Token.

Procedure

  1. To view the source IP addresses that are already configured and have inbound access to the VMware Cloud Director instances in your environment, run a GET request.
    GET https://operatorUrl/environment/environmentUrn/instances?include=allowedSourceIps
    The response returns information about the VMware Cloud Director instances in your environment, including a list of the source IP addresses that have access to each instance.
  2. To configure IP addresses with access to the VMware Cloud Director instance, prepare a JSON template with the IP addresses or CIDR blocks.
    {
      "allowedSourceAddresses": "IP-address",
      "deniedSourceAddresses": ""
    }
    Note: Leave the value for the deniedSourceAddresses attribute empty.
  3. Run a POST request with the contents of the JSON template in the body of the request.
    POST https://operatorUrl/environment/environmentUrn/instances/instanceUrn/operations/configureSourceRanges

    Here operatorUrl is the operator URL, for example vcdc-operator-prod-us-west-2.vdp.vmware.com.
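
A pre-flight check for step 2 of the procedure above, as an added example that is not part of the original VMware page: it validates candidate allow-list entries, flags very broad blocks, and confirms that the address you administer from stays covered, since every address outside the list receives 403 Forbidden. The function names, the /16 review threshold and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import json

# Hypothetical policy threshold: flag IPv4 blocks wider than /16 for review.
MIN_PREFIX_V4 = 16

def parse_entry(entry):
    """Return an ip_network for a single IP or CIDR block, or raise ValueError."""
    host = entry.split("/", 1)[0]
    # Reject leading-zero octets explicitly: parsers disagree on whether
    # "03" is decimal 3 or octal, so such an entry is ambiguous.
    if "." in host and any(len(o) > 1 and o.startswith("0") for o in host.split(".")):
        raise ValueError(f"ambiguous leading zero in {entry!r}")
    # strict=True rejects CIDR blocks with host bits set, e.g. 10.1.2.3/24.
    return ipaddress.ip_network(entry, strict=True)

def preflight(entries, client_ip):
    """Check candidate allow-list entries before sending them to the API."""
    report = {"valid": [], "invalid": [], "too_broad": [], "client_covered": False}
    client = ipaddress.ip_address(client_ip)
    for entry in entries:
        try:
            net = parse_entry(entry.strip())
        except ValueError as exc:
            report["invalid"].append((entry, str(exc)))
            continue
        if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            report["too_broad"].append(str(net))
        if client.version == net.version and client in net:
            report["client_covered"] = True
        report["valid"].append(str(net))
    return report

def request_body(entry):
    """Build the JSON body in the shape shown on this page for one validated entry."""
    net = parse_entry(entry)
    value = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    return json.dumps({"allowedSourceAddresses": value, "deniedSourceAddresses": ""})

if __name__ == "__main__":
    # Constructed sample input (mostly RFC 5737 documentation ranges).
    candidates = ["203.0.113.10", "198.51.100.0/24", "41.9.03.192", "0.0.0.0/0"]
    print(preflight(candidates, client_ip="192.0.2.55"))
    print(request_body("203.0.113.10"))
```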

Example: Configure an IP address to access your VMware Cloud Director instance

This example configures one IP address with access to a VMware Cloud Director instance.

POST https://vcdc-operator-prod-us-west-2.vdp.vmware.com/environments/urn:vcdc:environment:00000000-0000-0000-0000-00000000000/instances/urn:vcdc:vcdInstance:22222222-2222-2222-2222-222222222222/operations/configureSourceRanges
Use the bearer token in the Authorization header of the request.
Authorization: Bearer eyJh…I1NiIs
Enter the required information in the POST request. Leave the value for the deniedSourceAddresses attribute empty.
{
  "allowedSourceAddresses": "41.9.03.192",
  "deniedSourceAddresses": ""
}
The response returns the following details about the instance and the access to it.
{
  "id": "urn:vcdc:task:22222222-2222-2222-2222-22222222222",
  "name": "Configure source IP ranges",
  "entityId": "urn:vcdc:vcdInstance:33333333-3333-3333-3333-33333333333",
  "entityName": "VMware-Cloud-Director-test",
  "ownerId": "urn:vcdc:organization:12345678-1234-1234-1234-123456789abc",
  "userId": "[email protected]",
  "cspUserId": "vmware.com:87654321-4321-1234-4321-987654321abc",
  "steps": null,
  "status": "IN_PROGRESS",
  "startTime": null,
  "endTime": null,
  "queuedTime": "2023-04-04T05:32:42.050046427Z",
  "message": "Configure source IP ranges.",
  "isolation": "ENTITY_EXCLUSIVE",
  "output": null,
  "activity": "activity://com.vmware.vcdc.coordinator.domain.activity.ManageCdiIngressAnnotationsActivity/87654321-4321-1234-4321-987654321abc/CONFIGURE_SOURCE_RANGES/12345678912345"
}