Table: ibm_is_network_acl - Query IBM Cloud Network ACLs using SQL
A Network ACL in IBM Cloud is a set of rules that control the inbound and outbound traffic for your virtual server instances and subnets. These rules act as a firewall at the subnet level, providing a security layer for your resources in the VPC. Network ACLs are stateless, meaning they evaluate each packet in isolation, without considering any related packets or the connection state.
Table Usage Guide
The ibm_is_network_acl table provides insights into Network ACLs within IBM Cloud. As a network administrator or security analyst, explore ACL-specific details through this table, including rule actions, directions, and associated metadata. Utilize it to uncover information about ACLs, such as those with specific access rules, the direction of the rules (inbound or outbound), and the verification of rule priorities.
Examples
Basic info
Explore which network access control lists (ACLs) are associated with your IBM Cloud resources. This can help you manage access permissions, ensuring secure and efficient operations across your network.
-- PostgreSQL
select name, crn, vpc ->> 'name' as vpc_name, region, account_id from ibm_is_network_acl;
-- SQLite
select name, crn, json_extract(vpc, '$.name') as vpc_name, region, account_id from ibm_is_network_acl;
List the default NACL associated with the VPCs
Identify the default Network Access Control List (NACL) for each Virtual Private Cloud (VPC). This query helps you understand the security and networking configuration of your cloud environment.
-- PostgreSQL
select acl.name, acl.crn, vpc.name as vpc_name, acl.region, acl.account_id from ibm_is_network_acl as acl, ibm_is_vpc as vpc where acl.id = vpc.default_network_acl ->> 'id';
-- SQLite
select acl.name, acl.crn, vpc.name as vpc_name, acl.region, acl.account_id from ibm_is_network_acl as acl, ibm_is_vpc as vpc where acl.id = json_extract(vpc.default_network_acl, '$.id');
Subnet associated with each network ACL
Explore which subnets are associated with each network ACL. This can help in network management by providing insights into the configuration and relationship between subnets and network ACLs.
-- PostgreSQL
select name, crn, vpc ->> 'name' as vpc_name, subnet ->> 'id' as subnet_id, subnet ->> 'name' as subnet_name, region, account_id from ibm_is_network_acl, jsonb_array_elements(subnets) as subnet;
-- SQLite
select name, crn, json_extract(vpc, '$.name') as vpc_name, json_extract(subnet.value, '$.id') as subnet_id, json_extract(subnet.value, '$.name') as subnet_name, region, account_id from ibm_is_network_acl, json_each(subnets) as subnet;
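Inbound allow rules open to any source
The usage guide above mentions rule actions and directions; the following query is an added example, not one of the page's own, that unpacks the rules column and lists inbound allow rules whose source is 0.0.0.0/0. The JSON keys action, direction, source, protocol and name are assumptions taken from the IBM Cloud VPC API rule schema and are not shown on this page; rule_order is the rule's position in the ordered list, so you can check which rules precede it.

```sql
-- Added example (PostgreSQL syntax), not part of the original page.
-- Assumed rule keys: action, direction, source, protocol, name.
select
  acl.name as acl_name,
  acl.crn,
  acl.vpc ->> 'name' as vpc_name,
  acl.region,
  r.rule_order,
  r.rule ->> 'name' as rule_name,
  r.rule ->> 'protocol' as protocol,
  r.rule ->> 'source' as source
from
  ibm_is_network_acl as acl,
  -- Guard against a missing or non-array rules value before unnesting.
  jsonb_array_elements(
    case
      when jsonb_typeof(acl.rules) = 'array' then acl.rules
      else '[]'::jsonb
    end
  ) with ordinality as r(rule, rule_order)
where
  r.rule ->> 'direction' = 'inbound'
  and r.rule ->> 'action' = 'allow'
  and r.rule ->> 'source' = '0.0.0.0/0'
order by
  acl.name,
  r.rule_order;
```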
Schema for ibm_is_network_acl
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
account_id | text | | The account ID of this subnet. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
created_at | timestamp with time zone | | The date and time that the network ACL was created. |
crn | text | | The CRN for this network ACL. |
href | text | | The URL for this network ACL. |
id | text | = | The unique identifier for this network ACL. |
name | text | | The user-defined name for this network ACL. |
region | text | | The region of this subnet. |
resource_group | jsonb | | The resource group for this network ACL. |
rules | jsonb | | The ordered rules for this network ACL. If no rules exist, all traffic will be denied. |
subnets | jsonb | | The subnets to which this network ACL is attached. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
vpc | jsonb | | The VPC this network ACL is a part of. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibm
You can pass the configuration to the command with the --config argument:
steampipe_export_ibm --config '<your_config>' ibm_is_network_acl