steampipe plugin install ibm

Table: ibm_is_network_acl - Query IBM Cloud Network ACLs using SQL

A Network ACL in IBM Cloud is a set of rules that control the inbound and outbound traffic for your virtual server instances and subnets. These rules act as a firewall at the subnet level, providing a security layer for your resources in the VPC. Network ACLs are stateless, meaning they evaluate each packet in isolation, without considering any related packets or the connection state.

Table Usage Guide

The ibm_is_network_acl table provides insights into Network ACLs within IBM Cloud. As a network administrator or security analyst, explore ACL-specific details through this table, including rule actions, directions, and associated metadata. Utilize it to uncover information about ACLs, such as those with specific access rules, the direction of the rules (inbound or outbound), and the verification of rule priorities.

Examples

Basic info

Explore which network access control lists (ACLs) are associated with your IBM Cloud resources. This can help you manage access permissions, ensuring secure and efficient operations across your network.

select
name,
crn,
vpc ->> 'name' as vpc_name,
region,
account_id
from
ibm_is_network_acl;
select
name,
crn,
json_extract(vpc, '$.name') as vpc_name,
region,
account_id
from
ibm_is_network_acl;

List the default NACL associated with the VPCs

Determine the areas in which the default Network Access Control List (NACL) is associated with Virtual Private Clouds (VPCs). This query is beneficial to understand the security and networking configuration within your cloud environment.

select
acl.name,
acl.crn,
vpc.name as vpc_name,
acl.region,
acl.account_id
from
ibm_is_network_acl as acl,
ibm_is_vpc as vpc
where
acl.id = vpc.default_network_acl ->> 'id';
select
acl.name,
acl.crn,
vpc.name as vpc_name,
acl.region,
acl.account_id
from
ibm_is_network_acl as acl,
ibm_is_vpc as vpc
where
acl.id = json_extract(vpc.default_network_acl, '$.id');

Subnet associated with each network ACL

Explore which subnets are associated with each network ACL. This can help in network management by providing insights into the configuration and relationship between subnets and network ACLs.

select
name,
crn,
vpc ->> 'name' as vpc_name,
subnet ->> 'id' as subnet_id,
subnet ->> 'name' as subnet_name,
region,
account_id
from
ibm_is_network_acl,
jsonb_array_elements(subnets) as subnet;
select
name,
crn,
json_extract(vpc, '$.name') as vpc_name,
json_extract(subnet.value, '$.id') as subnet_id,
json_extract(subnet.value, '$.name') as subnet_name,
region,
account_id
from
ibm_is_network_acl,
json_each(subnets) as subnet;

Schema for ibm_is_network_acl

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The ID fof the account.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
created_attimestamp with time zoneThe date and time that the network ACL was created.
crntextThe CRN for this network ACL.
hreftextThe URL for this network ACL.
idtext=The unique identifier for this network ACL
nametextThe user-defined name for this network ACL.
regiontextThe region of this subnet.
resource_groupjsonbThe resource group for this network ACL.
rulesjsonbThe ordered rules for this network ACL. If no rules exist, all traffic will be denied.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
subnetsjsonbThe subnets to which this network ACL is attached.
tagsjsonbA map of tags for the resource.
titletextTitle of the resource.
vpcjsonbhe VPC this network ACL is a part of.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibm

You can pass the configuration to the command with the --config argument:

steampipe_export_ibm --config '<your_config>' ibm_is_network_acl