title: "CREATE NETWORK POLICY"
description: "CREATE NETWORK POLICY creates a network policy that restricts access to a Materialize region using IP-based rules."
menu:
  main:
    parent: commands

`CREATE NETWORK POLICY` creates a network policy that restricts access to a
Materialize region using IP-based rules. Network policies are part of
Materialize's framework for access control.

{{< diagram "create-network-policy.svg" >}}
network_policy_rule
{{< diagram "network-policy-rule.svg" >}}

Field | Value | Description
---|---|---
name | text | A name for the network policy.
RULES | text[] | A comma-separated list of network policy rules.

Field | Value | Description
---|---|---
name | text | A name for the network policy rule.
ACTION | text | The action to take for this rule. `ALLOW` is the only valid option.
DIRECTION | text | The direction of traffic the rule applies to. `INGRESS` is the only valid option.
ADDRESS | text | The Classless Inter-Domain Routing (CIDR) block the rule will be applied to.

When you enable a Materialize region, a default network policy named `default`
is pre-installed. This policy has a wide-open ingress rule that allows
`0.0.0.0/0`. You can modify or drop this network policy at any time.

{{< note >}}
The default value for the `network_policy` session parameter is `default`.
Before dropping the `default` network policy, a superuser (i.e. **Organization
Admin**) must run `ALTER SYSTEM SET network_policy` to change the default value.
{{< /note >}}
The privileges required to execute this statement are:
{{< include-md file="shared-content/sql-command-privileges/create-network-policy.md" >}}

```sql
CREATE NETWORK POLICY office_access_policy (
  RULES (
    new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
    minnesota (action='allow', direction='ingress', address='2.3.4.5/32')
  )
);

ALTER SYSTEM SET network_policy = office_access_policy;
```
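
Before running the `ALTER SYSTEM SET` statement above, it is worth checking that the new rule set still covers the addresses administrators connect from, and that no rule is broader than intended. The following Python pre-flight check is an added example, not part of Materialize's documentation or tooling; it assumes a connection is admitted when its source address falls inside any rule's `ADDRESS` block, and the function names, the `open` rule name, the `min_prefix` threshold and the admin addresses are constructed for illustration.

```python
import ipaddress

# Rules copied from the page's office_access_policy example, plus the
# pre-installed default policy's rule (the rule name "open" is made up here).
OFFICE_ACCESS_POLICY = {"new_york": "1.2.3.4/28", "minnesota": "2.3.4.5/32"}
DEFAULT_POLICY = {"open": "0.0.0.0/0"}


def audit_policy(rules, min_prefix=16):
    """Return (rule, finding) pairs for rules a reviewer should look at."""
    findings = []
    for name, address in rules.items():
        net = ipaddress.ip_network(address, strict=False)
        if net.prefixlen == 0:
            findings.append((name, "allows every address"))
        elif net.prefixlen < min_prefix:
            findings.append((name, f"broad range: {net.num_addresses} addresses"))
        if str(net) != address:
            # Host bits are set, e.g. 1.2.3.4/28; show the range it implies.
            findings.append((name, f"host bits set; range is {net}"))
    return findings


def matching_rules(rules, client_ip):
    """Names of the rules whose CIDR block contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    # Assumption: any matching ALLOW rule admits the connection.
    return [name for name, address in rules.items()
            if ip in ipaddress.ip_network(address, strict=False)]


def safe_to_activate(rules, admin_ips):
    """True only if every admin address is covered by at least one rule."""
    return all(matching_rules(rules, ip) for ip in admin_ips)


if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY),
                          ("office_access_policy", OFFICE_ACCESS_POLICY)):
        print(label, audit_policy(policy))
    # Constructed admin addresses: one inside new_york, one outside both rules.
    print(safe_to_activate(OFFICE_ACCESS_POLICY, ["1.2.3.10"]))
    print(safe_to_activate(OFFICE_ACCESS_POLICY, ["1.2.3.10", "9.9.9.9"]))
```

A `False` result from `safe_to_activate` means at least one listed administrator address matches no rule and would lose access once the policy becomes the system default.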