Responsibility for cybersecurity on the Nectar infrastructure at the University of Auckland is a partnership between you and the University. To reduce cybersecurity risk, and to protect both the University and you from data breaches and reputational harm, we encourage you to expose to the entire internet only those services, including database servers, that genuinely need to be reachable from the internet.


Open your database server to the entire internet only if you really need to. In many cases it is sufficient to allow access only from University of Auckland networks, or even only from your individual computer.


The rest of this page describes how to limit access to your database servers.


The mechanism for limiting access to your database servers depends on how you launched them: security groups for a manually installed database server, or the "Allowed CIDRs" setting for a server launched through the Nectar database service. Both cases are described below.


The following network ranges should be used to limit access to University of Auckland networks:


UoA network range    Target connection
130.216.0.0/16       UoA wired networks
10.0.0.0/8           UoA VPN networks (and other private UoA networks)
172.16.0.0/12        UoA staff and student wireless networks (and other private UoA networks)
192.168.0.0/16       Other private UoA networks

Note that the last three ranges are the general private address ranges (RFC 1918), not ranges owned by the University: any client that reaches your instance from a private source address will match them, not only UoA VPN and wireless clients. 130.216.0.0/16 is the only range that identifies UoA specifically.


Manually installed database servers

If you install a database server manually, access is configured through security groups. Add rules that open only the database port (for example 3306 for MySQL or 5432 for PostgreSQL) from the UoA network ranges above if you want to limit access to UoA networks only.


Nectar database service

Database servers launched through the Nectar database service (https://dashboard.rc.nectar.org.au/project/databases/) are accessible by default from everywhere on the internet, unless you configure your database to operate within a private network (an advanced Nectar configuration).


Restrict access at launch time

When you launch a database instance from the Nectar dashboard (clicking "LAUNCH INSTANCE" at https://dashboard.rc.nectar.org.au/project/databases/), you are taken through four steps:

Step 1  Launch Instance
Step 2  Networking
Step 3  DB Access
Step 4  Initialize DBs


Steps 2-4 of this process provide options to restrict access to your database, but none of them restricts access by default.


In step 3 (DB Access), enter the UoA network ranges from above if you want to limit access to UoA networks only.


Restrict access after setting up your database(s)

Select the action UPDATE INSTANCE from the dropdown on the right of your database instance:


The default value of the "Allowed CIDRs" field, 0.0.0.0/0, is CIDR notation for "everywhere on the internet": everyone on the internet can try to connect to your database.




Edit the "Allowed CIDRs" field to a comma-separated list of network ranges, which may include the UoA network ranges above or other networks. Remove 0.0.0.0/0 from the list, otherwise the other entries have no effect.

We recommend the value

             130.216.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

to allow access from within the UoA network and the VPN.
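As an added example (this script is not part of the original page or of the Nectar service), the following Python checks an "Allowed CIDRs" value of the kind entered under UPDATE INSTANCE, or the same list of ranges you would use as remote IP prefixes in security group rules for a manually installed server, before you apply it. It rejects malformed entries such as a range with host bits set, flags the wide-open default 0.0.0.0/0, notes which entries are generic RFC 1918 ranges rather than UoA-specific ones, and shows whether a given client address would be admitted. The UoA ranges are the ones listed on this page; the client addresses tested at the bottom are constructed for illustration only. It needs only the Python 3 standard library.

```python
import ipaddress

# UoA network ranges from the table on this page.
UOA_RANGES = (
    "130.216.0.0/16",   # UoA wired networks
    "10.0.0.0/8",       # UoA VPN networks (and other private UoA networks)
    "172.16.0.0/12",    # UoA staff and student wireless networks
    "192.168.0.0/16",   # Other private UoA networks
)

# The value this page recommends for the "Allowed CIDRs" field.
RECOMMENDED_ALLOWED_CIDRS = ", ".join(UOA_RANGES)


def parse_allowed_cidrs(field):
    """Parse a comma-separated "Allowed CIDRs" value into ip_network objects.

    strict=True makes ipaddress raise ValueError for an entry with host bits
    set (e.g. "130.216.5.0/16"), which is almost always a typo, so the
    mistake is caught here instead of being applied to the instance.
    """
    networks = []
    for item in field.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=True))
    return networks


def audit_allowed_cidrs(field):
    """Return review findings for an "Allowed CIDRs" value.

    WARNING: a /0 entry (the dashboard default 0.0.0.0/0, or ::/0) admits
             every host on the internet, whatever else is in the list.
    NOTE:    an RFC 1918 entry matches any client arriving from a private
             source address, not only UoA VPN and wireless clients.
    """
    findings = []
    for net in parse_allowed_cidrs(field):
        if net.prefixlen == 0:
            findings.append(f"WARNING: {net} allows connections from everywhere on the internet")
        elif net.is_private:
            findings.append(f"NOTE: {net} is a private (RFC 1918) range, not specific to UoA")
    return findings


def is_allowed(field, client_ip):
    """True if a client connecting from client_ip passes the Allowed CIDRs list."""
    address = ipaddress.ip_address(client_ip)
    return any(address in net for net in parse_allowed_cidrs(field))


if __name__ == "__main__":
    for value in ("0.0.0.0/0", RECOMMENDED_ALLOWED_CIDRS):
        print(f"Allowed CIDRs = {value}")
        for finding in audit_allowed_cidrs(value):
            print("  " + finding)
    # Constructed sample client addresses (not from the page): one on the
    # UoA wired range, one on the VPN range, one arbitrary public address.
    for ip in ("130.216.1.10", "10.20.30.40", "203.0.113.7"):
        print(f"{ip} admitted by recommended value: {is_allowed(RECOMMENDED_ALLOWED_CIDRS, ip)}")
```

Run it before pasting a new value into the dashboard; any WARNING line means the list still exposes the database to the whole internet, and a ValueError points at the exact entry that is malformed.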