Responsibility for cybersecurity on the Nectar infrastructure at the University of Auckland is a partnership between you and the University. To reduce cybersecurity risk, and to protect the University and you from data breaches and reputational harm, we encourage you to only expose services - including database servers - to the entire internet that need to be available on the internet.


Please open access to your database server to the entire internet only if you really need to. In many cases it should be sufficient to only open access to University of Auckland networks, or perhaps even your individual computer.


The rest of this page describes how to limit access to your database servers.


The mechanism to limit access to your database servers depends on the way you launched them: 


The following network ranges should be used to limit access to University of Auckland networks:


UoA network rangesTarget connection
130.216.0.0/16  UoA wired networks
10.0.0.0/8UoA VPN networks (and other private UoA networks)
172.16.0.0/12UoA staff and student wireless networks (and other private UoA networks)
192.168.0.0/16Other private UoA networks

Manually installed database servers

If you install a database server manually, access will  be configured through security groups. Use the UoA network ranges from above if you want to limit access to UoA networks only.


Nectar database service

Database servers launched through the Nectar database service (https://dashboard.rc.nectar.org.au/project/databases/) are accessible by default from everywhere on the internet, unless you configure your database to operate within a private network (an advanced nectar configuration).


Restrict access at launch time

When you launch a database image from the nectar dashboard (clicking "LAUNCH INSTANCE" from https://dashboard.rc.nectar.org.au/project/databases/),  

you are taken through four installation steps:

Step 1  Launch InstanceStep 2 NetworkingStep 3 DB AccessStep 4 Initialize DBs
step 1step 2step 4


Steps 2-4 of this process provide you with options to restrict access to your database, but not by default


In step 3, use the UoA network ranges from above if you want to limit access to UoA networks only.


Restrict access after setting up your database(s)

Select the action UPDATE INSTANCE from dropdown on the right:


The default value in the "Allowed CIDRs" field, 0.0.0.0/0,  is  CIDR code for "everywhere on the internet", i.e. everyone on the internet can try to access your database.


FromTo


Edit the "Allowed CIDRs" field to include a comma-separated list of network ranges which may include the UoA network ranges above, or other networks.