IP Whitelisting for Secure Model Endpoints

Question

Pulumi · Accepted Answer

In order to set up IP whitelisting for secure model endpoints, you typically need to create a network security policy that allows access from specific IP addresses while denying others. This policy can be applied to endpoints such as APIs, web applications, or data services that you want to protect.

In this guide, we'll write a Pulumi program in Python that demonstrates how to create such a security policy on Google Cloud Platform (GCP) using the `SecurityPolicy` resource. This resource allows us to define fine-grained security rules, including IP whitelisting.

### Google Cloud Platform Security Policy

In GCP, a `SecurityPolicy` resource represents a cloud security policy for the GCP Cloud Armor security service, which can enforce various security rules, such as rate controls, IP blocklists, and allowlists.

A `SecurityPolicy` rule allows you to define the action that occurs when a request matches the criteria you've set. In the case of IP whitelisting, we'll create a rule that checks if an incoming request's IP address is in our allowlist. If it matches, the request will be allowed; if not, the request will be denied.

Here is a Pulumi program that creates a `SecurityPolicy` in GCP, with one rule that allows traffic from a specific IP range.

Before running the code, make sure you have:

1. Installed Pulumi and set up the GCP provider. Check out [Pulumi's installation guide](https://www.pulumi.com/docs/get-started/install/) for instructions.
2. Configured your GCP credentials for use with Pulumi. You usually accomplish this by having the Google Cloud SDK installed and authenticated on the machine where you run Pulumi.

```python
import pulumi
import pulumi_gcp as gcp

# Create a new security policy
security_policy = gcp.compute.SecurityPolicy("whitelist-security-policy",
    description="A security policy to demonstrate IP whitelisting",
)

# Define an IP whitelist rule
ip_whitelist_rule = gcp.compute.SecurityPolicyRule("ip-whitelist-rule",
    security_policy=security_policy.id,
    action="allow",  # Actions can be "allow" or "deny"
    priority=1000,
    match=gcp.compute.SecurityPolicyRuleMatchArgs(
        versioned_expr="SRC_IPS_V1",
        config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
            src_ip_ranges=["192.168.1.0/24"],  # Replace with your IP range to whitelist
        )
    ),
    description="Allow traffic from the 192.168.1.0/24 IP range",
)

# Export the URL of the security policy
pulumi.export("security_policy_url", security_policy.self_link)
```

In the program above, we:

1. Import the required modules.
2. Create a `SecurityPolicy` resource with a human-readable description.
3. Define a `SecurityPolicyRule` resource attached to our policy: 
   - Set the `action` to "allow" for our whitelisted IP range.
   - Assign a priority to the rule (lower numbers have higher priority).
   - Specify the `match` criteria using `SecurityPolicyRuleMatchArgs` and `SecurityPolicyRuleMatchConfigArgs`, where `src_ip_ranges` contains the IPs we want to allow connection from.
   - Descriptive text can also be added with the `description` field.
4. Finally, export the `self_link` URL of the security policy, which uniquely identifies it within GCP.

After running this Pulumi code, your GCP project will contain a security policy that whitelists the specified IP range. You can then associate this security policy with a backend service or a load balancer to protect your model endpoints with the described IP restrictions.