1. IP Whitelisting for Secure Model Endpoints


    In order to set up IP whitelisting for secure model endpoints, you typically need to create a network security policy that allows access from specific IP addresses while denying others. This policy can be applied to endpoints such as APIs, web applications, or data services that you want to protect.

    In this guide, we'll write a Pulumi program in Python that demonstrates how to create such a security policy on Google Cloud Platform (GCP) using the SecurityPolicy resource. This resource allows us to define fine-grained security rules, including IP whitelisting.

    Google Cloud Platform Security Policy

    In GCP, a SecurityPolicy resource represents a cloud security policy for the GCP Cloud Armor security service, which can enforce various security rules, such as rate controls, IP blocklists, and allowlists.

    A SecurityPolicy rule allows you to define the action that occurs when a request matches the criteria you've set. In the case of IP whitelisting, we'll create a rule that checks if an incoming request's IP address is in our allowlist. If it matches, the request will be allowed; if not, the request will be denied.

    Here is a Pulumi program that creates a SecurityPolicy in GCP, with one rule that allows traffic from a specific IP range.

    Before running the code, make sure you have:

    1. Installed Pulumi and set up the GCP provider. Check out Pulumi's installation guide for instructions.
    2. Configured your GCP credentials for use with Pulumi. You usually accomplish this by having the Google Cloud SDK installed and authenticated on the machine where you run Pulumi.
    import pulumi import pulumi_gcp as gcp # Create a new security policy security_policy = gcp.compute.SecurityPolicy("whitelist-security-policy", description="A security policy to demonstrate IP whitelisting", ) # Define an IP whitelist rule ip_whitelist_rule = gcp.compute.SecurityPolicyRule("ip-whitelist-rule", security_policy=security_policy.id, action="allow", # Actions can be "allow" or "deny" priority=1000, match=gcp.compute.SecurityPolicyRuleMatchArgs( versioned_expr="SRC_IPS_V1", config=gcp.compute.SecurityPolicyRuleMatchConfigArgs( src_ip_ranges=[""], # Replace with your IP range to whitelist ) ), description="Allow traffic from the IP range", ) # Export the URL of the security policy pulumi.export("security_policy_url", security_policy.self_link)

    In the program above, we:

    1. Import the required modules.
    2. Create a SecurityPolicy resource with a human-readable description.
    3. Define a SecurityPolicyRule resource attached to our policy:
      • Set the action to "allow" for our whitelisted IP range.
      • Assign a priority to the rule (lower numbers have higher priority).
      • Specify the match criteria using SecurityPolicyRuleMatchArgs and SecurityPolicyRuleMatchConfigArgs, where src_ip_ranges contains the IPs we want to allow connection from.
      • Descriptive text can also be added with the description field.
    4. Finally, export the self_link URL of the security policy, which uniquely identifies it within GCP.

    After running this Pulumi code, your GCP project will contain a security policy that whitelists the specified IP range. You can then associate this security policy with a backend service or a load balancer to protect your model endpoints with the described IP restrictions.