Airflow's UI whitelist is managed in Cloud Armor. In order add or remove an IP from the Airflow UI whitelist you will need to edit the udp-airflow-access

security policy. To view the current whitelist run the following command:

View current Cloud Armor whitelist
gcloud compute security-policies rules describe 1000 \
	--security-policy "udp-airflow-access" \
	--project "${GCP_PROJECT_ID}"

You should see an output similar to the yaml below, the current whilelisted IPs will be listed under match.config.srcIpRanges:

---
action: allow
description: ''
kind: compute#securityPolicyRule
match:
  config:
    srcIpRanges:
    - 8.8.8.8/32
    - 8.8.4.4/32
  versionedExpr: SRC_IPS_V1
preview: false
priority: 1000


To update the whitelist you can update it in the GCP console here, or run the following command:

You must include all current and new srcIpRanges in the update command. The value supplied to the --src-ip-ranges flag must be in CIDR notation and in a CSV list. See the official GCP documentation for more information.


Update Cloud Armor whitelist
gcloud compute security-policies rules update 1000 \
	--security-policy "udp-airflow-access" \
	--src-ip-ranges "${WHITELIST}" \
	--project "${GCP_PROJECT_ID}"

Once your changes are made it can take a few minutes for the changes to be reflected.

  • No labels