Airflow's UI whitelist is managed in Cloud Armor. To add or remove an IP from the Airflow UI whitelist, edit the udp-airflow-access security policy. To view the current whitelist, run the following command:

View current Cloud Armor whitelist
gcloud compute security-policies rules describe 1000 \
	--security-policy "udp-airflow-access" \
	--project "${GCP_PROJECT_ID}"

You should see output similar to the YAML below. The currently whitelisted IPs are listed under match.config.srcIpRanges:

action: allow
description: ''
kind: compute#securityPolicyRule
  versionedExpr: SRC_IPS_V1
preview: false
priority: 1000

To update the whitelist, you can edit it in the GCP console here, or run the command below.

You must include all current and new srcIpRanges in the update command. The value supplied to the --src-ip-ranges flag must be a comma-separated list of ranges in CIDR notation. See the official GCP documentation for more information.

Update Cloud Armor whitelist
gcloud compute security-policies rules update 1000 \
	--security-policy "udp-airflow-access" \
	--src-ip-ranges "${WHITELIST}" \
	--project "${GCP_PROJECT_ID}"

Once your changes are made, it can take a few minutes for them to be reflected.
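Because the update command must carry every existing range as well as the new one, a read-merge-update helper avoids dropping entries by accident. The script below is an added example, not part of the original page; the function names, the `--format "value(...)"` projection (whose list output is assumed to be separated by `;`), and the IPv4-only validation are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-merge-update for rule 1000, so existing ranges are kept.
MAX_RANGES=10   # Cloud Armor accepts at most 10 source ranges per rule

# is_cidr4 VALUE: succeeds only for a well-formed IPv4 CIDR (IPv4 only here).
is_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1##*/}
    case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# merge_ranges CURRENT NEW: prints the complete CSV for --src-ip-ranges.
# CURRENT may be separated by ',', ';' or whitespace; duplicates are dropped.
merge_ranges() {
    new=$2
    is_cidr4 "$new" || { echo "invalid CIDR: $new" >&2; return 1; }
    merged=$(printf '%s\n' "$1" "$new" | tr ',; \t' '\n\n\n\n' \
        | awk 'NF && !seen[$0]++' | paste -sd, -)
    count=$(printf '%s\n' "$merged" | awk -F, '{print NF}')
    [ "$count" -le "$MAX_RANGES" ] || {
        echo "rule would hold $count ranges (limit $MAX_RANGES)" >&2; return 1; }
    printf '%s\n' "$merged"
}

# add_to_whitelist NEW_CIDR: fetch the current ranges, merge, then update.
# This is the only function that calls gcloud; it needs GCP_PROJECT_ID set.
add_to_whitelist() {
    current=$(gcloud compute security-policies rules describe 1000 \
        --security-policy "udp-airflow-access" \
        --project "${GCP_PROJECT_ID}" \
        --format "value(match.config.srcIpRanges)") || return 1
    WHITELIST=$(merge_ranges "$current" "$1") || return 1
    echo "Updating rule 1000 with: ${WHITELIST}" >&2
    gcloud compute security-policies rules update 1000 \
        --security-policy "udp-airflow-access" \
        --src-ip-ranges "${WHITELIST}" \
        --project "${GCP_PROJECT_ID}"
}
```

Source the file and run `add_to_whitelist <CIDR>`; the merged list is printed to stderr before the update so the change can be checked against the previous `describe` output.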
