You can restrict which IP addresses or IP address ranges can access the Astro service for your specific Organization. By default, Astro allows users to access their Organization from unsecured networks. If your organization uses a VPN or another mechanism that limits the IP addresses your users can have, you can create an IP access list to restrict access to Astro to the IP addresses that you define in the Astro UI.
After you enable the IP access list, users and user-privileged resources can only interact with Astro while using a network with a permitted IP address, whether by using the Astro UI or programmatically with Astro API or Airflow API requests.
You must make sure that you include critical services in your IP range. These include:
Because the IP Access List limits access to the Astro UI only to specific IP addresses, you can’t access the Astro UI if you’re not connected to a corresponding VPN or authorized network.
To restore access for a user that is blocked, an Organization Owner needs to either:
If you disable the IP Access List setting to resolve the user’s access issue temporarily, remember to enable the setting again to maintain the IP address restrictions.
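A pre-flight check you can run before enabling the IP access list, as an added example that is not part of the Astro documentation or tooling: it tests a planned list against the source addresses of the users and services that must keep access and reports any that would be blocked. The CIDR notation, the labels, and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses), not real Astro values.
PLANNED_LIST = ["203.0.113.0/28", "198.51.100.25"]
REQUIRED_SOURCES = {  # hypothetical labels for sources that must keep access
    "vpn-egress": "203.0.113.5",
    "org-owner-laptop": "203.0.113.14",
    "ci-runner": "198.51.100.40",
}

def parse_access_list(entries):
    """Parse single IPs or CIDR ranges; raise ValueError on malformed entries."""
    # strict=True rejects ranges with host bits set, such as 203.0.113.7/24,
    # which usually indicate a typo in the range.
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]

def find_blocked(sources, networks):
    """Return {label: address} for each source not covered by any permitted range."""
    blocked = {}
    for label, addr in sources.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in networks):
            blocked[label] = addr
    return blocked

def overly_broad(networks, max_addresses=65536):
    """Return ranges larger than max_addresses (an arbitrary review threshold)."""
    return [str(n) for n in networks if n.num_addresses > max_addresses]

if __name__ == "__main__":
    nets = parse_access_list(PLANNED_LIST)
    for label, addr in find_blocked(REQUIRED_SOURCES, nets).items():
        print(f"WOULD BE BLOCKED: {label} ({addr})")
    for rng in overly_broad(nets):
        print(f"REVIEW: {rng} permits a very large address space")
```

Include the Organization Owner's own address among the required sources, because an Organization Owner is the one who restores access for blocked users.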
Enhanced Support Access is enabled by default for all Organizations to ensure faster, more effective assistance from the Astronomer Support team. It grants Read-only Admin access to your Organization’s details. If you have IP Access List enabled, Enhanced Support Access permits Astronomer Support to bypass the IP restriction and view your Organization details. Support can’t make any changes to your Organization or resources.
See Enhanced Support Access for information about the permission scope and how to disable the feature.