IP access control

IBM COS supports Allowed IP in Vault Mode to restrict bucket access to trusted IP addresses.

A client can access a bucket through either a direct connection or a proxy connection.

When a client connects to an IBM COS Accesser® device directly, the connection is considered a direct connection, and the client IP address is retrieved from the client transport connection information. A special case of the direct connection is a client that connects to the Accesser® device through a proxy server, such as a load balancer, that is configured to preserve the client source IP address; the client IP address can then still be retrieved from the client transport connection information. When the connection is a direct connection, the customer can whitelist the client public IP addresses that are allowed to access the bucket. IBM COS will enforce IP access control based on the client IP address.

When the client connects to the Accesser® device through a proxy server such that the client IP address cannot be retrieved from the client transport connection information, the connection is considered a proxy connection. To use the IP access control capability for a proxy connection, the system application must set the client originating public IP address at the rightmost proxy IP address in the X-Forwarded-For HTTP header, and the system admin must choose the "proxy" connection in the Manager Web Interface. Refer to IBM COS Manager Web interface -> Administration -> Network Transport Layer Configuration to set the proper connection type and public client originating IP address.
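The address selection described above, as an added Python example that is not IBM COS code: it models which address is evaluated in each connection type and checks it against an allowed list. The function names, the "direct"/"proxy" mode strings, CIDR entries in the list, and denying a request whose header is missing or malformed are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allow list (documentation address ranges, not real clients).
ALLOWED = ["203.0.113.10", "198.51.100.0/24"]

def resolve_client_ip(mode, peer_ip, xff_header=None):
    """Return the address to evaluate, or None if it cannot be determined.

    mode        -- "direct" or "proxy" (hypothetical names for the two
                   connection types the page describes)
    peer_ip     -- source address of the transport connection
    xff_header  -- raw X-Forwarded-For header value, if any
    """
    if mode == "direct":
        # Direct connection: the transport peer address is authoritative.
        # X-Forwarded-For is ignored because any client can send it.
        candidate = peer_ip
    elif mode == "proxy":
        # Proxy connection: the transport peer is the proxy, so the client
        # address is taken from the rightmost X-Forwarded-For entry.
        if not xff_header:
            return None
        candidate = xff_header.split(",")[-1].strip()
    else:
        raise ValueError("unknown connection mode: %r" % mode)
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None  # malformed address: cannot be matched, so deny

def is_allowed(mode, peer_ip, xff_header, allowed=ALLOWED):
    """True only if the resolved client address is inside the allow list."""
    client = resolve_client_ip(mode, peer_ip, xff_header)
    if client is None:
        return False
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowed]
    return any(client in net for net in networks)

if __name__ == "__main__":
    # Direct mode: a forged header naming an allowed address has no effect.
    print(is_allowed("direct", "192.0.2.7", "203.0.113.10"))
    # Proxy mode: only the rightmost entry is evaluated.
    print(is_allowed("proxy", "10.0.0.5", "192.0.2.7, 198.51.100.23"))
```

If the connection type is set to "proxy" while clients can also reach the device without passing through the proxy, the header value is client-controlled, so the configured connection type has to match how traffic actually arrives.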