> Learn about creating and managing network policies for Firebolt.

# Network policies

By default, Firebolt accepts traffic from any IP address. As an additional layer of security, you can configure individual Firebolt logins or service accounts so their traffic must originate only from the IP addresses that you specify. For each configuration (network policy), you specify a list of IP addresses from which traffic is allowed (the allow list) and a list of IP addresses from which traffic is denied (the blocked list). A network policy is a collection of allowed and blocked lists of IP addresses.

Network policies can be configured at the organization level and also per login or service account. When evaluating a network policy, Firebolt first validates the IP address of the login or service account against the policy set at the organization level. If there is no network policy at the organization level (or the organization-level network policy does not allow access), then the network policy at the login/service account level is validated. If a network policy does not allow access, the user receives a `401 Unauthorized` response.

The IP allow and blocked lists used to specify a network policy are specified as comma-separated IPv4 addresses and/or IPv4 address ranges in CIDR format. You can apply the same list to one or many users, and each user can have unique lists. You can specify lists manually or import lists of addresses and ranges from a CSV file saved locally. You can add, edit or delete network policies using SQL or in the UI.
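The evaluation order and list format described above can be modelled locally to check which source addresses a planned combination of policies would admit before attaching it. This is an added example, not Firebolt code: `parse_ip_list`, `Policy` and `is_allowed` are hypothetical names, the sample addresses are constructed, and it assumes that a blocked-list match overrides an allow-list match and that a missing login-level policy denies once an organization-level policy has refused access.

```python
import ipaddress

def parse_ip_list(text):
    """Parse comma-separated IPv4 addresses and CIDR ranges into networks."""
    # IPv4Network raises ValueError for IPv6, malformed entries, and ranges
    # with host bits set (e.g. 203.0.113.5/24), so typos fail early.
    return [ipaddress.IPv4Network(item.strip())
            for item in text.split(",") if item.strip()]

class Policy:
    """Local model of one network policy: an allow list and a blocked list."""
    def __init__(self, allowed, blocked=""):
        self.allowed = parse_ip_list(allowed)
        self.blocked = parse_ip_list(blocked)

    def allows(self, ip):
        addr = ipaddress.IPv4Address(ip)
        # Assumption: a blocked-list match overrides an allow-list match.
        if any(addr in net for net in self.blocked):
            return False
        return any(addr in net for net in self.allowed)

def is_allowed(ip, org_policy=None, login_policy=None):
    """Apply the order described above; False corresponds to 401 Unauthorized."""
    if org_policy is None and login_policy is None:
        return True  # default: traffic from any IP address is accepted
    if org_policy is not None and org_policy.allows(ip):
        return True
    # No organization policy, or it did not allow access: fall through to the
    # login/service account policy. Assumption: no policy at this level = deny.
    return login_policy is not None and login_policy.allows(ip)

# Constructed sample policies using documentation address ranges.
ORG = Policy("203.0.113.0/24", blocked="203.0.113.7")
LOGIN = Policy("203.0.113.7, 198.51.100.10")

if __name__ == "__main__":
    for ip in ("203.0.113.20", "203.0.113.7", "198.51.100.10", "192.0.2.1"):
        print(ip, "org only:", is_allowed(ip, ORG),
              "org + login:", is_allowed(ip, ORG, LOGIN))
```

Under the stated order, the organization-level block on `203.0.113.7` does not hold for a login whose own policy allows that address, so login-level allow lists are worth reviewing alongside the organization policy.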

To view all network policies, click **Configure** to open the configure space, then choose **Network policies** from the menu, or query the [information\_schema.network\_policies](/reference-sql/information-schema/network_policies) view.

<Note>
  Managing network policies requires the org\_admin role.
</Note>

## Create a network policy

### SQL

To create a network policy using SQL, use the [CREATE NETWORK POLICY](/reference-sql/commands/access-control/create-network-policy) statement. For example:

```sql theme={null}
CREATE NETWORK POLICY my_network_policy WITH ALLOWED_IP_LIST = ('4.5.6.1', '2.4.5.1') DESCRIPTION = 'my new network policy'
```

### UI

To create a network policy via the UI:

<img src="https://mintcdn.com/firebolt-aggregate-helm-docs-pr-4/28klgY4r_rwrJXOA/assets/images/networkpoliciespage.png?fit=max&auto=format&n=28klgY4r_rwrJXOA&q=85&s=ff1bfc106fbbf75844679c0d7189663e" alt="Configure > Network policies" width="1838" height="464" data-path="assets/images/networkpoliciespage.png" />

1. Click **Configure** to open the configure space, then choose **Network policies** from the menu.
2. From the Network policies management page, choose **Create a new network policy**.
3. Enter a network policy name. Optionally, enter a network policy description. To add to the allow list, enter comma-separated IPv4 addresses, or IPv4 address ranges in CIDR format under **Grant access from selected allowed IP addresses**, or choose **import file** to read IP addresses from a CSV file.
4. Enter addresses for the blocked list under **Deny access from selected blocked IP addresses**.
5. Choose **Save**.

For each user, the Allowed IPs and Blocked IPs are updated to reflect the total number of IP addresses from each list that you specified for that user. Network policies created in the UI are automatically attached to the organization to which the policy creator is logged in.

## Attach a network policy to an organization

### SQL

A network policy created in the UI is automatically attached to the organization that the creator is logged in to. To attach or detach a network policy using SQL, use the [ALTER ORGANIZATION](/reference-sql/commands/data-definition/alter-organization) command. For example:

```sql theme={null}
ALTER ORGANIZATION my_organization SET NETWORK_POLICY = my_network_policy
```

or to detach:

```sql theme={null}
ALTER ORGANIZATION my_organization SET NETWORK_POLICY = DEFAULT
```

### UI

To attach/detach a network policy to an organization via the UI:

<img src="https://mintcdn.com/firebolt-aggregate-helm-docs-pr-4/28klgY4r_rwrJXOA/assets/images/networkpoliciespagetoggle.png?fit=max&auto=format&n=28klgY4r_rwrJXOA&q=85&s=eccf61b0f84401645d774252405694ba" alt="Configure > Network policies" width="1842" height="365" data-path="assets/images/networkpoliciespagetoggle.png" />

1. Click **Configure** to open the configure space, then choose **Network policies** from the menu.
2. Search for the relevant network policy using the top search filters or by scrolling through the list.
3. Switch the **Is organizational** toggle to on or off.

## Edit a network policy

### SQL

To edit a network policy using SQL, use the [ALTER NETWORK POLICY](/reference-sql/commands/access-control/alter-network-policy) statement. For example:

```sql theme={null}
ALTER NETWORK POLICY my_network_policy SET ALLOWED_IP_LIST = ('4.5.6.7', '2.4.5.7') BLOCKED_IP_LIST = ('6.7.8.9') DESCRIPTION = 'updated network policy'
```

### UI

To edit a network policy via the UI:

1. Click **Configure** to open the configure space, then choose **Network policies** from the menu.
2. Search for the relevant network policy using the top search filters or by scrolling through the list. Hover over the right-most column to make the network policy menu appear, then choose **Edit network policy**.
3. Edit the description and the allowed and blocked IP addresses, then choose **Save**.

<img src="https://mintcdn.com/firebolt-aggregate-helm-docs-pr-4/XtVBRhHFZ-5lm4mx/assets/images/editnetworkpolicy.png?fit=max&auto=format&n=XtVBRhHFZ-5lm4mx&q=85&s=ba81fb07b9df44896de39bb39d81ffc6" alt="Edit network policy" style={{"width": "500px"}} width="722" height="763" data-path="assets/images/editnetworkpolicy.png" />

## Delete a network policy

### SQL

To delete a network policy using SQL, use the [DROP NETWORK POLICY](/reference-sql/commands/access-control/drop-network-policy) statement. For example:

```sql theme={null}
DROP NETWORK POLICY my_network_policy [ RESTRICT | CASCADE ]
```

### UI

To delete a network policy via the UI:

1. Click **Configure** to open the configure space, then choose **Network policies** from the menu.
2. Search for the relevant network policy using the top search filters or by scrolling through the list. Hover over the right-most column to make the network policy menu appear, then choose **Delete network policy**. You will need to confirm that you will also be removing links to the network policy by choosing **Remove the linkage to logins, service accounts, or to the entire organization**.
3. Choose **Confirm**.

<img src="https://mintcdn.com/firebolt-aggregate-helm-docs-pr-4/XtVBRhHFZ-5lm4mx/assets/images/deletenetworkpolicy.png?fit=max&auto=format&n=XtVBRhHFZ-5lm4mx&q=85&s=67aa0d03d9f707ac2721dd6bf6eb6378" alt="Delete network policy" style={{"width": "500px"}} width="1092" height="444" data-path="assets/images/deletenetworkpolicy.png" />
