Access Control

Access control helps prevent unauthorized access to Kentik. This article covers management of access control in the Kentik portal.

The Access Control page enables you to choose the IPs from which it's possible to access various Kentik functions.

About Access Control

Access control enhances security by enabling you to specify IPs and subnets that are granted access to Kentik. Access is denied to all other IPs and subnets that attempt to connect. For greater flexibility, access settings may be set individually for each of the following Kentik subsystems:

  • App: Access via the Kentik portal.
  • Agent: Access via Kentik's NetFlow Proxy Agent.
  • API: Access via Kentik APIs (see APIs Overview).
  • Database: Access via PostgreSQL client (see Connecting to KDE).
    Note: psql access to KDE is now deprecated. For additional information, contact Kentik support.

The access control settings for all four subsystems are set on the Access Control Page.


About Exception Groups

Exception groups enable you to specify, for any of the subsystems listed on the Access Control Page (App, Agent, API, and Database), the set of IPs and subnets from which access to Kentik is allowed. These groups allow you to group certain subnets and IPs into functional, easily identifiable, and more usable groups. These groups are particularly useful when allowing access for your remote employees.

Note: When you create an exception group, only the IP address(es) or subnet(s) listed will be able to access that subsystem. Be sure to add an exception for your own role if you need one.


Access Control Page

To open the Access Control page, choose Settings from the main menu, then click Access Control under Access & Security. The page is covered in the following topics:

Note: Member-level Kentik users can open the page, but only Administrators can modify the settings.

Access Control UI

The Access Control page is home to the access control settings for the four Kentik subsystems listed in About Access Control.

Each subsystem is represented by a pane that contains the following UI elements:

  • Access setting: A set of radio buttons that enable you to choose one of the following access control options for the subsystem:
    - Allow All: No restriction; the subsystem can be accessed from any IP or subnet.
    - Deny All except: The subsystem can be accessed only from the IP addresses and subnets listed in the IP Addresses/Subnets field.
  • Exception Group: A set of fields and controls for one Exception Group. See Exception Group Card.
  • Add Exception Group (shown only if access setting is Deny All except): A button that allows you to create a new group of IP addresses and/or subnets with access to the Kentik subsystem (see Add an Exception Group).
  • Save button (shown only if access setting is Deny All except): Click to save changes to access control settings for this subsystem.

Exception Group Card

Each exception group is defined by the settings in a card (gray rectangle). The card for one exception group, named "Migrated" by default, appears when you choose the Deny All except radio button. An additional card, named "Exception" by default, will open each time you click the Add Exception Group button.

Each card contains the following fields and controls:

  • Exception Name: A field in which you can enter a name for your exception group, overwriting the default name.
  • IP Addresses/Subnets: A field that allows you to add a comma-separated list of IP addresses and/or subnets that are granted access rights to this Kentik subsystem. Access from all other IPs and subnets will be denied.
    Note: Access Control is based on the public IP from which you attempt to connect to a given Kentik subsystem, even if your client is on an RFC1918 private LAN or behind NAT.
  • Remove button: A trash icon that, when clicked, allows you to remove the exception group (see Remove an Exception Group).

Access Control Defaults

The default access control setting varies depending on the Kentik subsystem:

  • App: Default is Allow All. Switch to Deny All except is recommended.
    Note: If you choose to switch to Deny All except, be sure to enter in the IP Addresses/Subnets field the IP address from which you are connected or else your access will be denied when you click Save. Users who try to log in from an IP/subnet that is not whitelisted will see an "Unable to authenticate" notification on the Kentik login page.
  • Agent: Default is Allow All. Switch to Deny All except is recommended.
  • API: Default depends on when the organization subscribed to Kentik:
    - Subscribed before April 19, 2017: Default is Allow All.
    - Subscribed on or after April 19, 2017: Default is Deny All except. Before the API can be used, access must be enabled by whitelisting the IPs/subnets from which the API will be accessed.
  • Database: Same as API.

To determine the IP address to whitelist when you connect to any of the above Kentik subsystems:

  • For App, go to
  • For Agent, API, or Database, run the following code on the server that hosts the agent or code that will be connecting to Kentik:

Managing Exception Groups

Exception groups are covered in the following topics:

Add an Exception Group

To add an exception group:

  1. Go to the Access Control page (Settings » Access Control).
  2. In the subsystem where you would like to create an exception group (App, Agent, API, or Database), click the Deny All except radio button.
  3. In the resulting Exception Group Card, change the default exception group name to something more descriptive of the group’s function.
  4. Enter a comma-separated list of IP addresses and/or subnets that should be allowed to access this subsystem.
  5. Click Save.
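
A pre-save check for the list entered in step 4, as an added example (not Kentik code): it parses the comma-separated entries, flags any that fall wholly inside RFC1918 space (access control is evaluated on the public IP you connect from), and confirms the list covers that public IP so that clicking Save does not deny your own access. The function names, report keys, and sample addresses are assumptions of this example.

```python
import ipaddress

# RFC1918 private ranges. Access control is based on the public source IP,
# so an entry wholly inside these ranges will not match a client behind NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_entries(text):
    """Split a comma-separated IP/subnet list into networks and bad entries."""
    networks, invalid = [], []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        try:
            # strict=False accepts 203.0.113.5/24 and normalizes it to the /24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append(entry)
    return networks, invalid


def preflight(text, my_public_ip):
    """Check a candidate Deny All except list before it is saved."""
    networks, invalid = parse_entries(text)
    me = ipaddress.ip_address(my_public_ip)
    private = [str(n) for n in networks
               if n.version == 4 and any(n.subnet_of(r) for r in RFC1918)]
    allows_me = any(me in n for n in networks)
    return {
        "invalid": invalid,            # entries that are not an IP or subnet
        "private_entries": private,    # RFC1918 entries; public IP never matches
        "allows_me": allows_me,        # does the list cover my public IP?
        "safe_to_save": allows_me and not invalid,
    }


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    candidate = "203.0.113.0/24, 198.51.100.7, 192.168.1.0/24, 10.0.0.300"
    print(preflight(candidate, "198.51.100.7"))
    print(preflight("192.168.1.0/24", "203.0.113.9"))
```
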

Edit an Exception Group

To edit an existing exception group:

  1. Go to the Access Control page (Settings » Access Control).
  2. In an existing Exception Group Card:
    - Edit the name or the IP address fields.
    - Click the Remove (trash) icon, then click Remove in the confirmation dialog.
  3. Click Save.

Remove an Exception Group

To remove an exception group:

  1. Go to the Access Control page (Settings » Access Control).
  2. In the Exception Group Card of the group you'd like to remove, click the Remove button (red trash icon).
  3. Click Remove in the confirmation dialog.