Domain and IP Allowlisting [External Access]


Roles for External Access in the Workspace

Accountable and Privileged: Read + Write
Advanced: Read only
Rest All: No access
Platform Support Team (PST members): Read + Write

These steps can be performed only by the Accountable and Privileged Members of the Workspace.

In the link below, you will find an overview of all the capabilities per role. The roles are ordered from left to right: from least privileged to most privileged.
Enabling external access in your workspace has implications:
Reduced auditability: data can be ingressed and egressed between a VM and an external location, bypassing the standard audited myDRE workflows.
Reduced security: it is possible that (accidentally) installed services by a workspace member pose a risk.

1. Log in to the portal

Use your @mydre.org account to log in and access the Workspace in the myDRE user portal.

2. Workspace

Search for the workspace for which you want to allowlist domains.



3. Domain-Allowlisting

Go to External Access > Domain-Allowlisting > +Add Website(s).



4. Add Websites (domain)

Click on +Add Website(s).
Here you can find a list of domains to be allowlisted for known applications.
Please add the domains as shown in the screenshot. If a domain is not correct, you will get the error: "Please enter a valid website(s)".



5. Bulk Edit

This feature enables you to simultaneously add or remove multiple domains.



Mandatory websites, as listed on the main screen, are not open to user updates.
Please enter the websites to be allowlisted below. Click here for instructions and the list of known applications including required configuration for specific software. 



6. Disable Web Access

This will permanently delete all the previous websites from the workspace and cannot be undone.



To disable web access, you must enter the workspace name for confirmation.




7. IP - Allowlisting

This feature enables you to open up ports to static IP addresses. If you want to make use of dynamic addresses, please use the domain allowlisting option. Opening up ports is enabled on the workspace level; it is not possible on the VM level.
Please consult your local Support team member if you are not sure which of the two approaches is more suitable for your application or your way of working within the myDRE workspace.



Fill in the fields and click Add rule.
By default, a newly created rule is not enabled and needs to be turned on.



Enable the rule by toggling the Enabled button next to the rule.
Review the Warning, accept the terms by ticking the box and press Turn on.
You can turn off the rule simply by turning off the Enabled button next to the rule.

Please be aware that opening ports may have security and auditability implications, and therefore it is important to maintain visibility of all potentially accessed rules at all times. As such, any request to have a rule completely removed or to close a port is currently not self-service and should be submitted via a ticket on support.mydre.org. Please include details such as the specific rule and the workspace ID it pertains to.

Please note that when you allow the first domain, it also shows a couple of other domains (which are mandatory). Users can't reach those websites, however they are needed for certain actions. For transparency, we do show those domains and we will add this (including risks if any) to the support article so that it doesn't scare the users.
  1. file.core.windows.net and blob.core.windows.net are there to allow connections to storage accounts, in particular file and blob storage. This is needed for mounting the Z drive to VMs and other storage needs VMs may have.
  2. management.azure.com and management.core.windows.net are related to some Azure AD functionality and are needed for looking up AD groups within the VM.
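
An added example, not part of the original article or of the myDRE portal: a pre-check that sorts a proposed list into entries for Domain-Allowlisting, static IPs that belong under IP allowlisting, mandatory domains that are already present, and entries to correct before using Bulk Edit. The RFC 1123 hostname rule and the names `triage`, `MANDATORY` and `SAMPLE` are assumptions; the portal's own validation rules are not described on this page.

```python
import ipaddress
import re

# Mandatory domains named on this page; they are not open to user updates.
MANDATORY = {"file.core.windows.net", "blob.core.windows.net",
             "management.azure.com", "management.core.windows.net"}

# Assumption: strict RFC 1123 hostname syntax, two or more labels. The portal's
# own validation rules are not documented on this page.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(r"^(?=.{1,253}$)" + LABEL + r"(?:\." + LABEL + r")+$")


def is_ip(entry):
    """True if entry is a complete IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def triage(raw_entries):
    """Sort proposed entries into domain / ip / mandatory / invalid buckets."""
    result = {"domain": [], "ip": [], "mandatory": [], "invalid": []}
    seen = set()
    for raw in raw_entries:
        entry = raw.strip().lower().rstrip(".")
        if not entry or entry in seen:
            continue  # skip blanks and case-insensitive duplicates
        seen.add(entry)
        if is_ip(entry):
            bucket = "ip"          # static address: belongs under IP allowlisting
        elif entry in MANDATORY:
            bucket = "mandatory"   # already present, cannot be edited by users
        elif HOSTNAME.match(entry) and not entry.rsplit(".", 1)[1].isdigit():
            bucket = "domain"      # candidate for Domain-Allowlisting / Bulk Edit
        else:
            bucket = "invalid"     # URLs, wildcards, CIDR ranges, partial IPs
        result[bucket].append(entry)
    return result


# Constructed sample input, not taken from a real workspace.
SAMPLE = ["cran.r-project.org", "https://github.com/", "CRAN.R-Project.org ",
          "203.0.113.10", "blob.core.windows.net", "*.example.org", "10.0.0", ""]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE).items():
        print(f"{bucket:9} {entries}")
```

Keeping the reviewed list alongside the workspace's change record gives a second view of what was requested, in addition to the rules visible in the portal.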
