If a Managed Service for Kubernetes cluster has a public endpoint, it can be reached from any IP address on the internet. You can limit this access and allow only certain IP addresses to reach the cluster. To do so, specify allowed CIDR blocks in the cluster configuration.

When you enable a public endpoint for a Managed Kubernetes cluster, Nebius AI Cloud allocates a public IP address and provisions a load balancer for the cluster. This load balancer routes traffic to the control plane instances. When access restriction is set for a public endpoint, the allowlist of IP addresses is enforced at the network interface level of those instances, using security groups.

The access restriction doesn’t affect the private endpoint or internal traffic. The private endpoint remains open as before.

How to set an allowlist to access a Managed Kubernetes cluster

Set allowed CIDR blocks when you create or update a cluster. Pass each CIDR block as a separate --control-plane-endpoints-public-endpoint-allowed-cidrs parameter. The CIDR blocks must follow the IPv4 format, and the host bits must be equal to zero. Examples of valid CIDR blocks:
  • 192.168.0.0/24 where the last eight bits are allocated to hosts and equal to zero.
  • 8.8.8.64/26 where the last six bits are allocated to hosts and equal to zero (64 in the decimal system is 01000000 in the binary system).
To set an allowlist of CIDR blocks, do one of the following:
  • Create a cluster with limited access to the public endpoint:
    nebius mk8s cluster create \
       --control-plane-endpoints-public-endpoint=true \
       --control-plane-endpoints-public-endpoint-allowed-cidrs "203.0.113.0/24" \
       --control-plane-endpoints-public-endpoint-allowed-cidrs "198.51.100.128/25" \
       ...
    
  • Update a cluster and restrict access to the public endpoint:
    nebius mk8s cluster update <cluster_ID> \
       --control-plane-endpoints-public-endpoint-allowed-cidrs "203.0.113.0/24" \
       --control-plane-endpoints-public-endpoint-allowed-cidrs "198.51.100.128/25"
    
    The update command overwrites the existing list of CIDR blocks. If you added any CIDR blocks earlier and want to preserve them, include them in the update command.
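The following is an added example, not part of the Nebius documentation or CLI: a POSIX shell pre-flight check that applies the host-bits rule above to a complete allowlist before it is passed to the commands shown. The function names valid_cidr and allowlist_flags are hypothetical, and refusing a /0 block is a local policy assumption rather than a documented service rule.

```sh
# Succeeds only for an IPv4 CIDR block whose host bits are all zero.
valid_cidr() (
    cidr=$1
    case $cidr in */*) ;; *) exit 1 ;; esac
    addr=${cidr%/*}
    prefix=${cidr#*/}
    # Prefix length: decimal, no leading zero, 0..32.
    case $prefix in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$prefix" -le 32 ] || exit 1
    # Address: exactly four dot-separated octets, no trailing dot.
    case $addr in *.) exit 1 ;; esac
    set -f; IFS=.          # subshell body, so these settings do not leak
    set -- $addr
    [ "$#" -eq 4 ] || exit 1
    ip=0
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
        ip=$(( ip * 256 + octet ))
    done
    # Host part = the low (32 - prefix) bits of the address; it must be zero.
    [ "$(( ip & ((1 << (32 - prefix)) - 1) ))" -eq 0 ]
)

# Prints one flag/value pair per CIDR block. The whole list is validated
# before anything is printed, so a typo cannot yield a partial allowlist
# (the update command overwrites the stored list with whatever is passed).
allowlist_flags() (
    flag=--control-plane-endpoints-public-endpoint-allowed-cidrs
    for cidr in "$@"; do
        # Local policy (assumption): refuse /0, which matches every address.
        case $cidr in */0) echo "rejected, matches all: $cidr" >&2; exit 1 ;; esac
        valid_cidr "$cidr" || { echo "rejected, invalid: $cidr" >&2; exit 1; }
    done
    for cidr in "$@"; do printf '%s %s\n' "$flag" "$cidr"; done
)

# Usage (validated values contain only digits, dots and a slash, so the
# unquoted substitution splits safely):
#   nebius mk8s cluster update <cluster_ID> \
#       $(allowlist_flags 203.0.113.0/24 198.51.100.128/25)
```

Keep the full intended allowlist in one reviewed file or variable and always pass all of it, since each update replaces the previous list.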
For more information about other command parameters, see How to create and modify Managed Service for Kubernetes® clusters.