Connectivity
What are connectivity rules?
Connectivity rules are Temporal Cloud's mechanism for limiting network access to a namespace. When you add connectivity rules, Temporal Cloud will block traffic that does not have a corresponding connectivity rule from accessing the namespace. By default, a namespace has zero connectivity rules, and is accessible from the public internet.
A connectivity rule specifies public (i.e. internet) or private (i.e. AWS PrivateLink or Google Cloud Private Service Connect) access to a namespace. One namespace can have multiple connectivity rules, and may mix both public and private rules.
Namespace access is always securely authenticated via API keys or mTLS, regardless of connectivity rules.
Connectivity rules can be managed with tcld or Terraform.
Creating a connectivity rule
Temporal Cloud CLI (tcld)
Create public connectivity rule:
tcld connectivity-rule create --connectivity-type public
Create private connectivity rule (AWS):
tcld connectivity-rule create --connectivity-type private --connection-id "conn-123" --region "us-east-1" --cloud-provider aws
Create private connectivity rule (GCP):
tcld connectivity-rule create --connectivity-type private --connection-id "conn-456" --region "us-central1" --cloud-provider gcp --gcp-project-id "my-project-123"
The cr alias works the same way:
tcld cr create --connectivity-type public
Private connectivity rule:
tcld cr create --connectivity-type private --connection-id "conn-123" --region "us-east-1" --cloud-provider aws
Terraform
Update connectivity rules on a namespace
Temporal Cloud CLI (tcld)
Setting the connectivity rules on a namespace:
tcld namespace set-connectivity-rules --namespace "my-namespace" --connectivity-rule-ids "rule-id-1" --connectivity-rule-ids "rule-id-2"
Or using aliases:
tcld n scrs -n "my-namespace" --ids "rule-id-1" --ids "rule-id-2"
Remove all connectivity rules:
tcld namespace set-connectivity-rules --namespace "my-namespace" --remove-all
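A guard for scripted rule updates, as an added example rather than Temporal's own tooling: it only prints a tcld command built from the flags shown above, and refuses to fall through to --remove-all, which leaves the namespace with zero rules and therefore reachable from the public internet. The function name build_set_rules_cmd, the ALLOW_PUBLIC_RESET variable and the allowed character set are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: prints (never runs) a tcld set-connectivity-rules command.
# build_set_rules_cmd and ALLOW_PUBLIC_RESET are names made up for this sketch.

build_set_rules_cmd() (
  if [ "$#" -lt 1 ] || [ -z "$1" ]; then
    echo "error: namespace required" >&2; exit 2
  fi
  ns="$1"; shift
  # Conservative charset (an assumption) so the printed line is safe to paste.
  case "$ns" in
    *[!A-Za-z0-9_.-]*) echo "error: bad namespace '$ns'" >&2; exit 2 ;;
  esac

  # No IDs left: the only matching form is --remove-all, which returns the
  # namespace to zero rules, i.e. reachable from the public internet.
  if [ "$#" -eq 0 ]; then
    if [ "${ALLOW_PUBLIC_RESET:-}" != "yes" ]; then
      echo "error: no rule IDs; refusing to emit --remove-all" >&2; exit 3
    fi
    printf 'tcld namespace set-connectivity-rules --namespace "%s" --remove-all\n' "$ns"
    exit 0
  fi

  cmd="tcld namespace set-connectivity-rules --namespace \"$ns\""
  seen=" "
  for id in "$@"; do
    # An empty ID usually means a variable from an earlier step was unset.
    case "$id" in
      ""|*[!A-Za-z0-9_.-]*) echo "error: bad rule ID '$id'" >&2; exit 4 ;;
    esac
    case "$seen" in
      *" $id "*) continue ;;          # drop duplicate IDs
    esac
    seen="$seen$id "
    cmd="$cmd --connectivity-rule-ids \"$id\""
  done
  printf '%s\n' "$cmd"
)

# Constructed sample input, using the placeholder IDs from the page.
build_set_rules_cmd "my-namespace" "rule-id-1" "rule-id-2"
```

Review the printed line before running it; set ALLOW_PUBLIC_RESET=yes only when removing every rule is the intended change.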