Tutorial: Control Who Can Access What
By default, every device on your Rabtly network can talk to every other device — they all start in one group called default, and devices in the same group always reach each other. That’s great for getting started, but for teams and sensitive environments you’ll want finer control.
Time: 10 minutes
Difficulty: beginner
How Rabtly access control works
Rabtly’s access control is group-based and default-deny:
- You sort devices into groups (for example laptops, servers, database).
- You add allow rules between groups — “this group may reach that group”.
- Devices in the same group can always reach each other.
- Anything you don’t explicitly allow is blocked.
There are no “deny” rules and no wildcards — you describe what is allowed, and everything else is denied automatically. Each allow rule can optionally be restricted to specific ports and protocols (for example only TCP 22, or only TCP 5432).
Rules connect groups, never individual devices or IP addresses. To change what a device can reach, move it into a different group or add a rule between groups.
Step 1 — Create your groups
Open Access Control
In the dashboard sidebar, click Access Control, then open the Groups tab.
Create a group
Click New group, give it a lowercase name (e.g. servers, database, laptops), optionally a description and colour, then Create group.
Assign devices
On any group, click Manage devices, tick the devices that belong in it, and Save changes. Unticked devices fall back to the default group.
Step 2 — Allow traffic between groups
Open the Map tab. You’ll see each group as a node. There are three ways to add a rule:
| View | How you add a rule |
|---|---|
| Map | Drag from the edge of one group to another to let them talk |
| Matrix | Click the cell where a “from” row meets a “to” column to toggle it on |
| List | Click Add connection and pick the two groups |
A new connection defaults to two-way. Select it to open the inspector, where you can:
- Set the direction (→, ↔, or ←)
- Restrict it to specific ports (choose All ports or Specific, then add rows like tcp/22, tcp/5432, udp/53)
- Add a note describing the rule
Changes apply as soon as you save — no restart needed.
Step 3 — Test before you trust
Click Test reachability (top-right of the Access Control page). Pick a source group and a destination group and Rabtly shows the verdict against your current, unsaved policy:
- Two-way — both groups can initiate to each other
- One-way — traffic is allowed in a single direction
- Blocked — not allowed
- Same group — always reachable on all ports
This lets you verify a change before you commit it.
Example: a typical team setup
| Groups | Rule |
|---|---|
| laptops → staging | allow TCP 22, 80, 443 |
| app → database | allow TCP 5432 |
| (everything else) | blocked by default |
This means developers’ laptops can SSH and browse staging, the app group can reach the database on Postgres only, and nothing else is permitted — you never write the “deny everything” rule, because default-deny is the baseline.
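The team setup above as a small Python model of the group-based, default-deny evaluation. This is an added illustration, not Rabtly's code or its export format. The names `Rule`, `DEVICE_GROUP`, `allowed`, `verdict` and `unrestricted` and the device names are hypothetical, and it assumes a two-way rule's port list applies in both directions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset = frozenset()  # empty set = all ports; entries like "tcp/22"
    two_way: bool = False           # True models the "↔" direction

# Constructed sample data mirroring the team setup table (device names are made up).
DEVICE_GROUP = {"dev-laptop": "laptops", "stage-web": "staging",
                "api-1": "app", "pg-1": "database"}
RULES = [
    Rule("laptops", "staging", frozenset({"tcp/22", "tcp/80", "tcp/443"})),
    Rule("app", "database", frozenset({"tcp/5432"})),
]

def group_of(device):
    # Devices not assigned to a group fall back to "default".
    return DEVICE_GROUP.get(device, "default")

def matches(rule, src, dst):
    # Assumption: a two-way rule's port list applies in both directions.
    return (rule.src, rule.dst) == (src, dst) or (
        rule.two_way and (rule.dst, rule.src) == (src, dst))

def allowed(src_dev, dst_dev, port, rules=RULES):
    """May src_dev initiate a connection to dst_dev on port (e.g. "tcp/22")?"""
    src, dst = group_of(src_dev), group_of(dst_dev)
    if src == dst:
        return True  # same group: always reachable on all ports
    return any(matches(r, src, dst) and (not r.ports or port in r.ports)
               for r in rules)  # no matching allow rule means default-deny

def verdict(a, b, rules=RULES):
    """Group-level verdict using the four categories from Step 3."""
    if a == b:
        return "same group"
    fwd = any(matches(r, a, b) for r in rules)
    rev = any(matches(r, b, a) for r in rules)
    return "two-way" if fwd and rev else "one-way" if fwd or rev else "blocked"

def unrestricted(rules=RULES):
    """Least-privilege review: rules that allow all ports."""
    return [r for r in rules if not r.ports]
```

`unrestricted()` is the check to run when reviewing a policy: any rule it returns allows every port between two groups and is a candidate for narrowing.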
Use the Export button to download your saved policy as JSON for backup or version control. (The dashboard is the editor — there’s no JSON import.)