Tutorial: Control Who Can Access What
By default, every device on your Rabtly network can talk to every other device. This is great for getting started, but for teams and sensitive environments you’ll want finer control.
Time: 10 minutes | Difficulty: beginner
What is Access Control?
Access control lets you write rules like:
- “Developers can SSH to servers, but not touch the database”
- “The app server can reach the database on port 5432”
- “Deny everything else”
These rules are checked for every connection attempt across your network.
Using the Visual Editor
Open Access Control
In the dashboard sidebar, click Access Control.
Switch to the Visual Editor tab
You’ll see a graph showing your nodes and the connections between them. Green lines mean traffic is allowed; red means denied.
Add a rule
Click Add Rule in the right panel. Fill in:
| Field | Example | Meaning |
|---|---|---|
| From | alice-macbook or * | Who is connecting |
| To | database or * | Where they’re connecting to |
| Ports | 22, 5432, or * | Which ports |
| Action | allow or deny | What to do |
Apply the rules
Click Save. The new rules take effect immediately — no restart needed.
Rules are checked top to bottom. Put your most specific rules first, and end with a catch-all deny rule (From *, To *, Ports *) if you want to block everything not explicitly allowed.
Example: Typical team setup
Here’s a simple ruleset for a team:
| From | To | Ports | Action |
|---|---|---|---|
| * (anyone) | staging | 22, 80, 443 | allow |
| app-server | database | 5432 | allow |
| * | * | * | deny |
This means:
- Anyone can SSH and browse the staging server
- Only the app server can reach the database
- Everything else is blocked
Using the JSON editor
If you prefer to write rules directly, click the JSON tab. The policy format looks like this:
```json
{
  "acls": [
    { "action": "accept", "src": ["*"], "dst": ["staging:22,80,443"] },
    { "action": "accept", "src": ["app-server"], "dst": ["database:5432"] },
    { "action": "deny", "src": ["*"], "dst": ["*:*"] }
  ]
}
```
Click Save when done.
Testing your rules
Use the Traffic Tester (in the visual editor’s right panel) to check if a specific connection would be allowed or denied before saving:
- Enter a source node
- Enter a destination node and port
- Click Test — you’ll see “Allowed” or “Denied”
This lets you verify your rules without affecting live traffic.
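To review a policy offline, the sketch below evaluates the JSON ruleset from this page top to bottom and flags rules that sit behind a catch-all. It is an added example, not Rabtly's code: first-match-wins semantics, the host:ports parsing, the function names and the (None, None) result when no rule matches are all assumptions.

```python
import json

# Policy copied from the JSON editor example on this page.
POLICY = json.loads("""
{
  "acls": [
    { "action": "accept", "src": ["*"], "dst": ["staging:22,80,443"] },
    { "action": "accept", "src": ["app-server"], "dst": ["database:5432"] },
    { "action": "deny", "src": ["*"], "dst": ["*:*"] }
  ]
}
""")

def parse_dst(entry):
    """Split 'host:ports' into (host, set of ports); '*' means any (assumed syntax)."""
    host, _, ports = entry.rpartition(":")
    if not host:
        raise ValueError(f"dst entry needs host:ports, got {entry!r}")
    return host, ({"*"} if ports == "*" else {int(p) for p in ports.split(",")})

def rule_matches(rule, src, dst, port):
    if not any(s in ("*", src) for s in rule["src"]):
        return False
    for entry in rule["dst"]:
        host, ports = parse_dst(entry)
        if host in ("*", dst) and ("*" in ports or port in ports):
            return True
    return False

def evaluate(policy, src, dst, port):
    """Return (action, rule index) of the first matching rule, or (None, None)."""
    for i, rule in enumerate(policy["acls"]):
        if rule_matches(rule, src, dst, port):
            return rule["action"], i
    return None, None  # assumption: the caller decides what 'no match' means

def shadowed_rules(policy):
    """Indexes of rules placed after a catch-all (src * -> *:*); they can never match."""
    for i, rule in enumerate(policy["acls"]):
        if "*" in rule["src"] and "*:*" in rule["dst"]:
            return list(range(i + 1, len(policy["acls"])))
    return []

if __name__ == "__main__":
    for src, dst, port in [("alice-macbook", "staging", 22),
                           ("alice-macbook", "database", 5432),
                           ("app-server", "database", 5432)]:
        print(src, "->", f"{dst}:{port}", evaluate(POLICY, src, dst, port))
```

Moving the catch-all deny to the top of the list makes `shadowed_rules` report every rule after it, which is the ordering mistake the top-to-bottom note warns about.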