Connectivity
What are connectivity rules?
Connectivity rules are Temporal Cloud's mechanism for limiting network access to a namespace.
By default, a namespace has zero connectivity rules and is accessible from both the public internet and all private connections you've configured to the region containing the namespace.
When you add connectivity rules, Temporal Cloud will immediately block all traffic that does not have a corresponding connectivity rule from accessing the namespace. One namespace can have multiple connectivity rules, and may mix both public and private rules.
A connectivity rule specifies public (i.e. internet) or private (i.e. AWS PrivateLink or Google Cloud Private Service Connect) access to a namespace. See the linked docs to learn more about setting up those private connections in your cloud provider and configuring DNS for your workers.
Namespace access is always securely authenticated via API keys or mTLS, regardless of connectivity rules.
Only Account Admins and Account Owners can create and manage connectivity rules.
Creating a connectivity rule
Connectivity rules can be created and managed with tcld or Terraform.
A public connectivity rule takes no parameters.
An AWS PrivateLink (PL) connectivity rule requires the following parameters:
connection-id: The VPC endpoint ID of the PL connection (ex: vpce-00939a7ed9EXAMPLE)
region: The region of the PL connection, prefixed with aws (ex: aws-us-east-1). Must be the same region as the namespace. Refer to the Temporal Cloud region list for supported regions.
A GCP Private Service Connect (PSC) connectivity rule requires the following parameters:
connection-id: The ID of the PSC connection (ex: 1234567890123456789)
region: The region of the PSC connection, prefixed with gcp (ex: gcp-us-east1). Must be the same region as the namespace. Refer to the Temporal Cloud region list for supported regions.
gcp-project-id: The ID of the GCP project where you created the PSC connection (ex: my-example-project-123)
Temporal Cloud CLI (tcld)
Create public connectivity rule:
tcld connectivity-rule create --connectivity-type public
Create private connectivity rule (AWS):
tcld connectivity-rule create --connectivity-type private --connection-id "vpce-abcde" --region "aws-us-east-1"
Create private connectivity rule (GCP):
tcld connectivity-rule create --connectivity-type private --connection-id "1234567890" --region "gcp-us-central1" --gcp-project-id "my-project-123"
The cr alias works the same way:
tcld cr create --connectivity-type public
Private connectivity rule:
tcld cr create --connectivity-type private --connection-id "vpce-abcde" --region "aws-us-east-1"
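The parameter constraints above (aws-/gcp- region prefix, vpce- endpoint ID for PrivateLink, gcp-project-id for PSC, and the rule region matching the namespace region) are easy to get wrong at the command line. The following is an added example, not part of the Temporal documentation or tcld: a POSIX sh helper that checks those constraints and prints the tcld command it would run, so a mistyped region or ID is caught before anything is created. The function name and argument order are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Temporal docs): validate connectivity-rule
# parameters as described on the page, then emit the tcld command.
# Nothing is executed; review the output and run it yourself.
#
# Usage: build_create_cmd <aws|gcp> <namespace-region> <connection-id> <rule-region> [gcp-project-id]
build_create_cmd() {
  provider=$1; ns_region=$2; conn_id=$3; region=$4; project=${5:-}

  # The rule's region must be the namespace's region (page requirement).
  if [ "$region" != "$ns_region" ]; then
    echo "error: rule region '$region' does not match namespace region '$ns_region'" >&2
    return 1
  fi

  case "$provider" in
    aws)
      # AWS PrivateLink: VPC endpoint ID plus an aws-prefixed region.
      case "$conn_id" in
        vpce-*) ;;
        *) echo "error: AWS connection-id must be a VPC endpoint ID (vpce-...)" >&2; return 1 ;;
      esac
      case "$region" in
        aws-*) ;;
        *) echo "error: AWS region must be prefixed with aws- (ex: aws-us-east-1)" >&2; return 1 ;;
      esac
      printf 'tcld connectivity-rule create --connectivity-type private --connection-id "%s" --region "%s"\n' \
        "$conn_id" "$region"
      ;;
    gcp)
      # GCP Private Service Connect: gcp-prefixed region and a project ID are required.
      case "$region" in
        gcp-*) ;;
        *) echo "error: GCP region must be prefixed with gcp- (ex: gcp-us-east1)" >&2; return 1 ;;
      esac
      if [ -z "$project" ]; then
        echo "error: GCP rules require a gcp-project-id" >&2
        return 1
      fi
      printf 'tcld connectivity-rule create --connectivity-type private --connection-id "%s" --region "%s" --gcp-project-id "%s"\n' \
        "$conn_id" "$region" "$project"
      ;;
    *)
      echo "error: provider must be aws or gcp" >&2
      return 1
      ;;
  esac
}
```

Pipe the printed command to sh once it looks right, or paste it into your Terraform workflow; the public rule needs no such check since it takes no parameters.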
Terraform
Update connectivity rules on a namespace
Be careful! When any connectivity rules are set on a namespace, that namespace is ONLY accessible via the connections defined in those rules. If you remove a connectivity rule that your workers are using, your traffic will be interrupted.
Temporal Cloud CLI (tcld)
Setting the connectivity rules on a namespace:
tcld namespace set-connectivity-rules --namespace "my-namespace" --connectivity-rule-ids "rule-id-1" --connectivity-rule-ids "rule-id-2"
Or using aliases:
tcld n scrs -n "my-namespace" --ids "rule-id-1" --ids "rule-id-2"
Remove all connectivity rules (this will make the namespace public):
tcld namespace set-connectivity-rules --namespace "my-namespace" --remove-all