Skip to content

IP Allow List

Access to individual environments of an application can be restricted by specifying a list of IP addresses—or ranges of IP addresses (aka subnets)—in the VIP Dashboard’s IP Allow List. These settings are useful for sites with highly sensitive content, intranets, and non-production environments. Once an IP Allow List has been applied to an environment, any and all requests from an IP address outside of the allowed list or range will be denied.

Prerequisites

  • To view an environment’s IP Allow List, a user must have at minimum an Org member role.
  • To edit an environment’s IP Allow List, a user must have at minimum an Org admin role or an App admin role for that application.
  • Any IP restrictions at the application level must allow requests from the Automattic network and site access for VIP Support in order for a site to be able to be fully supported.
  • A custom domain must have either a Let’s Encrypt or a custom TLS certificate installed in order for an IP Allow List to restrict access.

Limitations

  • The IP Allow List and Basic Authentication access restriction methods cannot both be active at the same time. If both are activated, Basic Authentication will override the IP Allow List as the active method for access restriction.
  • An active IP Allow List will also block content from Jetpack’s content distribution tools. To modify this behavior, review available options to Control Content Distribution via Jetpack.

Types of requests restricted by an IP Allow List

Once enabled, the IP Allow List will reject any requests from IP addresses outside of the allowed range with a 403 Forbidden error response from VIP’s CDN. This includes requests of the following types:

  • requests from logged in and anonymous users
  • for static files, media files, and dynamically generated content, including REST API endpoints
  • for a WordPress or a Node.js application
  • both cached and uncached requests

The only exception to the list of restricted requests above, is requests from services within Automattic’s networks. These requests require access to support the operation of a VIP application.

Add and edit an IP Allow List

The IP Allow List settings panel is located in the application view of the VIP Dashboard. IP Allow Lists are controlled separately for each environment of an application. Individual IPs and ranges of IP addresses (aka subnets or CIDR range) can both be added, and both IPv4 and IPv6 addresses are accepted.

Changes made to an IP Allow List will take up to 10 minutes to apply to the environment.

  1. Navigate to the VIP Dashboard.
  2. Select an environment from the environment dropdown located at the upper left of the VIP Dashboard to which the settings will apply.
  3. Select “Access & Routing” from the sidebar navigation at the left of the screen.
  4. Select IP Allow List from the submenu.
  5. The IP Allow List panel will display any existing settings.
  6. Add or edit settings by selecting the “Edit IP Allow List” button.
  7. In the “Edit Address List” field, add or remove one IP address or subnet per line.
  8. Select “Update” to save the edited settings.
Screenshot of the IP Allow List settings panel in the VIP Dashboard

Remove IP Allow List settings

An environment can have multiple IP Allow List setting values. Value settings can be removed individually.

  1. Navigate to the VIP Dashboard.
  2. Select an environment from the environment dropdown located at the upper left of the VIP Dashboard to which the settings will apply.
  3. Select “Access & Routing” from the sidebar navigation at the left of the screen.
  4. Select IP Allow List from the submenu.
  5. Select the “Remove” button located to the right of the existing setting.
  6. Select “Confirm“.

To completely disable the IP Allow List feature and allow the environment to be accessible from anywhere on the internet, all IP Allow List setting values must be removed.

Last updated: August 01, 2024

Relevant to

  • Node.js
  • WordPress