Restrict site access with an IP Allow List

Access to individual environments of an application can be limited by specifying a list of IP addresses—or ranges of IP addresses (aka subnets)—in the VIP Dashboard’s IP Allow List. These settings are useful for sites with highly sensitive content, intranets, and non-production environments. Once an IP Allow List has been applied to an environment, any and all requests from an IP address outside of the allowed list or range will be denied.

Types of requests restricted by an IP Allow List

Once enabled, the IP Allow List rejects every request from an IP address outside of the allowed range with a 403 Forbidden error response from our CDN. This applies to requests:

  • from logged-in and anonymous users
  • for static files, media files, and dynamically generated content
  • for a WordPress or a Node application
  • that are cached or uncached

IP Allow List settings will also block content from Jetpack’s content distribution tools. To modify this behavior, review available options to Control Content Distribution via Jetpack.

The only exception to the restrictions listed above is requests from services within Automattic’s networks. These requests require access to support the operation of your application.

Prerequisites

  • All users with access to the VIP Dashboard have permissions to view an environment’s IP Allow List. Only users with an App admin role for the environment’s application have permissions to edit the IP Allow List.
  • Any IP restrictions at the application level must allow requests from the Automattic network and site access for VIP Support in order for the site to be fully supported.

Editing an IP Allow List

The IP Allow List settings panel is located in the application view of the VIP Dashboard. IP Allow Lists are controlled separately for each environment of an application. Both individual IP addresses and ranges of IP addresses (aka subnets or CIDR ranges) can be added, and both IPv4 and IPv6 addresses are accepted.

Changes made to an IP Allow List will take up to five minutes to apply to the environment.

  1. Navigate to the VIP Dashboard and select the “Settings” panel option at the left.
  2. Select the environment to which the settings will apply from the environment dropdown located at the upper left of the VIP Dashboard.
  3. Select “IP Allow List” from the “Access” group on the “Settings” panel.
  4. The IP Allow List panel will display any existing settings.
  5. Add or edit settings by selecting the “Edit IP Allow List” button.
  6. In the “Edit Address List” field, add or remove one IP address or subnet per line.
  7. Select “Update” to save the edited settings.
Screenshot of the IP Allow List settings panel in the VIP Dashboard
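
An added example, not part of the original page and not VIP's own code: a local pre-flight check to run on an allow list before saving it, which flags malformed entries and overly broad ranges and confirms that an address you depend on is covered. It assumes standard CIDR matching; the function names, sample entries and breadth thresholds are constructed for illustration.

```python
import ipaddress

# Constructed sample of the "Edit Address List" field: one entry per line.
SAMPLE_ALLOW_LIST = """\
198.51.100.0/24
203.0.113.7
2001:db8:1234::/48
10.0.0.0/8
10.0.0.5/24
not-an-ip
"""

def parse_allow_list(text):
    """Return (networks, errors) for a list with one IP or CIDR range per line."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # A bare address becomes a /32 or /128; strict=True rejects
            # ranges with host bits set, such as 10.0.0.5/24.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    return networks, errors

def is_allowed(client_ip, networks):
    """True if client_ip falls inside at least one parsed entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)

def broad_entries(networks, min_v4_prefix=16, min_v6_prefix=48):
    """Entries wider than the review thresholds (thresholds are assumptions)."""
    return [n for n in networks
            if n.prefixlen < (min_v4_prefix if n.version == 4 else min_v6_prefix)]

if __name__ == "__main__":
    nets, errs = parse_allow_list(SAMPLE_ALLOW_LIST)
    for lineno, entry, reason in errs:
        print(f"line {lineno}: rejected {entry!r}: {reason}")
    for net in broad_entries(nets):
        print(f"review: {net} covers {net.num_addresses} addresses")
    # Constructed client addresses, e.g. an office egress IP and an outsider.
    for ip in ("203.0.113.7", "203.0.113.8", "2001:db8:1234::1"):
        print(ip, "allowed" if is_allowed(ip, nets) else "would receive 403")
```

Checking the address you are currently connecting from against the parsed list before selecting “Update” helps avoid locking yourself out of the environment.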

Removing an IP Allow List

An environment can have multiple IP Allow List settings. Removing all IP Allow List settings makes the environment accessible from anywhere on the internet.

  1. Navigate to the VIP Dashboard and select the “Settings” panel option at the left.
  2. Select the environment to which the settings will apply from the environment dropdown located at the upper left of the VIP Dashboard.
  3. Select “IP Allow List” from the “Access” group on the “Settings” panel.
  4. Select the “Remove” button located to the right of the existing setting.
  5. Select “Confirm”.

Last updated: January 04, 2022