IP Restrictions
Access to individual environments of an application can be restricted by specifying a list of IP addresses—or ranges of IP addresses (aka subnets)—to allow or deny access in the VIP Dashboard’s IP Restrictions panel. These settings are useful for sites with highly sensitive content, intranets, and non-production environments.
Prerequisites
- To view an environment’s IP Restrictions, a user must have at minimum an Org member role.
- To edit an environment’s IP Allow or Deny List, a user must have at minimum an Org admin role or an App admin role for that application.
- Any IP Restrictions at the application level must allow requests from the Automattic network and site access for VIP Support in order for a site to be fully supported.
- A custom domain must have either a Let’s Encrypt or a custom TLS certificate installed in order for an IP Allow List to restrict access.
Limitations
- An active IP Restriction List will also block content from Jetpack’s content distribution tools. To modify this behavior, review available options to Control Content Distribution via Jetpack.
- Depending on the particular configuration of an IP Restriction List, external services and tools that connect to a particular application may be blocked. If this happens, an adjustment must be made to the active restriction list to accommodate access needs.
- An IP Restriction List may have no more than 1000 entries. If you require additional entries, please open a ticket with our Support Team.
IP Restriction List Types
IP Restriction Lists come in two types, an IP Allow List and an IP Deny List. Once an IP Allow List has been applied to an environment, any and all requests from an IP address outside of the allowed list or range will be denied. Conversely, if an IP Deny List has been applied to an environment, any and all requests from an IP address within the denied list or range will be denied.
It is not possible to enable both an IP Allow List and an IP Deny List on the same environment at the same time.
Types of requests restricted by an IP Restriction List
Once enabled, an IP Restriction List will reject any requests from IP addresses outside of the allowed range with a 403 Forbidden error response from VIP’s CDN. This includes requests of the following types:
- requests from logged in and anonymous users
- for static files, media files, and dynamically generated content, including REST API endpoints
- for a WordPress or a Node.js application
- both cached and uncached requests
The only exception to the restricted requests listed above is requests from services within Automattic’s networks. These requests require access to support the operation of a VIP application.
Add and edit an IP Restriction List
The IP Restrictions panel is located in the application view of the VIP Dashboard. IP address restrictions are controlled separately for each environment of an application. By default, all environments will have IP Deny List enabled with an empty list.
Changes made to an IP Restriction List will take up to 10 minutes to apply to the environment.
- Navigate to the VIP Dashboard.
- Select an environment from the environment dropdown located at the upper left of the VIP Dashboard to which the settings will apply.
- Select “Access & Routing” from the sidebar navigation at the left of the screen.
- Select “IP Restrictions” from the submenu.
- The IP Restrictions panel will display any existing settings. If no restrictions are currently added, the IP Restrictions panel will have IP Deny List selected and the list below will be blank.
- Select IP Deny List or IP Allow List to define the type of IP Restrictions you wish to enforce. If settings are already defined for the current type of restriction list, these settings will be cleared upon changing the restriction type. A confirmation box will appear allowing you to copy the existing restriction list settings.
- To add entries to a restriction list, select the “+ Add” button. This will bring up a dialog that requests a list of IP Addresses or IP Address Ranges to add along with an optional note for additional context.
- To edit your existing list, select “Edit full list” above the restriction list. This will bring up a dialog showing the full list of restrictions in the format of [IP Address/Range] #[Optional Note]. After making necessary edits to this list, select Save to accept these changes or Cancel to reject them.
Supported IP Address Formats
Individual IPs and ranges of IP addresses (aka subnets or CIDR range) can both be added to an IP Restriction List, and both IPv4 and IPv6 addresses are accepted in the following formats:
- IPv4 address (e.g. 1.2.3.4)
- IPv4 subnet address (e.g. 1.2.0.0/24)
- IPv6 address (e.g. 2001:0DB8:ABCD:0012:0000:0000:0000:0000)
- IPv6 condensed notation (e.g. 2001:DB8:ABCD:12::)
- IPv6 subnet address (e.g. 2001:db8:abcd:0012::0/64)
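A pre-flight check for a list before it is pasted into “Edit full list”, as an added example that is not part of VIP's documentation or tooling: it parses the [IP Address/Range] #[Optional Note] format, validates each entry, enforces the 1000-entry limit, and models which client IPs an Allow or Deny List would block. The function names and sample list are hypothetical, host bits are normalized with `strict=False` as an assumption, and the Automattic network exception is not modeled.

```python
import ipaddress

MAX_ENTRIES = 1000  # entry limit stated under "Limitations"

# Constructed sample list; the last line is a deliberate typo.
SAMPLE = """\
1.2.3.4 # office egress
1.2.0.0/24 # VPN pool
2001:DB8:ABCD:12:: # single IPv6 host
2001:db8:abcd:0012::0/64 # IPv6 subnet
1.2.3.999 # typo
"""

def parse_restriction_list(text):
    """Parse '[IP Address/Range] #[Optional Note]' lines into (network, note) pairs."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        value, _, note = raw.partition("#")
        value = value.strip()
        if not value:
            continue  # blank or note-only line
        try:
            # Assumption: normalize host bits rather than reject them.
            net = ipaddress.ip_network(value, strict=False)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        entries.append((net, note.strip()))
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceeds the {MAX_ENTRIES}-entry limit")
    return entries, errors

def is_blocked(client_ip, entries, list_type):
    """Allow List blocks IPs outside the list; Deny List blocks IPs inside it."""
    if list_type not in ("allow", "deny"):
        raise ValueError("list_type must be 'allow' or 'deny'")
    if not entries:
        return False  # an empty list of either type restricts nothing
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr.version == net.version and addr in net for net, _ in entries)
    return listed if list_type == "deny" else not listed

if __name__ == "__main__":
    entries, errors = parse_restriction_list(SAMPLE)
    print(errors)
    for ip in ("1.2.0.77", "203.0.113.9", "2001:db8:abcd:12::beef"):
        print(ip, "allow-list blocked:", is_blocked(ip, entries, "allow"))
```

Running the same check against the addresses of external services that must reach the environment shows in advance whether an Allow List would cut them off.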
Change or Remove IP Address Restriction Type
Change the restriction type in the IP Restrictions panel by selecting the restriction type that is not currently active. Making this change will clear out the current restriction settings for this environment. To prevent the loss of this information, a confirmation dialog will be displayed, allowing you to copy the existing restriction list settings. Once these settings are copied, selecting Confirm will remove the current access restrictions and allow the addition of new entries of the new restriction type.
Removing all IP Restriction settings can be accomplished in two different ways. Either a user can change the restriction type for an environment which will automatically clear out the current restriction settings or a user can use the “Edit full list” function to clear out the existing restriction settings, saving an empty list.
Edit or Remove Individual IP Restriction entries
It is possible to edit and remove individual IP restriction entries without editing the full list of restrictions.
- Navigate to the VIP Dashboard.
- Select an environment from the environment dropdown located at the upper left of the VIP Dashboard to which the settings will apply.
- Select “Access & Routing” from the sidebar navigation at the left of the screen.
- Select “IP Restrictions” from the submenu.
- Select “Edit” located to the right of the existing entry to edit this entry or select the trashcan icon to delete this particular entry.
- Select “Save”.
To completely disable the IP Allow List feature and allow the environment to be accessible from anywhere on the internet, all IP Allow List setting values must be removed.
Last updated: January 08, 2025