Restrict site access with an IP Allow List

Access to individual environments of an application can be limited by specifying a list of IP addresses—or ranges of IP addresses (aka subnets)—in the VIP Dashboard’s IP Allow List. These settings are useful for sites with highly sensitive content, intranets, and non-production environments. Once an IP Allow List has been applied to an environment, any and all requests from an IP address outside of the allowed list or range will be denied.

Note

The IP Allow List and Basic Authentication access restriction methods cannot both be active at the same time. If both are activated, Basic Authentication will take precedence.

Types of requests restricted by an IP Allow List

Once enabled, the IP Allow List will reject any requests from IP addresses outside of the allowed range with a 403 Forbidden error response from our CDN. This includes requests of the following types:

  • requests from logged-in and anonymous users
  • requests for static files, media files, and dynamically generated content
  • requests for a WordPress or a Node.js application
  • both cached and uncached requests

IP Allow List settings will also block content from Jetpack’s content distribution tools. To modify this behavior, review available options to Control Content Distribution via Jetpack.

The only exception to the list of restricted requests above is requests from services within Automattic’s networks. These requests require access to support the operation of your application.

Prerequisites

  • To view an environment’s IP Allow List, a user must have at minimum an Org member role.
  • To edit an environment’s IP Allow List, a user must have at minimum an Org admin role or an App admin role for that application.
  • Any IP restrictions at the application level must allow requests from the Automattic network and site access for VIP Support in order for the site to be fully supported.
  • A custom domain must have either a Let’s Encrypt or a custom TLS certificate installed in order for an IP Allow List to restrict access.

Editing an IP Allow List

The IP Allow List settings panel is located in the application view of the VIP Dashboard. IP Allow Lists are controlled separately for each environment of an application. Both individual IPs and ranges of IP addresses (aka subnets or CIDR ranges) can be added, and both IPv4 and IPv6 addresses are accepted.

Changes made to an IP Allow List will take up to 10 minutes to apply to the environment.

  1. Navigate to the VIP Dashboard and select the “Settings” panel option at the left.
  2. Select the environment to which the settings will apply from the environment dropdown located at the upper left of the VIP Dashboard.
  3. Select “IP Allow List” from the “Access” group on the “Settings” panel.
  4. The IP Allow List panel will display any existing settings.
  5. Add or edit settings by selecting the “Edit IP Allow List” button.
  6. In the “Edit Address List” field, add or remove one IP address or subnet per line.
  7. Select “Update” to save the edited settings.
Screenshot of the IP Allow List settings panel in the VIP Dashboard
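
A draft list can be checked locally before it is pasted into the “Edit Address List” field. The following Python script is an added example, not VIP's own code: the function names, the sample addresses and the checks it applies (host bits, /0 prefixes) are assumptions of this example and do not describe how the VIP Dashboard validates input.

```python
import ipaddress

# Constructed sample draft (documentation address ranges), one entry per line.
SAMPLE_DRAFT = """\
203.0.113.7
198.51.100.0/24
2001:db8:abcd::/48
198.51.100.77/24
0.0.0.0/0
not-an-ip
"""

def parse_allow_list(text):
    """Parse a draft (one IP or CIDR per line) into (networks, findings)."""
    networks, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            findings.append((lineno, entry, "not an IPv4/IPv6 address or CIDR range"))
            continue
        net = iface.network  # normalised form, host bits cleared
        if iface.ip != net.network_address:
            findings.append((lineno, entry, f"host bits set; range is {net}"))
        if net.prefixlen == 0:
            findings.append((lineno, entry, "matches every address of this IP version"))
        networks.append(net)
    return networks, findings

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any parsed entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    nets, findings = parse_allow_list(SAMPLE_DRAFT)
    for lineno, entry, reason in findings:
        print(f"line {lineno}: {entry!r}: {reason}")
    # With the 0.0.0.0/0 entry present, every IPv4 client matches the list.
    for ip in ("198.51.100.200", "192.0.2.10", "2001:db8:ffff::1"):
        print(ip, "allowed" if is_allowed(ip, nets) else "outside the list (403)")
```

Resolve every finding before saving, and confirm that your own egress address is reported as allowed so the update does not lock you out of the environment.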

Removing an IP Allow List

An environment can have multiple IP Allow List settings. Removal of all IP Allow List settings will enable the environment to be accessible from anywhere on the internet.

  1. Navigate to the VIP Dashboard and select the “Settings” panel option at the left.
  2. Select the environment to which the settings will apply from the environment dropdown located at the upper left of the VIP Dashboard.
  3. Select “IP Allow List” from the “Access” group on the “Settings” panel.
  4. Select the “Remove” button located to the right of the existing setting.
  5. Select “Confirm”.

Last updated: August 12, 2022