Restricting access via an IP Allow List

VIP Go platform specific

This document is for sites running on VIP Go.

Learn more

Overview #

Using the IP Allow List you can limit access to each application environment to a specified list of IP addresses or ranges of IP addresses (aka subnets). Once you have applied the IP Allow List to an environment, any and all requests from an IP address list outside of the allowed list or range will be denied.

The IP Allow List applies to all requests:

  • Requests from logged in and anonymous users
  • Requests for files
  • Requests for a WordPress or Node application
  • Cached and uncached requests

The only exception is services within Automattic’s networks, as these will need access to support the operation of your application.

You control the IP Allow List separately for each environment of your application, e.g. the production environment has a separately controlled IP Allow List to the develop environment.

↑ Top ↑

Viewing and controlling your IP Allow List #

The IP Allow List for an environment is controlled from your VIP Dashboard. Anyone with access to the VIP Dashboard for your application can view the IP Allow List. Only users with write or admin roles on the GitHub repository for your application are authorised to add and remove IP addresses and ranges for your application environments. The UI for the IP Allow List is shown below:

To view the IP Allow List:

  1. Visit the VIP Dashboard
  2. Select the application from the list of applications that you have access to
  3. From the left hand menu for that application, choose “Settings”
  4. At the top of the “Settings” screen choose the environment you want to configure, e.g. “Production”, “Develop”, etc
  5. From the “IP Allow List” section, choose “Configure”

If your IP Allow List is configured, you will be able to see the details here.

If your IP Allow List isn’t configured, you will see a notice saying “Your site is public”.

To add an IP or subnet (aka CIDR range, aka IP range) select the round “+” button top right and follow the directions. Adding the first IP address will immediately deny access from all other IP addresses.

To remove an IP or subnet, select the “trash” (delete) icon to the right of the IP or subnet. Removing the last IP or subnet will make the environment accessible from anywhere on the internet.

↑ Top ↑

Notes #

  • Changes will take up to five minutes to take effect
  • A 403 Forbidden error is what you’ll get when trying to visit your app from an IP not on the IP Allow List
  • Amending the IP Allow List logs an event in our internal audit log

Ready to get started?

Drop us a note.

No matter where you are in the planning process, we’re happy to help, and we’re actual humans here on the other side of the form. 👋 We’re here to discuss your challenges and plans, evaluate your existing resources or a potential partner, or even make some initial recommendations. And, of course, we’re here to help any time you’re in the market for some robust WordPress awesomeness.