Using the IP Allow List, you can limit access to each application environment to a specified list of IP addresses or ranges of IP addresses (aka subnets). Once you have applied the IP Allow List to an environment, all requests from IP addresses outside the allowed list or ranges will be denied.
The IP Allow List applies to all requests:
- Requests from logged in and anonymous users
- Requests for files
- Requests for a WordPress or Node application
- Cached and uncached requests
The only exception is services within Automattic’s networks, as these will need access to support the operation of your application.
You control the IP Allow List separately for each environment of your application, e.g. the production environment has its own IP Allow List, controlled separately from that of the develop environment.
Viewing and controlling your IP Allow List
The IP Allow List for an environment is controlled from your VIP Dashboard. Anyone with access to the VIP Dashboard for your application can view the IP Allow List. Only users with admin roles on the GitHub repository for your application are authorised to add and remove IP addresses and ranges for your application environments. The UI for the IP Allow List is shown below:
To view the IP Allow List:
- Visit the VIP Dashboard
- Select the application from the list of applications that you have access to
- From the left-hand menu for that application, choose “Settings”
- At the top of the “Settings” screen choose the environment you want to configure, e.g. “Production”, “Develop”, etc.
- From the “IP Allow List” section, choose “Configure”
If your IP Allow List is configured, you will be able to see the details here.
If your IP Allow List isn’t configured, you will see a notice saying “Your site is public”.
To add an IP or subnet (aka CIDR range, aka IP range), select the round “+” button at the top right and follow the directions. Adding the first IP address will immediately deny access from all other IP addresses.
To remove an IP or subnet, select the “trash” (delete) icon to the right of the IP or subnet. Removing the last IP or subnet will make the environment accessible from anywhere on the internet.
- Changes will take up to five minutes to take effect
- Visiting your app from an IP address that is not on the IP Allow List returns a 403 Forbidden error
- Amending the IP Allow List logs an event in our internal audit log
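Because adding the first entry immediately denies every other address, it is worth checking a planned list against the addresses that must keep access before saving it. The following is an added example, not VIP's own code: a local Python model of the behaviour described above (empty list is public, otherwise 403 for anything not listed). The function names and sample addresses are constructed for illustration, and the model leaves out the Automattic network exception and the propagation delay.

```python
import ipaddress

def parse_allow_list(entries):
    """Parse single IPs and CIDR ranges; raise ValueError on a malformed entry."""
    networks = []
    for entry in entries:
        # Assumption of this sketch: strict=True rejects ranges with host bits
        # set (e.g. 203.0.113.5/24) so a typo is caught instead of widened.
        networks.append(ipaddress.ip_network(entry.strip(), strict=True))
    return networks

def status_for(client_ip, networks):
    """Return the HTTP status this model gives a client IP: 200 or 403."""
    if not networks:
        return 200  # no entries configured: the environment is public
    addr = ipaddress.ip_address(client_ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return 200
    return 403  # listed nowhere: denied

def locked_out(planned_entries, must_keep_access):
    """Return the addresses in must_keep_access that the planned list denies."""
    networks = parse_allow_list(planned_entries)
    return [ip for ip in must_keep_access if status_for(ip, networks) == 403]

if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    planned = ["198.51.100.7"]                    # first entry about to be added
    required = ["198.51.100.7", "203.0.113.42"]   # office IP and CI runner
    print("would be denied:", locked_out(planned, required))
    planned.append("203.0.113.0/24")
    print("would be denied:", locked_out(planned, required))
```

An empty result from `locked_out` means every address that needs access is covered by the planned list.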