IP allowlisting restricts access to your SecureAI instance so that only connections from approved IP addresses or ranges can reach the platform. This is a common requirement for enterprise security policies and compliance frameworks.
Prerequisites
Before you begin, ensure you have:
- Admin access to your SecureAI instance.
- A list of approved IP addresses or CIDR ranges for your organization (e.g., office networks, VPN exit points, cloud infrastructure).
- Knowledge of whether your users connect through a NAT gateway, proxy, or VPN (this affects which IPs to allowlist).
How IP Allowlisting Works
When IP allowlisting is enabled, SecureAI checks the source IP of every incoming request against your allowlist. Requests from IPs not on the list receive a 403 Forbidden response and cannot access the application.
| Scenario | Behavior |
|---|---|
| Request from allowlisted IP | Access granted normally |
| Request from non-allowlisted IP | Blocked with 403 Forbidden |
| Allowlist is empty (feature enabled) | All access blocked -- see Lockout Recovery |
| Feature disabled | All IPs can access the instance |
Important: IP allowlisting applies to all users, including administrators. If you misconfigure the allowlist, you can lock yourself out. Always include your current IP before saving.
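The following is a reference model of the check described in this section, added here as an example; it is not SecureAI code and the class and function names are assumptions. It encodes the behaviour in the table above (exact or CIDR match, IPv4 and IPv6, empty list with the feature enabled blocks everyone, feature disabled admits everyone) and adds the pre-save lockout guard from the Important note. Two choices are this example's own rather than documented SecureAI behaviour: entries with host bits set (such as 203.0.113.10/24) are rejected instead of silently widened, and an IPv4-mapped IPv6 source (::ffff:203.0.113.10) is matched as its IPv4 form.

```python
"""Reference model of an IP allowlist check (added example, not SecureAI code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_entry(entry: str) -> Network:
    """Parse one allowlist entry ("203.0.113.10" or "203.0.113.0/24").

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network. strict=True
    rejects entries with host bits set, e.g. "203.0.113.10/24", so a typo
    cannot silently widen a single host into a whole subnet (example's choice).
    """
    return ipaddress.ip_network(entry.strip(), strict=True)


def _candidates(source_ip: str) -> list[Address]:
    """Addresses to test for one request.

    An IPv4 client reaching a dual-stack listener can appear as an IPv4-mapped
    IPv6 address (::ffff:203.0.113.10); also testing its IPv4 form is this
    example's assumption, not documented SecureAI behaviour.
    """
    addr = ipaddress.ip_address(source_ip.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return [addr, addr.ipv4_mapped]
    return [addr]


@dataclass
class Allowlist:
    enabled: bool
    entries: list[Network] = field(default_factory=list)

    @classmethod
    def from_strings(cls, enabled: bool, entries: Iterable[str]) -> Allowlist:
        return cls(enabled=enabled, entries=[parse_entry(e) for e in entries])

    def permits(self, source_ip: str) -> bool:
        """True if a request from source_ip should be served."""
        if not self.enabled:
            return True  # feature off: every IP gets through
        candidates = _candidates(source_ip)
        # Feature on with no entries: any() over nothing is False, so the
        # request is blocked, matching the "allowlist is empty" row above.
        # Membership across IP versions is always False, so a v4 address
        # never matches a v6 prefix or vice versa.
        return any(c in net for net in self.entries for c in candidates)

    def would_lock_out(self, admin_ip: str) -> bool:
        """Pre-save guard: would this list block the admin who is saving it?"""
        return not self.permits(admin_ip)


def http_status(allowlist: Allowlist, source_ip: str) -> int:
    """The response the page describes: 200 when permitted, 403 otherwise."""
    return 200 if allowlist.permits(source_ip) else 403


if __name__ == "__main__":
    # Constructed entries using documentation prefixes (RFC 5737 / RFC 3849).
    proposed = Allowlist.from_strings(True, ["203.0.113.0/24", "2001:db8::/32"])
    admin_ip = "198.51.100.7"  # constructed: the admin's current public IP
    if proposed.would_lock_out(admin_ip):
        # Add the admin's own address before saving, as Step 3 insists.
        proposed.entries.append(parse_entry(admin_ip))
    for ip in ["203.0.113.10", "203.0.114.1", "2001:db8:1::5",
               "::ffff:203.0.113.10", admin_ip]:
        print(f"{ip:>22} -> {http_status(proposed, ip)}")
```

The `would_lock_out` guard is the programmatic form of the warning in Step 3: run it against your own current IP before every save, and refuse the save if it returns True.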
Step 1: Identify Your IP Addresses
Before configuring the allowlist, gather the IP addresses your organization uses:
- Office networks: Check your corporate firewall or router for your public IP, or visit a service like https://checkip.amazonaws.com from your office network.
- VPN exit points: Get the egress IP ranges from your VPN provider or IT team.
- Remote workers: If remote employees connect without a VPN, their ISP-assigned addresses are usually dynamic and may be shared with other customers behind carrier-grade NAT, so allowlisting them is both fragile and broader than intended. Prefer requiring VPN usage so their traffic exits from a range you control.
- Cloud services: If automated systems (CI/CD, monitoring) access SecureAI via API, include their outbound IPs.
Tip: Use CIDR notation for ranges (e.g., 203.0.113.0/24 covers 203.0.113.0 through 203.0.113.255). This is more maintainable than listing individual IPs.
Step 2: Enable IP Allowlisting
- Log in to SecureAI as an administrator.
- Navigate to Admin Panel > Settings > Security.
- Locate the IP Allowlisting section.
- Toggle Enable IP Allowlisting to on.
Step 3: Add IP Addresses or Ranges
- In the IP Allowlisting section, click Add Entry.
- Enter an IP address or CIDR range:
| Format | Example | What It Covers |
|---|---|---|
| Single IPv4 | 203.0.113.10 | One address |
| CIDR range | 203.0.113.0/24 | 256 addresses (203.0.113.0--203.0.113.255) |
| Single IPv6 | 2001:db8::1 | One address |
| IPv6 CIDR | 2001:db8::/32 | Every address in the 2001:db8::/32 prefix |
- Add a description for each entry (e.g., "HQ office," "AWS us-east-1 NAT gateway"). This helps when auditing or updating the list later.
- Repeat for all required IPs and ranges.
- Verify your current IP is included -- the admin panel displays your current IP at the top of the allowlist section.
- Click Save.
Warning: Double-check that your current IP address is in the allowlist before saving. If it is not, you will be locked out immediately.
Step 4: Test the Configuration
- From an allowlisted IP, confirm you can access SecureAI normally.
- From a non-allowlisted IP (e.g., a mobile phone on cellular data), confirm that access is blocked with a 403 error.
- Test API access if your organization uses the SecureAI API -- API requests are also subject to the allowlist.
Managing the Allowlist
Adding New IPs
When your organization adds a new office, VPN endpoint, or cloud service:
- Go to Admin Panel > Settings > Security > IP Allowlisting.
- Click Add Entry, enter the IP or CIDR range with a description.
- Click Save.
Removing IPs
When an office closes or a VPN endpoint is decommissioned:
- Go to Admin Panel > Settings > Security > IP Allowlisting.
- Find the entry and click Remove.
- Click Save.
Auditing the Allowlist
Review your allowlist quarterly or whenever your network topology changes. Remove entries for decommissioned infrastructure and verify descriptions are accurate.
Lockout Recovery
If you accidentally lock yourself out by misconfiguring the allowlist:
- Contact your SecureAI account team -- they can modify the allowlist from the infrastructure level.
- Use a known allowlisted network -- connect from an IP that is on the list (e.g., your office VPN) and correct the configuration.
- Cloud Run console (self-hosted deployments) -- if you manage your own deployment, update the environment variable or configuration file that defines the allowlist, then redeploy.
Best Practice: Before making changes to the allowlist, note your current IP and confirm it will remain on the list after the change.
Common CIDR Ranges
| CIDR | Number of IPv4 addresses | Typical Use |
|---|---|---|
| /32 | 1 | Single server or device |
| /28 | 16 | Small office |
| /24 | 256 | Medium office or subnet |
| /16 | 65,536 | Large corporate network |
Note: these counts are for IPv4. The same prefix lengths cover vastly larger address blocks in IPv6, so size IPv6 entries separately.
Integration with Other Security Features
IP allowlisting works alongside other SecureAI security features:
- SSO (SAML/OIDC): Users must pass both IP allowlisting and SSO authentication. Even with valid SSO credentials, requests from non-allowlisted IPs are blocked.
- API keys: API requests are subject to the same IP restrictions. Ensure your API clients' egress IPs are allowlisted.
- Audit logging: Blocked access attempts from non-allowlisted IPs are logged in the audit log under Admin Panel > Monitoring > Audit Log.
Troubleshooting
Users report intermittent access issues
If users are sometimes blocked and sometimes not, they may be connecting through a load balancer or NAT with multiple egress IPs. Check with your IT team for the full range of possible egress IPs and add the entire CIDR range.
VPN users cannot connect
Verify that the VPN exit node IPs are on the allowlist. Some VPN providers rotate exit IPs -- in this case, allowlist the provider's published IP range.
API calls fail with 403 after enabling allowlisting
Ensure that the IPs of your API clients (servers, CI/CD pipelines, monitoring tools) are included in the allowlist. Check the audit log to see which IP was blocked.
IPv6 connections blocked
If your network uses IPv6, ensure you have added the relevant IPv6 addresses or ranges to the allowlist. SecureAI checks both IPv4 and IPv6 addresses.