As an optional security measure, you can configure an application to allow only IP addresses you specify to access it in the Cloud Platform user interface.

By default, users who are members of a team assigned to an application can sign in to the Cloud Platform user interface and access the application from any IP address. Cloud Platform controls user access with a username and password, the roles and permissions assigned to users, and optionally, two-step verification.

For extra security, you can prohibit users from signing in to the Cloud Platform user interface unless they do so from one of the IP addresses you specify. This feature, IP address allowlisting, affects only access to the Cloud Platform user interface. IP address allowlisting doesn’t affect normal access to the websites you host on Cloud Platform.

IP address allowlisting

IP address allowlisting controls access to Cloud Platform resources after requests originate from non-allowlisted IP addresses. The allowlist applies to the following services:

• Cloud Platform user interface: You must allowlist your IP address to use the page, as it relies on platform APIs.

• API-based access: All direct calls to Cloud Platform endpoints, such as https://cloud.acquia.com/api

Traffic to your hosted websites is not restricted by this feature. Site visitors can access your applications regardless of their IP address.

Automated processes that call APIs from outside your corporate network or VPN are blocked unless you allowlist their egress IP addresses. These processes include:

• Continuous Integration/Continuous Deployment (CI/CD) runners and pipelines

• External monitoring and health-check services

• Custom automation scripts and batch jobs

Fixing broken integrations

To fix an integration that stops working after you enable allowlisting:

1. Identify the public egress IP address of the integration.

2. Add the IP address to the allowlist.

3. Use static IP addresses: If your integration runs from a cloud provider with dynamic IP addresses, use a stable egress strategy, such as a Network Address Translation (NAT) gateway or static egress, and allowlist that specific IP address.

Enabling IP address allowlisting

Only users who have the Owner or Administrator role for an application’s organization can enable or disable IP address allowlisting for an application. 
To enable IP address allowlisting:

1. Sign in to the Cloud Platform user interface with the Owner or Administrator role.
2. Select the application you want to work with.
3. In the menu on the left side, click Security.
4. On the Security page, click Edit Settings to open the Edit security settings page.
5. In the IP restrictions list, click Only allow allowlisted IPs.
6. Enter an IP address you want to allow to access your application through the Cloud Platform user interface. Click Add another to add more IP addresses. Cloud Platform does not support adding IP address ranges.
7. Click Save.

If you must allowlist Acquia’s IP addresses for your websites or services, create a Support ticket to obtain the necessary information.

Securing your application with IP address allowlisting

IP address allowlisting controls access to Cloud Platform resources after requests originate from non-allowlisted IP addresses. The allowlist applies to the following services:

• Cloud Platform user interface: You must allowlist your IP address to use the page, as it relies on platform APIs.

• API-based access: All direct calls to Cloud Platform endpoints, such as https://cloud.acquia.com/api

Traffic to your hosted websites is not restricted by this feature. Site visitors can access your applications regardless of their IP address.

Automated processes that call APIs from outside your corporate network or VPN are blocked unless you allowlist their egress IP addresses. These processes include:

• Continuous Integration/Continuous Deployment (CI/CD) runners and pipelines

• External monitoring and health-check services

• Custom automation scripts and batch jobs

Fixing broken integrations

To fix an integration that stops working after you enable allowlisting:

1. Identify the public egress IP address of the integration.

2. Add the IP address to the allowlist.

3. Use static IP addresses: If your integration runs from a cloud provider with dynamic IP addresses, use a stable egress strategy, such as a Network Address Translation (NAT) gateway or static egress, and allowlist that specific IP address.

Enabling IP address allowlisting

Only users who have the Owner or Administrator role for an application’s organization can enable or disable IP address allowlisting for an application. 
To enable IP address allowlisting:

1. Sign in to the Cloud Platform user interface with the Owner or Administrator role.
2. Select the application you want to work with.
3. In the menu on the left side, click Security.
4. On the Security page, click Edit Settings to open the Edit security settings page.
5. In the IP restrictions list, click Only allow allowlisted IPs.
6. Enter an IP address you want to allow to access your application through the Cloud Platform user interface. Click Add another to add more IP addresses. Cloud Platform does not support adding IP address ranges.
7. Click Save.

If you must allowlist Acquia’s IP addresses for your websites or services, create a Support ticket to obtain the necessary information.