IP access control allows or blocks traffic based on the client’s IP address or IP range. You can use IP access control to:
Allow trusted internal or partner networks.
Block known malicious or unwanted sources.
Reduce false positives from rate limiting by allowlisting internal IPs.
IP access control applies before other security features. If traffic is blocked by IP access control, it does not reach downstream protections.
Accessing IP access control
To manage IP access control:
In the Edge console, go to Security.
Select Rule configuration.
Select the IP access control tab.
The IP access control tab shows rules that apply across your domains, including:
Rule name
Type (Allow or Block)
IP addresses or ranges
Description (if configured)
Date created
Actions (Edit rule, Delete rule)
How IP access control works
IP access control rules evaluate incoming requests based on the client IP:
Allow rules: Explicitly allow traffic from the configured IPs or ranges.
Block rules: Explicitly block traffic from the configured IPs or ranges.
Rules are evaluated in order of precedence:
Allow rules
Block rules
Other security features, such as rate limiting and WAF policies
If an IP matches both an allow rule and a block rule, the allow rule takes precedence.
Note
IP access control does not replace other security features. It is primarily intended for trusted sources and clear-cut blocks such as a specific abusive IP.
IP formats
You can configure IP access control rules using:
Single IP addresses such as 203.0.113.10
CIDR ranges such as 203.0.113.0/24
A CIDR range covers multiple IP addresses. For example, 203.0.113.0/24 includes all IPs from 203.0.113.0 to 203.0.113.255.
Use the narrowest range that meets your needs to avoid unintentionally allowing or blocking large networks.
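The following added example (not Acquia code and not part of the product) models the precedence described above so that a rule list can be reviewed before it is entered in the console. It shows how an allow range silently overrides an overlapping block entry and flags ranges that are wider than a review threshold. The rule dictionary layout, the rule names, and the /24 threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules using reserved documentation/benchmark ranges.
# The dict layout and names are hypothetical, not an export format.
RULES = [
    {"name": "office-egress", "type": "allow", "ips": ["203.0.113.0/24"]},
    {"name": "abusive-host", "type": "block", "ips": ["203.0.113.10"]},
    {"name": "scanner-range", "type": "block", "ips": ["198.18.0.0/15"]},
]

def _nets(rule):
    # strict=True rejects entries with host bits set, such as 203.0.113.10/24
    return [ipaddress.ip_network(e, strict=True) for e in rule["ips"]]

def decide(client_ip, rules=RULES):
    """Return 'allow', 'block', or 'continue' (passed on to rate limiting/WAF)."""
    ip = ipaddress.ip_address(client_ip)
    for rule_type in ("allow", "block"):  # allow rules are evaluated first
        for rule in rules:
            if rule["type"] == rule_type and any(ip in n for n in _nets(rule)):
                return rule_type
    return "continue"

def shadowed_blocks(rules=RULES):
    """Block entries overlapping an allow entry; allow wins for the overlap."""
    found = []
    allows = [r for r in rules if r["type"] == "allow"]
    for b in (r for r in rules if r["type"] == "block"):
        for bn in _nets(b):
            for a in allows:
                for an in _nets(a):
                    if bn.version == an.version and bn.overlaps(an):
                        found.append((b["name"], str(bn), a["name"], str(an)))
    return found

def broad_entries(rules=RULES, min_prefix=24):
    """IPv4 entries wider than min_prefix (an assumed review threshold)."""
    return [(r["name"], str(n), n.num_addresses)
            for r in rules for n in _nets(r)
            if n.version == 4 and n.prefixlen < min_prefix]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.18.5.5", "192.0.2.1"):
        print(ip, "->", decide(ip))
    print("shadowed:", shadowed_blocks())
    print("broad:", broad_entries())
```

In the sample data, the block on 203.0.113.10 never takes effect because the address sits inside the allowlisted /24, which is the kind of conflict worth resolving before both rules are deployed.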
Create an allow rule
Use an allow rule to prevent internal or partner traffic from being blocked by other protections, such as rate limiting.
To create an allow rule:
In the Edge Console, go to Security > Rule configuration > IP access control.
Select Create rule.
In Rule type, select Allow.
In IP addresses, enter one or more IP addresses or CIDR ranges.
(Optional) Enter a Description that explains who or what uses these IPs.
Select Create rule.
After saving, the rule deploys to the network. Traffic from the configured IPs is treated as trusted.
Tip: Use allow rules for the following:
Corporate office egress IPs
VPN gateways
Monitoring tools and trusted partners
Create a block rule
Use a block rule to immediately stop traffic from known malicious or unwanted IPs or ranges.
To create a block rule:
In the UI Console, go to Security > Rule configuration > IP access control.
Select Create rule.
In Rule type, select Block.
In IP addresses, enter one or more IP addresses or CIDR ranges.
(Optional) Enter a Description that identifies the source, such as a known scanner.
Select Create rule.
After saving, the rule deploys to the network. Traffic from the configured IPs is blocked at the edge.
Warning
Blocking large IP ranges can affect legitimate users who share public infrastructure such as cloud providers or mobile carrier networks. Use block rules conservatively.
Edit an IP access control rule
To edit an existing rule:
In the UI Console, go to Security > Rule configuration > IP access control.
In the row for the rule you want to change, select Actions > Edit rule.
Update the rule type (Allow or Block), IP addresses or ranges, and description as needed.
Select Update rule.
The updated configuration is deployed to the network after you save.
Delete an IP access control rule
To delete a rule:
In the UI Console, go to Security > Rule configuration > IP access control.
In the row for the rule you want to remove, select Actions > Delete rule.
Confirm that you want to delete the rule.
Warning
Deleting an allow rule removes its protection. For example, if an internal VPN IP is no longer allowlisted, that traffic can once again be affected by rate limiting or other protections.
Use IP access control with rate limiting
IP access control and rate limiting are often used together:
Allow rules prevent internal or partner networks from being blocked when they naturally generate higher traffic, such as shared VPN IPs.
Rate limiting manages abusive or unexpected high‑volume traffic from the rest of the internet.
Recommended pattern:
Configure IP access control to allowlist internal and critical partner IPs.
Configure one or more rate limiting rules (global and/or domain‑specific).
Monitor security metrics to confirm that:
Trusted sources are not blocked.
Untrusted sources are appropriately limited.
IP access control | Acquia Product Documentation