---
title: "IP access control"
date: "2026-04-23T11:06:58+00:00"
summary:
image:
type: "page"
url: "/acquia-cloud-platform/add-ons/edge-standard/ip-access-control"
id: "c8bbe062-e104-46a0-8d6a-df8ee2a5c34d"
---

IP access control allows or blocks traffic based on the client’s IP address or IP range. You can use IP access control to:

*   Allow trusted internal or partner networks.
*   Block known malicious or unwanted sources.
*   Reduce false positives from rate limiting by allowlisting internal IPs.

IP access control applies before other security features. If traffic is blocked by IP access control, it does not reach downstream protections.

### Accessing IP access control

To manage IP access control:

1.  In the Edge console, go to **Security**.
2.  Select **Rule configuration**.
3.  Select the _IP access control_ tab.

The IP access control tab shows rules that apply across your domains, including:

*   Rule name
*   Type (Allow or Block)
*   IP addresses or ranges
*   Description (if configured)
*   Date created
*   Actions (Edit rule, Delete rule)

### How IP access control works

IP access control rules evaluate incoming requests based on the client IP:

*   **Allow rules**: Explicitly allow traffic from the configured IPs or ranges.
*   **Block rules**: Explicitly block traffic from the configured IPs or ranges.

Rules are evaluated in order of precedence:

1.  Allow rules
2.  Block rules
3.  Other security features, such as rate limiting and WAF policies

If an IP matches both an allow rule and a block rule, the allow rule takes precedence.

Note

IP access control does not replace other security features. It is primarily intended for trusted sources and clear-cut blocks such as a specific abusive IP.

### IP formats

You can configure IP access control rules using:

*   Single IP addresses, such as 203.0.113.10
*   CIDR ranges, such as 203.0.113.0/24

    A CIDR range covers multiple IP addresses. For example, 203.0.113.0/24 includes all IPs from 203.0.113.0 to 203.0.113.255.

Use the narrowest range that meets your needs to avoid unintentionally allowing or blocking large networks.
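
The following is an added example, not part of the product or its documentation. It is a local Python pre-flight check that models the documented precedence (allow, then block, then downstream features) and audits a proposed rule set for wide ranges and for block entries that an allow entry overrides. The sample entries, the function names, the rejection of ranges with host bits set, and the 64-address review threshold are assumptions.

```python
import ipaddress

# Constructed sample entries (documentation address space), not real rules.
ALLOW = ["203.0.113.0/28", "198.51.100.7"]
BLOCK = ["203.0.113.0/24", "198.51.100.7", "192.0.2.10/24"]

def parse(entries):
    """Return (networks, rejected). strict=True rejects ranges with host bits set."""
    nets, rejected = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError:
            rejected.append(entry)
    return nets, rejected

def decide(client_ip, allow, block):
    """Model of the documented precedence: allow, then block, then the rest."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in allow):
        return "allow"
    if any(ip in net for net in block):
        return "block"
    return "downstream"  # rate limiting, WAF policies

def audit(allow, block, max_addresses=64):
    """Flag wide ranges and block entries that an allow entry overrides.

    max_addresses is an assumed review threshold, not a product limit.
    """
    findings = [("broad", str(n)) for n in allow + block
                if n.num_addresses > max_addresses]
    for b in block:
        for a in allow:
            if a.version != b.version:
                continue
            if b.subnet_of(a):      # every blocked address is also allowed
                findings.append(("shadowed", str(b), str(a)))
            elif a.overlaps(b):     # part of the blocked range is allowed
                findings.append(("partly_allowed", str(b), str(a)))
    return findings

if __name__ == "__main__":
    allow, bad_allow = parse(ALLOW)
    block, bad_block = parse(BLOCK)
    print("rejected:", bad_allow + bad_block)
    for ip in ("203.0.113.5", "203.0.113.200", "198.51.100.7", "192.0.2.1"):
        print(ip, "->", decide(ip, allow, block))
    for finding in audit(allow, block):
        print(finding)
```

A `shadowed` finding means the block entry never takes effect while the allow entry exists; a `partly_allowed` finding means only the addresses outside the allow range are blocked.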

### Create an allow rule

Use an allow rule to prevent internal or partner traffic from being blocked by other protections, such as rate limiting.

To create an allow rule:

1.  In the Edge Console, go to **Security > Rule configuration > IP access control**.
2.  Select **Create rule**.
3.  In **Rule type**, select **Allow**.
4.  In **IP addresses**, enter one or more IP addresses or CIDR ranges.
5.  (Optional) Enter a Description that explains who or what uses these IPs.
6.  Select **Create rule**.

After saving, the rule deploys to the network. Traffic from the configured IPs is treated as trusted.

Tip: Use allow rules for the following:

*   Corporate office egress IPs
*   VPN gateways
*   Monitoring tools and trusted partners

### Create a block rule

Use a block rule to immediately stop traffic from known malicious or unwanted IPs or ranges.

To create a block rule:

1.  In the UI Console, go to **Security > Rule configuration > IP access control**.
2.  Select **Create rule**.
3.  In **Rule type**, select **Block**.
4.  In **IP addresses**, enter one or more IP addresses or CIDR ranges.
5.  (Optional) Enter a Description that identifies the source, such as a known scanner.
6.  Select **Create rule**.

After saving, the rule deploys to the network. Traffic from the configured IPs is blocked at the edge.

Warning

Blocking large IP ranges can affect legitimate users who share public infrastructure such as cloud providers or mobile carrier networks. Use block rules conservatively.

### Edit an IP access control rule

To edit an existing rule:

1.  In the UI Console, go to **Security > Rule configuration > IP access control**.
2.  In the row for the rule you want to change, select **Actions > Edit rule**.
3.  Update the rule type (Allow or Block), IP addresses or ranges, and description as needed.
4.  Select **Update rule**.

The updated configuration is deployed to the network after you save.

### Delete an IP access control rule

To delete a rule:

1.  In the UI Console, go to **Security > Rule configuration > IP access control**.
2.  In the row for the rule you want to remove, select **Actions > Delete rule**.
3.  Confirm that you want to delete the rule.

Warning

Deleting an allow rule removes its protection. For example, if an internal VPN IP is no longer allowlisted, that traffic can once again be affected by rate limiting or other protections.

### Use IP access control with rate limiting

IP access control and rate limiting are often used together:

*   Allow rules prevent internal or partner networks from being blocked when they naturally generate higher traffic, such as shared VPN IPs.
*   Rate limiting manages abusive or unexpected high‑volume traffic from the rest of the internet.

### Recommended pattern:

*   Configure IP access control to allowlist internal and critical partner IPs.
*   Configure one or more rate limiting rules (global and/or domain‑specific).
*   Monitor security metrics to confirm that:
    *   Trusted sources are not blocked.
    *   Untrusted sources are appropriately limited.