Manage IP access list
The documentation only applies to instances deployed on Alokai@Edge.
IP access lists allow you to control traffic by allowing or blocking requests based on client IP addresses. This feature is often used to secure staging environments, internal dashboards, or to limit access to trusted networks only.
You can define two types of lists:
- Allowed list - only requests originating from the listed IP addresses are permitted. All others are blocked.
- Blocked list - requests originating from the listed IP addresses are denied. All others are allowed.
Configuration
General behavior
- Lists are disabled by default and cannot be enabled when empty.
- Only one list (Allowed or Blocked) can be enabled at a time.
- You can add entries to a list regardless of whether it is currently enabled or disabled.
- Both IPv4 and IPv6 addresses are supported.
- Changes (adding, removing, enabling, or disabling) may take a few minutes to propagate.
Steps
- Choose the list type you want to use: Allowed or Blocked.
- Add entries to the list: provide IP addresses in IPv4 (192.0.2.1), IPv6 (2001:db8::1), or CIDR range (198.51.100.0/24).
- Enable the list once it contains at least one entry.
Keep in mind that adding only an IPv4 address may not be sufficient – if clients also connect over IPv6, you should add the corresponding IPv6 address to ensure consistent blocking.
Notes
- The Allowed list acts as a whitelist – any IP not on the list will be blocked.
- The Blocked list denies only the listed IPs – all other requests are permitted.
- Be careful not to lock yourself out – always include your own IP when enabling the Allowed list.
- To update an entry, delete it first and then add a new one – editing is not supported.
- To remove the last element from a list, you must disable the list first.
CIDR format
You can add a subnet mask after the IP address using /. If omitted, a /32 is assumed by default, allowing only that single IP. Read more about CIDR format.
IP allow list & other security features
Basic Auth
When Basic Auth and the IP access list are enabled simultaneously:
- For addresses on the IP allow list, Basic Auth is not required.
Order of processing security features
The processing sequence of security features is described in a separate document.
Best practices
Secure staging or admin environments
- Restrict access to development, testing, or admin panels to specific corporate or VPN IPs.
Combine with Basic Auth for layered security
- Use the IP access list to limit exposure and Basic Auth as an additional protection for users outside your trusted network.
Keep entries up to date
- Review the list regularly and remove obsolete IPs. Rotate addresses if your ISP or VPN provider changes them.
Avoid overly broad ranges
- Restricting by large subnets (e.g., /8) may reduce security and defeat the purpose of an allowlist.
Examples
Correct usage
- Single IPv4: 203.0.113.42
- Single IPv6: 2001:db8::1
- Corporate subnet (CIDR): 198.51.100.0/24
Incorrect usage
- Empty list (cannot be enabled).
- Invalid format: 203.0.113.999 (out of IPv4 range).
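Pre-flight check
The rules above can be checked locally before a list is enabled. The script below is an added example, not part of the Alokai documentation or tooling: the names parse_entry and preflight, the breadth thresholds in MIN_PREFIX, and the /128 default for a bare IPv6 address are assumptions, and the sample entries are constructed.

```python
import ipaddress

# Assumed thresholds: the page only says large subnets such as /8 are too broad.
MIN_PREFIX = {4: 16, 6: 32}

def parse_entry(entry):
    """Parse one entry. A bare address becomes a single-host network:
    /32 for IPv4 as the page states, /128 for IPv6 (assumption).
    Host bits are tolerated here; the platform's handling is not documented."""
    return ipaddress.ip_network(entry.strip(), strict=False)

def preflight(entries, own_ips, list_type="allowed"):
    """Return (errors, warnings) for a list that is about to be enabled.
    own_ips: addresses you connect from, over IPv4 and/or IPv6."""
    errors, warnings, nets = [], [], []
    for entry in entries:
        try:
            nets.append(parse_entry(entry))
        except ValueError:
            errors.append(f"invalid entry: {entry}")
    if not nets:
        errors.append("list is empty and cannot be enabled")
    for net in nets:
        if net.prefixlen < MIN_PREFIX[net.version]:
            warnings.append(f"overly broad range: {net}")
    versions = {net.version for net in nets}
    for ip in map(ipaddress.ip_address, own_ips):
        covered = any(ip.version == n.version and ip in n for n in nets)
        if list_type == "allowed" and not covered:
            errors.append(f"lockout risk: {ip} is not on the Allowed list")
        if list_type == "blocked" and covered:
            errors.append(f"lockout risk: {ip} is on the Blocked list")
        if nets and ip.version not in versions:
            warnings.append(f"no IPv{ip.version} entries, but clients use IPv{ip.version}")
    return errors, warnings

if __name__ == "__main__":
    # Constructed sample: one bad entry, one broad range, admin reachable over IPv6.
    sample = ["203.0.113.42", "198.51.100.0/24", "203.0.113.999", "10.0.0.0/8"]
    errs, warns = preflight(sample, ["198.51.100.7", "2001:db8::1"])
    for line in errs + warns:
        print(line)
```

Treat any reported error as a reason not to enable the list yet; warnings are prompts to review the entry.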