
IP Allowlist Enterprise

Restrict access to your Controlinfra organization by IP address. When enabled, only requests from allowed IP addresses can access your organization's data and APIs.

Overview

The IP allowlist is an Enterprise feature that adds a network-level security layer. Once enabled, any request from an IP not on the list receives a 403 Forbidden response.

Enabling the IP Allowlist

  1. Go to Settings → Security
  2. Find the IP Allowlist section
  3. Toggle Enable IP Allowlist
  4. Add at least one IP address or CIDR range before enabling

WARNING

Before enabling, make sure your current IP address is on the allowlist. Use the Add My IP button to add it automatically. If you lock yourself out, the organization owner can still update the allowlist (see Owner Bypass).

Adding IP Addresses

Single IP Address

  1. Click Add IP
  2. Enter the IP address (e.g., 203.0.113.42)
  3. Optionally add a label (e.g., "Office VPN")
  4. Click Save

CIDR Range

To allow an entire subnet:

  1. Click Add IP
  2. Enter the CIDR range (e.g., 10.0.0.0/8 or 203.0.113.0/24)
  3. Add a label for identification
  4. Click Save

Add My IP Button

Click the Add My IP button to automatically detect and add your current public IP address. This is useful when:

  • Setting up the allowlist for the first time
  • Working from a new location
  • Verifying your current IP is included

Managing Entries

Action    Description
Add       Add a new IP or CIDR range
Edit      Update the label for an existing entry
Delete    Remove an IP or CIDR range from the allowlist

TIP

Label your entries descriptively (e.g., "NYC Office", "GitHub Actions", "VPN Exit Node") so you can identify them later.

Owner Bypass

The organization owner can always update the IP allowlist settings, even if their current IP is not on the list. This prevents permanent lockout scenarios.

How Owner Bypass Works

When the org owner makes a request to update IP allowlist settings specifically, the IP check is bypassed. All other API calls from the owner are still subject to the allowlist. This ensures:

  • The owner can always fix a misconfigured allowlist
  • Day-to-day access still requires an allowed IP
  • The bypass is limited to allowlist management only

What Happens When Blocked

When a request comes from an IP not on the allowlist:

  • Web UI: The user sees an access denied page explaining that their IP is not allowed
  • API: Returns 403 Forbidden with a JSON error:
{
  "error": "Access denied",
  "message": "Your IP address is not on the organization's allowlist",
  "code": "IP_NOT_ALLOWED"
}
  • CLI: Displays an error message with the blocked IP address
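
The allowlist check, the owner bypass and the 403 response described above can be modelled in a few lines. This is an added example, not Controlinfra's own code: the function names, the route name `org.settings.ip_allowlist` and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Constructed sample entries (documentation ranges); not a real configuration.
ALLOWLIST = ["203.0.113.0/24", "198.51.100.7"]
# Hypothetical route name for the allowlist settings endpoint (assumption).
ALLOWLIST_SETTINGS_ROUTE = "org.settings.ip_allowlist"
DENIED_BODY = {
    "error": "Access denied",
    "message": "Your IP address is not on the organization's allowlist",
    "code": "IP_NOT_ALLOWED",
}


def parse_entries(entries):
    """Turn single IPs and CIDR ranges into network objects.

    strict=True rejects ranges with host bits set (e.g. 203.0.113.5/24),
    which are usually typos that allow a different range than intended.
    """
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]


def ip_allowed(client_ip, networks):
    """True if client_ip falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source address: fail closed
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack listeners.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


def authorize(client_ip, is_owner, route, enabled, networks):
    """Return (status, body) for one request under the rules on this page."""
    if not enabled or ip_allowed(client_ip, networks):
        return 200, None
    # Owner bypass: limited to allowlist management, nothing else.
    if is_owner and route == ALLOWLIST_SETTINGS_ROUTE:
        return 200, None
    return 403, DENIED_BODY
```

Running `authorize` with your own current IP against a draft list before enabling shows whether the change would lock you out.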

Common Configurations

Office Network Only

203.0.113.0/24    — Main office
198.51.100.0/24   — Branch office

Office + VPN

203.0.113.0/24    — Office network
10.8.0.0/16       — VPN subnet

Office + CI/CD

203.0.113.0/24    — Office network
140.82.112.0/20   — GitHub Actions

Best Practices

  1. Always add your IP first — Use the "Add My IP" button before enabling the allowlist
  2. Use CIDR ranges — Avoid adding individual IPs when a range covers your network
  3. Label everything — Use descriptive labels so you know what each entry represents
  4. Include CI/CD IPs — If you use the API from CI pipelines, add those IP ranges
  5. Review regularly — Remove stale entries when employees leave or offices change
  6. Test before enforcing — Have a second admin verify access after enabling
