IP Lists

IP lists allow you to create allow and deny rules using IP addresses, IP address ranges, or CIDR blocks. These values in your rules will deny or allow access to your resources. For instructions on selecting or creating IP lists, see the in-application help pop-ups.

Overview of IP Lists

After you define an IP list, you can use it in rulesets to create rules for traffic flows. When you provision the rulesets, the rules allow or deny traffic.

Rules that use IP lists are programmed on one side of the connection only. IP lists can be used as a destination and a source.

Examples of Different IP List Entries

Single IP

You can use IPv4 or IPv6.

Examples:

  • 127.0.0.1
  • 2001:0db8:0a0b:12f0:0000:0000:0000:0001

CIDR Block

Use a slash to indicate a CIDR block.

Examples:

  • 192.168.100.0/24
  • 2620:0:860:2::/64

IP Ranges

Use a hyphen to indicate an IP range.

Example:

  • 10.0.0.0-10.255.255.255

Comments

Use a hash symbol to indicate a line comment.

Example:

  • 23.4.55.6 #Comment Text

Exclusions

Use an exclamation point to exclude an IP address, CIDR block, or IP range.

The excluded IP addresses must be within the included IP range.

Examples:

  • !192.168.100.0/30
  • !3ffe:1900:4545:3:200:f8ff:fe21:67cf

More Information on IP List Exclusions

In IP lists, you can exclude certain IP addresses or subnets from a broader IP subnet.

For example, you might want to exclude a list of IP addresses within an IP range that should not access certain workloads. Or, you might want to open up a set of workloads to any IP address (0.0.0.0/0 and ::/0), but exclude a set of IP addresses that keep attempting unauthorized access to your workloads.

NOTE:

Any (0.0.0.0/0) refers to IP addresses not associated with resources.

When you use an IP list with exclusions in a rule, any IP addresses that are marked as exclusions are not allowed, while all the others in the IP list are allowed.

IP List Exclusions Caveat

To add an IP address or subnet exclusion, use an exclamation point followed by the IP address, CIDR block, or IP range as shown above. However, the following caveat applies when using the exclamation point:

  • For example, to add 192.16.0.0/12 as an allowed IP address but exclude an IP address from this CIDR block, enter the following value, without the exclamation point:

    • 192.31.43.0-192.31.43.100
  • For example, to add a CIDR block but exclude a portion of the CIDR block, enter the following values:

    • 10.0.0.0/8
    • !10.1.0.0/24

    In this example, the first block would be included, and the second block would be excluded.
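
The following added example (not part of the product or its documentation) parses the entry syntax described on this page and applies the exclusion rule for an allow rule: an address is permitted only if it falls inside an included entry and inside no excluded entry. The function names, the rejection of CIDR blocks with host bits set, and the check that each exclusion fits within a single included entry are assumptions made for illustration.

```python
import ipaddress

def parse_entry(line):
    """Return (excluded, first_ip, last_ip), or None for a blank/comment-only line."""
    text = line.split("#", 1)[0].strip()        # '#' starts a line comment
    if not text:
        return None
    excluded = text.startswith("!")             # '!' marks an exclusion
    text = text.lstrip("!").strip()
    if "/" in text:                             # CIDR block
        net = ipaddress.ip_network(text)        # assumption: host bits set is an error
        return excluded, net[0], net[-1]
    if "-" in text:                             # hyphenated IP range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return excluded, lo, hi
    ip = ipaddress.ip_address(text)             # single IPv4 or IPv6 address
    return excluded, ip, ip

def covers(outer, inner):
    """True if the (first, last) span `outer` fully contains the span `inner`."""
    return (outer[0].version == inner[0].version
            and outer[0] <= inner[0] and inner[1] <= outer[1])

def load_ip_list(lines):
    """Split entries into includes and excludes; report exclusions outside every include."""
    includes, excludes = [], []
    for line in lines:
        entry = parse_entry(line)
        if entry:
            (excludes if entry[0] else includes).append(entry[1:])
    # Simplification (assumption): an exclusion must sit inside one included entry.
    orphans = [e for e in excludes if not any(covers(i, e) for i in includes)]
    return includes, excludes, orphans

def is_allowed(ip, includes, excludes):
    """Allow-rule semantics: inside some include and inside no exclusion."""
    addr = ipaddress.ip_address(ip)
    span = (addr, addr)
    return (any(covers(i, span) for i in includes)
            and not any(covers(e, span) for e in excludes))

# Constructed sample list that reuses entry values shown on this page.
SAMPLE = ["10.0.0.0/8", "!10.1.0.0/24", "192.168.100.0/24 #Comment Text",
          "!192.168.100.0/30", "2620:0:860:2::/64",
          "!3ffe:1900:4545:3:200:f8ff:fe21:67cf"]  # lies outside every include

if __name__ == "__main__":
    inc, exc, orphans = load_ip_list(SAMPLE)
    print("exclusions outside any included entry:", orphans)
    print("10.1.0.7 allowed?", is_allowed("10.1.0.7", inc, exc))
```

Running it flags the last sample exclusion because it is not within any included entry, which is the condition the Exclusions section requires.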