Netlify’s IP Restrictions feature lets you control who can access your site by specifying allowed and blocked IP addresses or ranges.

Here’s how it works and how to set it up.

Setting Up IP Restrictions

  1. Navigate to your site’s settings: In your Netlify dashboard, select the site you want to configure. Go to Site settings > Access control > IP address restrictions.

  2. Add IP addresses or ranges:

    • Allow specific IPs: To grant access to particular IP addresses, click Add IP address and enter the IP. For example, 192.168.1.100.
    • Allow IP ranges: You can also allow entire subnets using CIDR notation. For example, 192.168.1.0/24 will allow all IPs from 192.168.1.0 to 192.168.1.255.
    • Block specific IPs/ranges: Similarly, you can block access from specific IPs or ranges. Click Add IP address and prepend the IP or range with !. For example, !10.0.0.5 will block a single IP, and !10.0.0.0/8 will block the entire 10.x.x.x range.

  3. Save your changes: After adding your IPs and ranges, click Save.

How Netlify Handles IP Restrictions

When a request comes to your Netlify site, Netlify checks the incoming IP address against your configured rules.

  • If the IP is explicitly allowed, the request proceeds.
  • If the IP is explicitly blocked, the request is denied with a 403 Forbidden response.
  • If you have any IP restrictions configured (either allow or block), and the IP is not explicitly allowed, it will be denied by default. This is a crucial point: if you start with an "allow list," all other IPs are implicitly blocked.

Example Scenario

Let’s say you want to restrict access to your staging site so only your office IP address (203.0.113.10) and your home IP address (198.51.100.50) can access it. You also want to block a specific malicious IP (192.0.2.1).

Your configuration would look like this:

  • Allow:
    • 203.0.113.10
    • 198.51.100.50
  • Block:
    • !192.0.2.1

With this setup:

  • Requests from 203.0.113.10 and 198.51.100.50 will be allowed.
  • Requests from 192.0.2.1 will be blocked.
  • Requests from any other IP address (e.g., 1.1.1.1) will also be blocked because they are not on the explicit allow list.

Important Considerations

  • Dynamic IPs: If your IP address changes frequently (common with home internet connections), you’ll need to update your Netlify configuration regularly. Services that provide dynamic DNS can help, but you’ll need to manage the updates.
  • CIDR Notation: Understanding CIDR notation is essential for managing ranges efficiently.
    • /32 is a single IP address (e.g., 192.168.1.100/32 is the same as 192.168.1.100).
    • /24 covers 256 addresses (e.g., 192.168.1.0/24 covers 192.168.1.0 through 192.168.1.255).
    • /16 covers 65,536 addresses (e.g., 10.0.0.0/16 covers 10.0.0.0 through 10.0.255.255).
  • Order of Operations: Netlify processes rules based on specificity and the explicit allow/block directives. If an IP matches a block rule, it’s blocked unless it also matches a more specific allow rule. However, the general rule is: if you have any IP restrictions, an IP must be explicitly allowed to pass.
  • CDN vs. Origin: IP restrictions apply to the edge network. If you have backend functions or services that your Netlify site interacts with, you’ll need to implement IP restrictions on those services separately.
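
The evaluation order described under "How Netlify Handles IP Restrictions" and "Order of Operations", modelled as an added Python example (not Netlify's code and not part of the original page). The function names, the sample rule lists and the tie-break when an allow and a block share the same prefix length are assumptions. It goes one step beyond the page by checking which of your own addresses a rule set would lock out before you save it.

```python
import ipaddress

def parse_rules(entries):
    """Turn entries like '203.0.113.10' or '!10.0.0.0/8' into (network, is_allow)."""
    rules = []
    for entry in entries:
        entry = entry.strip()
        is_allow = not entry.startswith("!")  # '!' prefix marks a block rule
        # A bare address becomes a /32 (or /128) network.
        rules.append((ipaddress.ip_network(entry.lstrip("!"), strict=False), is_allow))
    return rules

def evaluate(client_ip, rules):
    """Return 'allow' or 'deny' under the semantics this page describes."""
    if not rules:
        return "allow"  # no restrictions configured: site is open
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, ok) for net, ok in rules if ip in net]
    if not matches:
        return "deny"  # implicit deny once any rule exists
    # Most specific (longest prefix) match wins.
    longest = max(net.prefixlen for net, _ in matches)
    verdicts = [ok for net, ok in matches if net.prefixlen == longest]
    # Assumption: on an allow/block tie at the same prefix length, block wins.
    return "allow" if all(verdicts) else "deny"

def would_lock_out(rules, must_reach):
    """List the addresses in must_reach that the rule set would deny."""
    return [ip for ip in must_reach if evaluate(ip, rules) == "deny"]

# Constructed sample: the staging configuration from the Example Scenario.
STAGING = parse_rules(["203.0.113.10", "198.51.100.50", "!192.0.2.1"])
# Constructed sample: a broad block with a more specific allow inside it.
NESTED = parse_rules(["!10.0.0.0/8", "10.1.2.3"])

if __name__ == "__main__":
    for ip in ["203.0.113.10", "192.0.2.1", "1.1.1.1"]:
        print(ip, evaluate(ip, STAGING))
    print("10.1.2.3", evaluate("10.1.2.3", NESTED))
    print("locked out:", would_lock_out(STAGING, ["203.0.113.10", "203.0.113.11"]))
```

In the staging sample, removing the !192.0.2.1 entry does not change any verdict, because the implicit deny already covers every address that is not on the allow list.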

Troubleshooting

If you’re blocked unexpectedly, the most common culprit is a misunderstanding of the implicit deny rule. If you’ve added any IP restriction, all IPs not explicitly allowed will be blocked. Double-check that the IP you’re testing from is correctly listed in your "Allow" rules.

The next step after setting up IP restrictions is often managing access for different user roles or environments, which might involve Netlify’s Identity features or more granular branch deploys.
