Networking
Filtering traffic by IP address
Overview
By default, all traffic is allowed to visit your web servers on ports 80, 443, 8080 and 8443. Traffic filtering caters for five exceptions to this:
- Explicitly whitelisting IP addresses
- Explicitly whitelisting traffic from certain countries
- Explicitly blacklisting IP addresses
- Explicitly blacklisting traffic from certain countries
- Forcing traffic to flow via your load balancer(s) rather than hitting servers directly
Cloud 66 also automatically rate limits IP addresses and will temporarily block an address that hits your application too often. Please read our Application Surge Protection guide for more details.
Allowing traffic (whitelisting)
Whitelisting is useful in cases where you need to lock down an application completely and only allow access for a specific IP (or range of IPs) or from specific countries.
To whitelist a list of IP addresses or IP address ranges:
- Open the Application Overview from your Dashboard
- Click on Network in the Application panel on the right of the screen
- Click on the Traffic tab at the top of the main panel
- Add the IP address or range to the Allowed Web Sources field
- Click Review changes and then Apply changes
IP addresses and ranges can be entered as comma separated lists. For example:
23.213.76.19
23.213.76.1/16
23.213.76.19,31.152.18.22,197.222.132.0/24
You can also add lists of addresses via URLs. The URL must point to either a txt or JSON formatted document. See our reference guide for more details.
Whitelisting by country
To whitelist a country or set of countries:
- Open the Application Overview from your Dashboard
- Click on Network in the Application panel on the right of the screen
- Select (or search for) the countries you wish to whitelist in the Only allow traffic from these Countries field
- Click Review changes and then Apply changes
Whitelisting vs Surge Protection
Whitelisting is not the same as removing Application Surge Protection. These are two separate lists with separate functions. A whitelisted IP could still be rate limited.
Denying traffic (blacklisting)
You can also blacklist specific IPs and/or ranges from visiting the ports mentioned above. To do so:
- Open the Application Overview from your Dashboard
- Click on Network in the Application panel on the right of the screen
- Click on the Traffic tab at the top of the main panel
- Add the IP address or range to the Deny Access From field
- Click Review changes and then Apply changes
You can test this by adding your own IP address to the Deny list and then trying to visit your application in the browser. If you've configured this correctly you will get a 403 Forbidden error from your app's Nginx proxy.
As above, you can enter IP addresses in comma separated lists, as ranges, or a combination. You can also add lists of addresses via URLs. The URL must point to either a txt or JSON formatted document. See our reference guide for more details.
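A pre-flight check for the comma separated values described above, for both the Allowed Web Sources and Deny Access From fields. This is an added example, not Cloud 66 code. It shows what each entry covers under standard CIDR rules and which allow entries intersect deny entries. The function names, the 4096-address review threshold and the sample deny value are assumptions; the page does not say how Cloud 66 treats a range with host bits set or which list takes precedence.

```python
import ipaddress

BROAD = 4096  # constructed review threshold, not a Cloud 66 limit


def parse_sources(field_value):
    """Split a comma separated field into (entry, network, notes) tuples."""
    parsed = []
    for raw in field_value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)  # accepts IP or IP/prefix
        except ValueError as exc:
            parsed.append((entry, None, [f"invalid: {exc}"]))
            continue
        net, notes = iface.network, []
        # 23.213.76.1/16 is written like a host but describes a whole /16
        if iface.ip != net.network_address:
            notes.append(f"host bits set, covers {net}")
        if net.num_addresses > BROAD:
            notes.append(f"broad range: {net.num_addresses} addresses")
        parsed.append((entry, net, notes))
    return parsed


def overlaps(allow_value, deny_value):
    """Return (allow_entry, deny_entry) pairs whose ranges intersect."""
    allow = [(e, n) for e, n, _ in parse_sources(allow_value) if n]
    deny = [(e, n) for e, n, _ in parse_sources(deny_value) if n]
    return [(a, d) for a, an in allow for d, dn in deny
            if an.version == dn.version and an.overlaps(dn)]


if __name__ == "__main__":
    # Allow list built from the sample entries on this page
    allow = "23.213.76.19,31.152.18.22,197.222.132.0/24,23.213.76.1/16"
    deny = "23.213.9.9"  # constructed sample value
    for entry, net, notes in parse_sources(allow):
        print(entry, "->", net, "; ".join(notes) or "ok")
    for a, d in overlaps(allow, deny):
        print("allow entry", a, "overlaps deny entry", d)
```
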
Blacklisting by country
This works identically to whitelisting by country above, except that it uses the Block traffic from these Countries field.