Access Control

Access to services that use the TCP or UDP protocol can be restricted using allowlist rules. Only IP addresses or subnets that match a rule will be able to reach your service.

How It Works

When you add one or more allowlist rules to a service, only traffic from the specified IP addresses or subnets is allowed. All other traffic is blocked.

If no rules are configured, the service is open to all traffic (default behavior).

Adding a Rule

1. Navigate to your service settings
2. Find the Access Control section
3. Click Add Rule
4. Enter an IP address or CIDR range
5. Optionally add a comment to describe the rule (e.g. “Office VPN” or “CI server”)

CIDR Notation

Rules use CIDR notation to specify IP ranges:

Rule	What it matches
203.0.113.10	A single IP address
203.0.113.0/24	All IPs from 203.0.113.0 to 203.0.113.255 (256 addresses)
10.0.0.0/8	All IPs from 10.0.0.0 to 10.255.255.255

Common subnet sizes:

• /32 - single IP (same as specifying the IP without a prefix)
• /24 - 256 addresses (e.g. 192.168.1.0/24)
• /16 - 65,536 addresses (e.g. 172.16.0.0/16)

Managing Rules

You can update or delete existing rules at any time. Changes take effect shortly after saving.

Each rule can have an optional comment to help you remember what the rule is for, which is especially useful when managing multiple rules.

Note

Access control rules are only available for TCP and UDP services. HTTP services can use other methods like Basic Auth or private networking with NetBird or Twingate to restrict access.