Skip to main content
IP allow list enables account access to be restricted to specific IP addresses or IP ranges. This feature is available to Enterprise customers only. When enabled, only requests from approved IP addresses can access the account. All other requests are blocked. This helps enhance security compliance and enforce network-level access controls. This feature is configured at the account level and applies to all users in the account.

Prerequisites

To manage the IP allow list, you must have the Manage IP Allow List permission. For more information, read Account roles.
By default, when adding the first IP address, the system pre-populates your current public IP address in the form so it can easily be added to the allow list.Enabling IP restrictions without adding your current public IP address will lock you out of your account.Before enabling restrictions:
  • Ensure your current public IP address is added to the allow list. You can find it by searching “What is my IP” in a search engine.
  • Confirm the IP entry is enabled.
  • Allow up to 15 minutes for changes to propagate before testing access.
If you are locked out, raise a support ticket to regain access. For more information, see Getting support.

Add an IP address to the allow list

  1. Open the Profile & Account menu in the bottom left corner.
  2. Select IP Allow List.
  3. Click Add IP Address.
  4. Enter a valid IP address or CIDR range.
  5. (Optional) Add a description to help identify the entry.
  6. Click Save.
The entry is added to the list and can be enabled, disabled, or deleted by using the options menu (three dots) on the right-hand side. For more information, read Managing the IP allow list.

Supported IP address formats

Both IPv4 and IPv6 formats are supported. IPv4 examples:
  • Single IP address: 203.0.113.45
  • CIDR range: 203.0.113.0/24
IPv6 examples:
  • Single IP address: 2001:db8::1
  • CIDR range: 2001:db8::/32

CIDR notation explained

CIDR (Classless Inter-Domain Routing) notation defines a range of IP addresses.
  • Single IPv4 address: Use /32
  • Example: 203.0.113.45/32
  • Single IPv6 address: Use /128
  • Example: 2001:db8::1/128
  • Range examples:
    • /24 (IPv4) allows 256 addresses.
    • /16 (IPv4) allows 65,536 addresses.

Not supported

The following formats can’t be allowlisted:
  • Private IP ranges:
    • 10.0.0.0/8
    • 172.16.0.0/12 → 172.31.0.0/12
    • 192.168.0.0/16
    • 100.64.0.0/10 (carrier-grade NAT)
    • fc00::/7 (IPv6 unique local)
    • fec0::/10 (IPv6 site-local, deprecated)
  • Loopback addresses:
    • 127.0.0.0/8
    • ::1
  • Special purpose addresses:
    • 169.254.0.0/16 / fe80::/10 (link-local)
    • 224.0.0.0/4 / ff00::/8 (multicast)
    • 0.0.0.0/8 / ::/128 (unspecified)
    • 255.255.255.255 (broadcast)
  • Wildcard notation (e.g., 203.0.*.*)
  • Dash-separated ranges (e.g., 203.0.113.1-203.0.113.20)
Only valid IPv4 or IPv6 addresses with optional CIDR notation are accepted.

Managing the IP allow list

After adding entries, you can:
  • Enable or disable individual IPs using the options menu (three dots) on the right-hand side.
  • Delete IP addresses and ranges.
  • Search by IP address, CIDR range, or description.

What happens when restrictions are enabled?

When IP restrictions are enabled:
  • Only requests from allowed IP addresses can access the account (UI and API).
  • All other requests are denied with a 403 Forbidden error.
  • Changes may take up to 15 minutes to propagate across all systems.

Troubleshooting

If you are unable to access your account after enabling IP restrictions:
  • Contact Matillion support by raising a support ticket. Support can:
    • Temporarily disable IP restrictions to restore access.
    • Add your current IP address to the allow list.

Changes not taking effect?

Allow up to 15 minutes for changes to propagate.

Unable to add IP address?

Verify that:
  • The IP address is valid IPv4 or IPv6 with optional CIDR notation that is correctly formatted.
  • The address is not in a private IP range.
  • No wildcard or dash ranges are used.