Trusted IPs

Learn how to restrict access to your deployments to a list of trusted IP addresses.
Table of Contents

Trusted IPs are available on Enterprise plans

Those with the owner, member and admin roles can manage Trusted IPs

With Trusted IPs enabled at the level of your project, only visitors from an allowed IP address can access your deployment. The deployment URL will return 404 No Deployment Found for all other requests. Trusted IPs is configured by specifying a list of IPv4 addresses and IPv4 CIDR ranges.

Trusted IPs is suitable for customers who access Vercel deployments through a specific IP address. For example, limiting preview deployment access to your VPN. Trusted IPs can also be enabled in production, for example, to restrict incoming access to only requests through your external proxy.

Enabling Trusted IPs.
Enabling Trusted IPs.

The table below outlines key considerations and security implications when using Trusted IPs for your deployments on Vercel.

ConsiderationDescription
General Considerations
Environment ConfigurationCan be enabled for different environments. See Understanding Deployment Protection by environment
CompatibilityOperates as a required layer on top of Vercel Authentication and Password Protection.
Bypass MethodsCan be bypassed using Shareable Links and Protection Bypass for Automation
IP Address SupportSupports IPv4 addresses and IPv4 CIDR ranges
Prerequisites
Preview Environment RequirementsCan only be enabled in preview when Vercel Authentication is also enabled.
External Proxy ConfigurationRequires rulesets configuration to avoid blocking proxy IPs. Contact our sales team for more information
Security Considerations
Firewall PrecedenceVercel Firewall takes precedence over Trusted IPs
IP BlockingIPs or CIDRs listed in IP Blocking will be blocked even if listed in Trusted IPs
DDoS MitigationTrusted IPs do not bypass DDoS Mitigation unless configured
Deployment ImpactChanging the Trusted IPs list affects all deployments
Disabling Trusted IPsDisabling makes all existing deployments accessible from any IP

You can manage Trusted IPs through the dashboard, API, or Terraform:

  1. From your Vercel dashboard:

    1. Select the project that you wish to enable Trusted IPs for
    2. Go to Settings then Deployment Protection
  2. Ensure Vercel Authentication is enabled. See Managing Vercel Authentication.

  3. From the Trusted IPs section:

    1. Use the toggle to enable the feature
    2. Select the deployment environment you want to protect
    3. Enter your list of IPv4 addresses and IPv4 CIDR ranges with an optional note describing the address
    4. Finally, select Save

    All your existing and future deployments will be protected with Trusted IPs for that project. Visitors to your project deployments from IP addresses not included in your list will see a No Deployment Found error page.

You can manage Trusted IPs using the Vercel API endpoint to update an existing project with the following body

  • deploymentType
    • prod_deployment_urls_and_all_previews: Standard Protection
    • all: All Deployments
    • preview: Only Preview Deployments
    • production: Only Production Deployments
  • addresses: Array of addresses
    • value: The IPv4, or IPv4 CIDR address
    • note: Optional note about the address
    • protectionMode
      • additional: IP is required along with other enabled protection methods (recommended setting)
      • additional: IP is required along with other enabled protection methods
// enable / update trusted ips
{
  "trustedIps": {
      "deploymentType": "all" | "preview" | "production" | "prod_deployment_urls_and_all_previews",
      "addresses": { "value": "<value>"; "note": "<note>" | undefined }[],
      "protectionMode": "additional"
  }
}
// disbale trusted ips
{
  "trustedIps": null
}

You can configure Trusted IPs using trusted_ips in the vercel_project data source in the Vercel Terraform Provider.

Last updated on August 29, 2024