Allowing specific IP addresses

By default, all IP addresses can be used to log in to the IBM Cloud® console and access classic infrastructure APIs. You can specify which IP addresses have access and which IP addresses are restricted. You can specify this access at the user level or at the account level. Currently, only public IP addresses are supported.

Before you begin

  • When an IP address restriction is defined for both the account and the user, the IP address needs to match both specifications to be able to generate an IAM token.
  • When you allow only specific IP addresses to access an IBM Cloud account, users can't access the IBM Cloud Shell CLI. This is because the Cloud Shell is hosted on a shared platform that can't satisfy the IP address allowlist.

Allowing specific IP addresses for a user

If you are assigned the following access, you can update the restricted IP addresses for another user:

  • An IAM policy with the Editor or higher role on the User management service.
  • You are an ancestor in the classic infrastructure hierarchy for the user and you have the Manage users classic infrastructure permission assigned.

If the User-managed login setting is enabled on your User details page, you can manage this setting for yourself.

To restrict a user to using only specific IP addresses, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Users.

  2. Select a user from the list.

  3. From the User details page, go to the IP address restrictions section.

  4. For Cloud platform, enter the IP addresses. The IP addresses listed are the only ones from which this user can log in to IBM Cloud®.

  5. For Classic infrastructure, enter the IP addresses. The IP addresses listed are the only ones from which the user can call a classic infrastructure API.

    You can enter a single IP address (17.5.7.8), an IP address range (17.5.7.8 - 17.5.9.5), or an IP subnet (17.5.0.0/16). Make sure to use IPv4 or IPv6 addresses, and to separate multiple values with a comma. If an IP address restriction already exists, the resource overrides the restriction.

  6. Click Save.

To enter a classic infrastructure IP address, the user must have already created a classic infrastructure API key.

Allowing specific IP addresses for an account

If you are assigned the following access, you can update the restricted IP addresses for an account:

  • An IAM policy with the Editor, Operator, or Administrator role on the IAM identity service.

To restrict all users to using only specific IP addresses, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Settings.

  2. From the Account section, enable the IP address access setting.

  3. Enter the IP addresses. The IP addresses listed are the only ones from which users in the account can log in to IBM Cloud®. You can enter a single IP address (17.5.7.8), an IP address range (17.5.7.8 - 17.5.9.5), an IP subnet (17.5.0.0/16), or a network zone (networkZoneName). Make sure to use IPv4 or IPv6 addresses, and to separate multiple values with a comma. If an IP address restriction already exists, the resource overrides the restriction.

  4. Click Save.

Allowing specific IP addresses for an account by using Terraform

If you are assigned the following access, you can update the restricted IP addresses for an account:

  • An IAM policy with the Editor, Operator, or Administrator role on the IAM identity service.

To restrict all users to using only specific IP addresses, complete the following steps:

  1. In your Terraform configuration file, find the Terraform code that you used to create the iam_account_settings_instance.

  2. Enter the IP addresses to which you want to restrict all users. The IP addresses listed are the only ones from which users in the account can log in to IBM Cloud®.

     resource "ibm_iam_account_settings" "iam_account_settings_instance" {
       # Comma-separated list: single address, address range, subnet
       allowed_ip_addresses = "17.5.7.8, 17.5.7.8 - 17.5.9.5, 17.5.0.0/16"
     }
    
  3. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan
      
    2. Run terraform apply to create the resources that are defined in the plan.

      terraform apply
      

For more information, see the Terraform documentation.

You can enter a single IP address (17.5.7.8), an IP address range (17.5.7.8 - 17.5.9.5), an IP subnet (17.5.0.0/16), or a network zone (networkZoneName). Make sure to use IPv4 or IPv6 addresses, and to separate multiple values with a comma. If an IP address restriction already exists, the resource overrides the restriction.
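
The following pre-apply check is an added example, not IBM's code or the Terraform provider's own validation: it parses an allowlist string in the format described above and applies the rule from Before you begin that an address must match both the account and the user restriction. The function names are hypothetical, and three behaviours are assumptions: an empty value means no restriction, a non-numeric entry is a network zone name, and zone names never match locally.

```python
import ipaddress

def parse_entry(entry):
    """Return (low, high) bounds for one entry, or None for a network zone name."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty allowlist entry")
    parts = [p.strip() for p in entry.split("-")]
    try:
        if len(parts) == 2:  # range form: "17.5.7.8 - 17.5.9.5"
            low, high = (ipaddress.ip_address(p) for p in parts)
            if low.version != high.version or low > high:
                raise ValueError("bad range")
            return low, high
        net = ipaddress.ip_network(entry, strict=False)  # single address or subnet
        return net.network_address, net.broadcast_address
    except ValueError:
        # Assumption: an entry that looks numeric is a mistyped address, not a zone name.
        if entry[0].isdigit() or ":" in entry or "/" in entry:
            raise ValueError(f"invalid allowlist entry: {entry!r}") from None
        return None  # network zone name; cannot be resolved offline

def parse_allowlist(value):
    """Parse a comma-separated allowlist; an empty value means no restriction (assumption)."""
    if not value or not value.strip():
        return None
    return [parse_entry(e) for e in value.split(",")]

def matches(allowlist, client_ip):
    """True if client_ip falls inside any address, range or subnet entry."""
    if allowlist is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    # Zone names (None) are skipped, so they never count as a match here.
    return any(b and b[0].version == ip.version and b[0] <= ip <= b[1]
               for b in allowlist)

def token_allowed(account_value, user_value, client_ip):
    """The address must satisfy both the account and the user restriction."""
    return (matches(parse_allowlist(account_value), client_ip)
            and matches(parse_allowlist(user_value), client_ip))

if __name__ == "__main__":
    # Constructed sample values, reusing the address formats shown on this page.
    account = "17.5.7.8 - 17.5.9.5, networkZoneName"
    user = "17.5.7.8"
    for ip in ("17.5.7.8", "17.5.8.200", "203.0.113.10"):
        print(ip, token_allowed(account, user, ip))
```

Running it against the address you administer from, before you save the setting or run terraform apply, shows whether that address would still be allowed once the restriction takes effect.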