Firewall Traffic Rules

The full functionality of this feature is available on Enterprise plans and requires High-Performance Edge.
For other plans, a subset of the functionality is included. Learn more.

Create Firewall Traffic Rules to block or allow project traffic based on:

  • Client IP addresses and IP ranges.
  • Geolocation: an entire country, or a subregion of a country (such as California or Crimea) based on ISO codes for subregions.

If an IP address is blocked, the site visitor is directed to a Netlify-branded 404 error page. Traffic rules are applied to projects before authentication and other visitor access options.

Team Owners can:

  • Create and manage traffic rules.
  • Set default traffic rules across all projects in a team, or customize rules for a specific project.
  • Assign different rules for published and unpublished deploys.

Developers can only read traffic rules for projects they have access to.

Any changes to rules are logged in the Team audit log.

You can optimize traffic rules for published or unpublished deploys.

A published deploy is the current live deploy at a project’s main URL. Once a different deploy becomes live at the project’s main URL, that deploy becomes the published deploy for that project.

An unpublished deploy can be a Deploy Preview, a branch deploy, or any other deploy not published at your main project URL, such as a new production deploy that has not published because you locked an older published deploy.

Learn more in our deploys docs.

Firewall traffic rules are optimized for the following use cases:

  • Meet compliance requirements by allowing or blocking specific IP addresses, countries, or subregions.
  • Ensure project access for critical partners, such as for contractors and crawlers, by allowing IP exceptions for specific IP addresses.
  • Reduce project hosting costs and bandwidth usage by blocking specific IP addresses or geographic locations.

Traffic rule management is optimized for the following use cases:

  • Standardize default traffic rules for all new projects on a team and all existing projects that don’t have their own traffic rules.
  • Secure unpublished deploys, such as for Deploy Previews and branch deploys, by configuring traffic rules for unpublished deploys.
  • Manage strict access for an internal project by setting traffic rules for your internal project’s published deploys.

You can standardize traffic rules for a team’s projects so that all projects without their own custom rules will automatically inherit the team default rules.

You can also customize traffic rules for a specific project or apply the team default rules to a project that currently has project-specific custom traffic rules.

Configure default traffic rules for projects in your team

As a Team Owner, you can standardize the default traffic rules you want all projects in your team to have.

Team default traffic rules apply to all projects in your team that do not have their own project-specific traffic rules. Custom traffic rules for a project override the default team rules. You can quickly switch a project’s traffic rules to the team default anytime.

To configure default traffic rules for your team:

  1. Go to Team settings > Access & security > Firewall traffic rules.

  2. Choose whether to configure traffic rules for your project’s published or unpublished deploys. You can add/edit traffic rules for both types of deploys but only one deploy type at a time.

  3. To add traffic rules, under Published deploys or Unpublished deploys, select Configure.

  4. Select a baseline traffic setting to either block or allow all traffic for this deploy type by default.

  5. Add your traffic rules. For each traffic rule you add, include a custom traffic rule description that Team Owners and Developers can read.

    Keep the following in mind as you create your rule set:

    • If you want to add a subregion, add a relevant country first, then you’ll find a list of subregions associated with that country that are listed by the ISO subregion codes.
    • You can target individual IP addresses or ranges of IP addresses. In both cases, use CIDR block notation. For example, a single IPv4 address should end with /32, a single IPv6 address should end with /128, a range of IPv4 addresses should end with a prefix length between /0 and /31, and a range of IPv6 addresses should end with a prefix length between /0 and /127.
    • You can add up to 100 traffic rules for published deploys and another 100 traffic rules for unpublished deploys.

    Example of traffic rules configuration options. In this example, all traffic is allowed for published deploys for this project. Next, there's a traffic rule that blocks North Korea, Iran, Russia, and the subregion Crimea, as places where sales are prohibited. In addition, Germany is blocked and there's a traffic rule blocking a specific IP address for a known spammer. Finally there's a rule that makes an IP exception for a contractor that works in Germany.

  6. If your projects use a proxy, be sure to include your proxy’s IP address ranges in your Netlify traffic rules to ensure they work as expected.

Traffic rules take effect as soon as you save them. Traffic rules apply to existing and future deploys but do not apply to projects on your team with custom project-specific traffic rules.

As a Team Owner, you can always customize traffic rules for a specific project. Custom traffic rules for a project always override the team’s default rules.

To configure traffic rules for a specific project:

  1. Go to Project configuration > Access & security > Firewall traffic rules.

  2. If your project has inherited team traffic rules, select Customize project rules. The team rules will still be in effect for this project until you save new traffic rules.

  3. Choose whether to configure traffic rules for your project’s published or unpublished deploys. You can add/edit traffic rules for both but only one deploy type at a time.

  4. To add traffic rules, under Published deploys or Unpublished deploys, select Configure.

  5. Select a baseline traffic setting to either block or allow all traffic for this deploy type by default.

  6. Add your traffic rules. For each traffic rule you add, include a custom traffic rule description that Team Owners and Developers can read.

    Keep the following in mind as you create your rule set:

    • If you want to add a subregion, add a relevant country first, then you’ll find a list of subregions associated with that country that are listed by the ISO subregion codes.
    • You can target individual IP addresses or ranges of IP addresses. In both cases, use CIDR block notation. For example, a single IPv4 address should end with /32, a single IPv6 address should end with /128, a range of IPv4 addresses should end with a prefix length between /0 and /31, and a range of IPv6 addresses should end with a prefix length between /0 and /127.
    • You can add up to 100 traffic rules for published deploys and another 100 traffic rules for unpublished deploys.

    Example of traffic rules configuration options. In this example, all traffic is allowed for published deploys for this project. Next, there's a traffic rule that blocks North Korea, Iran, Russia, and the subregion Crimea, as places where sales are prohibited. In addition, Germany is blocked and there's a traffic rule blocking a specific IP address for a known spammer. Finally there's a rule that makes an IP exception for a contractor that works in Germany.

  7. If your project uses a proxy, be sure to include your proxy’s IP address ranges in your Netlify traffic rules to ensure they work as expected.

Traffic rules take effect as soon as you save them. Traffic rules apply to existing and future deploys for your project.
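
The CIDR guidance in both procedures above can be checked before entries are typed into the UI. This is an added example, not Netlify code, and it calls no Netlify API: `check_cidr` and `audit` are hypothetical helper names, and the sample addresses are constructed from documentation ranges. It flags entries with a missing prefix length, entries whose host bits make the rule wider than intended, and proxy ranges that no valid entry covers.

```python
import ipaddress

def check_cidr(entry):
    """Return (normalized_cidr, kind, problems) for one IP entry of a rule."""
    text = entry.strip()
    if "/" not in text:
        # The page asks for an explicit prefix even on a single address.
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None, None, ["not an IP address or CIDR block"]
        return f"{addr}/{addr.max_prefixlen}", "single", [
            f"missing prefix length, write /{addr.max_prefixlen}"]
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError as exc:
        return None, None, [f"invalid CIDR: {exc}"]
    problems = []
    if ipaddress.ip_address(text.split("/", 1)[0]) != net.network_address:
        problems.append(f"host bits set, rule would cover all of {net}")
    if net.prefixlen == 0:
        problems.append("/0 matches every address of this IP version")
    kind = "single" if net.prefixlen == net.max_prefixlen else "range"
    return str(net), kind, problems

def audit(entries, proxy_ranges=()):
    """Check IP entries and report proxy ranges not covered by a valid entry."""
    report = {"ok": [], "problems": {}, "uncovered_proxies": []}
    nets = []
    for entry in entries:
        cidr, kind, problems = check_cidr(entry)
        if problems:
            report["problems"][entry] = problems
        else:
            report["ok"].append((cidr, kind))
            nets.append(ipaddress.ip_network(cidr))
    for proxy in map(ipaddress.ip_network, proxy_ranges):
        if not any(n.version == proxy.version and proxy.subnet_of(n)
                   for n in nets):
            report["uncovered_proxies"].append(str(proxy))
    return report

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE = ["203.0.113.7/32", "2001:db8::1/128", "198.51.100.0/24",
          "192.0.2.10/24", "203.0.113.9", "10.0.0.300/32"]

if __name__ == "__main__":
    print(audit(SAMPLE, proxy_ranges=["198.51.100.128/25", "192.0.2.0/24"]))
```
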

If a Team Owner created custom traffic rules for your project, these rules override any team default traffic rules.

To adopt the team default traffic rules for your project instead, you can quickly switch your custom project traffic rules to team rules. Note that your project rules are not saved after switching to team rules.

To apply team rules to a project with custom rules:

  1. Go to Project configuration > Access & security > Firewall traffic rules.

  2. Select Apply team rules.

Enterprise customers using High Performance Edge have full access to this feature.

Customers on all other plans have access only to a limited number of rules per project, with each rule limited to a few client IP addresses or geolocations. If you don’t have High Performance Edge and an Enterprise plan, then you cannot set traffic rules for all projects on a team at once in the Netlify UI.

Here is the available functionality by account type:

Functionality | Credit-Based or Legacy Free / Starter / Credit-based Personal | Legacy Pro / Credit-based Pro / Enterprise | Enterprise with HP Edge
Maximum rules per ruleset | 2 | 10 | 500
Maximum IP addresses per rule | 3 | 50 | 500
Maximum geolocations per rule | 3 | 50 | 200
Separate ruleset for published & unpublished deploys | Yes | Yes | Yes
Team policies | - | - | Yes