Private Connectivity for builds and functions
Use Private Connectivity to reduce the risk to your backend environment and improve compliance. With Private Connectivity, your builds and serverless functions will contact your backend from a specific set of IP addresses that you can allowlist.
# Overview
By default, the IP addresses that the build process and serverless functions use to connect to your systems will fluctuate when we scale up and down to handle variable loads. With Private Connectivity, you can count on the connections coming from a static set of IPs that never change. This is helpful when your backend, CMS, or self-hosted Git needs to be behind a firewall. You can allowlist the Private Connectivity IP addresses so that your builds and functions can contact your systems without opening up your backend to the whole internet.
Keep the following in mind when working with Private Connectivity:
- For builds, Private Connectivity is enabled at the team level and immediately applied to all of a team’s sites.
- For functions, Private Connectivity is first enabled at the team level and then requires further action at the site level to be applied.
- Private Connectivity for functions is available in two regions:
- us-east-2 - US East (Ohio)
- eu-central-1 - EU (Frankfurt)
- Local development still uses your local IP address when you test functions with
netlify dev
ornetlify functions:serve
or when you run builds withnetlify build
ornetlify deploy --build
. - Private Connectivity for builds also grants you access to static IP addresses for the Netlify API.
# Configure Private Connectivity
To get started with Private Connectivity, take the following steps:
Contact your account manager to enable Private Connectivity for your team. Let them know if you want Private Connectivity for only builds, only functions, or both.
Virtual private cloud for Netlify Functions
For further security, we can configure a custom virtual private cloud (VPC) for Functions. Please contact your solutions engineer to get started with a VPC.
Get the IP addresses for your private networks by going to
.Update the allowlists for your backend, CMS, or self-hosted Git to allow the Private Connectivity IP addresses.
Function requests can come from multiple IP addresses
If you’re using Private Connectivity for functions, note that the Netlify UI supplies multiple static IP addresses for each region and that you need to allowlist all of the static IP addresses for the region or regions you intend to use.
After Private Connectivity is enabled at the team level, all of the builds for all of your team’s sites will start using the private network automatically. For functions, a few more steps are required.
To make a site’s functions use the private network:
- Go to .
- Make sure your site’s Functions region is either us-east-2 or eu-central-1.
- Redeploy your site to make Private Connectivity for your functions take effect.
# Limitations
- Private Connectivity for builds does not apply to network requests from Visual Editor. As an alternative solution, if your code is hosted on-premise, Visual Editor App can support it by connecting to it with read-only permissions or by using an isolated and secure container running on Visual Editor’s cloud.
- Private Connectivity is not available for Edge Functions.
Did you find this doc useful?
Your feedback helps us improve our docs.