Security /

Private Connectivity for builds and functions

This feature is available as an add-on to Core Enterprise plans and requires High-Performance Edge or High-Performance Build.

Use Private Connectivity to reduce the risk to your backend environment and improve compliance. With Private Connectivity, your builds and serverless functions will contact your backend from a specific set of IP addresses that you can allowlist.

# Overview

By default, the IP addresses that the build process and serverless functions use to connect to your systems will fluctuate when we scale up and down to handle variable loads. With Private Connectivity, you can count on the connections coming from a static set of IPs that never change. This is helpful when your backend, CMS, or self-hosted Git needs to be behind a firewall. You can allowlist the Private Connectivity IP addresses so that your builds and functions can contact your systems without opening up your backend to the whole internet.

Private Connectivity uses separate private networks for builds and functions. All requests to your backend from builds and functions come through these private networks before responses are sent to the CDN and served to users.

Keep the following in mind when working with Private Connectivity:

For builds, Private Connectivity is enabled at the team level and immediately applied to all of a team’s sites.
For functions, Private Connectivity is first enabled at the team level and then requires further action at the site level to be applied.
Private Connectivity for functions is available in two regions:
- us-east-2 - US East (Ohio)
- eu-central-1 - EU (Frankfurt)
Local development still uses your local IP address when you test functions with netlify dev or netlify functions:serve or when you run builds with netlify build or netlify deploy --build.

# Configure Private Connectivity

To get started with Private Connectivity, take the following steps:

Contact your account manager to enable Private Connectivity for your team. Let them know if you want Private Connectivity for only builds, only functions, or both.

Virtual private cloud for Netlify Functions

For further security, we can configure a custom virtual private cloud (VPC) for Functions. Please contact your solutions engineer to get started with a VPC.
Get the IP addresses for your private networks:
- For builds, ask your account manager.
- For functions, go to
  Team settings General Team details Private Connectivity
  .
Update the allowlists for your backend, CMS, or self-hosted Git to allow the Private Connectivity IP addresses.

Function requests can come from multiple IP addresses

If you’re using Private Connectivity for functions, note that the Netlify UI supplies multiple static IP addresses for each region and that you need to allowlist all of the static IP addresses for the region or regions you intend to use.

After Private Connectivity is enabled at the team level, all of the builds for all of your team’s sites will start using the private network automatically. For functions, a few more steps are required.

To make a site’s functions use the private network:

Go to
Site configuration Build & deploy Continuous deployment Functions region
.
Make sure your site’s Functions region is either us-east-2 or eu-central-1.
Redeploy your site to make Private Connectivity for your functions take effect.

# Limitations

Private Connectivity for builds does not apply to network requests from Netlify Create. As an alternative solution, if your code is hosted on-premise, the Netlify Create App can support it by connecting to it with read-only permissions or by using an isolated and secure container running on Netlify Create’s cloud.
Private Connectivity is not available for Edge Functions.

Last updated: May 7, 2024

Did you find this doc useful?

Your feedback helps us improve our docs.