Firewall Traffic Rules

This feature is available on Core Enterprise plans and requires High-Performance Edge.

Control who can access your site based on their IP address or geographic location with Netlify’s Firewall Traffic Rules.

Rate limiting rules

Instead of completely blocking all traffic, you can set up rate limit rules. Learn more about rate limiting.

# Overview

As a Team Owner, you can create Firewall Traffic Rules to block or allow site traffic from specific IP addresses, countries, or subregions.

You can block an entire country, or a subregion, such as California or Crimea. Netlify supports subregions defined by the ISO standard. Learn more about ISO codes for subregions (also called subdivisions).

If an IP address is blocked, the site visitor is directed to a Netlify-branded 404 error page. Traffic rules are applied to sites before site authentication and other visitor access options.

You can standardize default traffic rules for all sites on your team or customize rules for a specific site. You can also apply distinct rules for published or unpublished deploys.

Team Owners can create and manage traffic rules, while Developers can only read traffic rules for sites they have access to.

When a Team Owner creates, updates, or removes a traffic rule, these actions are logged in the Team audit log.

# Published and unpublished deploys

You can optimize traffic rules for published or unpublished deploys.

A published deploy is the current live deploy at a site’s main URL. Once a different deploy becomes live at the site’s main URL, that deploy becomes the published deploy for that site.

An unpublished deploy can be a Deploy Preview, a branch deploy, or any other deploy not published at your main site URL, such as a new production deploy that has not published because you locked an older published deploy.

Learn more in our deploys docs.

# Use cases

Traffic rules are optimized for the following use cases:

  • Meet compliance requirements by allowing or blocking specific IP addresses, countries, or subregions.
  • Ensure site access for critical partners, such as for contractors and site crawlers, by allowing IP exceptions for specific IP addresses.
  • Reduce site hosting costs and bandwidth usage by blocking specific IP addresses or geographic locations.

Traffic rule management is optimized for the following use cases:

  • Standardize default traffic rules for your team for all new sites on a team and all existing sites that don’t have their own custom site traffic rules.
  • Secure unpublished deploys, such as for Deploy Previews and branch deploys, by configuring traffic rules for unpublished deploys.
  • Manage strict site access for an internal site by setting traffic rules for your internal site’s published deploys.

# Traffic rule inheritance

You can standardize traffic rules for a team’s sites so that all sites without their own custom rules will automatically inherit the team default rules.

You can also customize traffic rules for a specific site or apply the team default rules to a site that currently has site-specific custom traffic rules.

# Configure default traffic rules for sites in your team

As a Team Owner, you can standardize the default traffic rules you want all sites in your team to have.

Team default traffic rules apply to all sites in your team that do not have their own site-specific traffic rules. Custom traffic rules for a site override the default team rules. You can quickly switch a site’s traffic rules to the team default anytime.

To configure default traffic rules for your team:

  1. Go to

    .

  2. Choose whether to configure traffic rules for your site’s published or unpublished deploys. You can add/edit traffic rules for both types of deploys but only one deploy type at a time.

  3. To add traffic rules, under Published deploys or Unpublished deploys, select Configure.

  4. Select a baseline traffic setting to either block or allow all traffic for this deploy type by default.

    Common setups

    • For Block all traffic, we recommend you add an IP exception or geographic exception rule to ensure your team’s sites can still be accessed from desired IP addresses or geographic locations.
    • For Allow all traffic, we recommend you add a geographic restriction or IP restriction rule to add some control over site traffic.
  5. Add your traffic rules. For each traffic rule you add, include a custom traffic rule description that Team Owners and Developers can read.

    Keep the following in mind as you create your rule set:

    • To add a subregion, first add the relevant country. You'll then find a list of that country's subregions, listed by ISO subregion code.
    • You can target individual IP addresses or ranges of IP addresses. In both cases, use CIDR block notation. For example, a single IPv4 address should end with /32, a single IPv6 address should end with /128, a range of IPv4 addresses should end with a prefix length between /0 and /31, and a range of IPv6 addresses should end with a prefix length between /0 and /127.
    • You can add up to 100 traffic rules for published deploys and another 100 traffic rules for unpublished deploys.

    Example of traffic rules configuration options. In this example, all traffic is allowed for published deploys for this site. Next, there's a traffic rule that blocks North Korea, Iran, Russia, and the subregion Crimea, as places where sales are prohibited. In addition, Germany is blocked and there's a traffic rule blocking a specific IP address for a known spammer. Finally there's a rule that makes an IP exception for a contractor that works in Germany.

  6. If your sites use a proxy, be sure to include your proxy’s IP address ranges in your Netlify traffic rules to ensure they work as expected.

Traffic rules take effect as soon as you save them. Traffic rules apply to existing and future deploys but do not apply to sites on your team with custom site-specific traffic rules.

# Configure traffic rules for a site

As a Team Owner, you can always customize traffic rules for a specific site. Custom traffic rules for a site always override the team’s default rules.

To configure traffic rules for a specific site:

  1. Go to

    .

  2. If your site has inherited team traffic rules, select Customize site rules. The team rules will still be in effect for this site until you save new traffic rules.

  3. Choose whether to configure traffic rules for your site’s published or unpublished deploys. You can add/edit traffic rules for both but only one deploy type at a time.

  4. To add traffic rules, under Published deploys or Unpublished deploys, select Configure.

  5. Select a baseline traffic setting to either block or allow all traffic for this deploy type by default.

    Common setups

    • For Block all traffic, we recommend you add an IP exception or geographic exception rule to ensure your site can still be accessed from desired IP addresses or geographic locations.
    • For Allow all traffic, we recommend you add a geographic restriction or IP restriction rule to add some control over site traffic.
  6. Add your traffic rules. For each traffic rule you add, include a custom traffic rule description that Team Owners and Developers can read.

    Keep the following in mind as you create your rule set:

    • To add a subregion, first add the relevant country. You'll then find a list of that country's subregions, listed by ISO subregion code.
    • You can target individual IP addresses or ranges of IP addresses. In both cases, use CIDR block notation. For example, a single IPv4 address should end with /32, a single IPv6 address should end with /128, a range of IPv4 addresses should end with a prefix length between /0 and /31, and a range of IPv6 addresses should end with a prefix length between /0 and /127.
    • You can add up to 100 traffic rules for published deploys and another 100 traffic rules for unpublished deploys.

    Example of traffic rules configuration options. In this example, all traffic is allowed for published deploys for this site. Next, there's a traffic rule that blocks North Korea, Iran, Russia, and the subregion Crimea, as places where sales are prohibited. In addition, Germany is blocked and there's a traffic rule blocking a specific IP address for a known spammer. Finally there's a rule that makes an IP exception for a contractor that works in Germany.

  7. If your site uses a proxy, be sure to include your proxy’s IP address ranges in your Netlify traffic rules to ensure they work as expected.

Traffic rules take effect as soon as you save them. Traffic rules apply to existing and future deploys for your site.
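
The CIDR requirements in the rule-set notes above (the same notes appear in both the team and the site procedure) can be checked before you enter addresses into a rule. The following Python helper is an added example, not Netlify code: it converts bare addresses to /32 or /128, corrects ranges typed with host bits set, rejects invalid input, and merges overlapping ranges. The names `to_cidr`, `prepare`, `fits_limit` and `SAMPLE` are hypothetical, the sample addresses are constructed from documentation ranges, and counting one CIDR per rule against the 100-rule limit is an assumption.

```python
import ipaddress

MAX_RULES = 100  # stated limit per deploy type (published or unpublished)

# Constructed sample input (documentation ranges), as an operator might type it.
SAMPLE = ["203.0.113.7", "198.51.100.0/24", "198.51.100.128/25",
          "192.0.2.77/28", "2001:db8::1", "2001:db8:abcd::/48", "10.0.0.300"]

def to_cidr(entry):
    """Return (cidr, note) for one address or range; raise ValueError if invalid."""
    text = entry.strip()
    if "/" not in text:
        # Bare address: single IPv4 ends with /32, single IPv6 with /128.
        addr = ipaddress.ip_address(text)
        return f"{addr}/{addr.max_prefixlen}", "single address"
    # strict=False accepts host bits so they can be reported and corrected.
    net = ipaddress.ip_network(text, strict=False)
    typed = ipaddress.ip_interface(text).ip
    if net.prefixlen == net.max_prefixlen:
        note = "single address"
    elif typed != net.network_address:
        note = f"host bits set, range is really {net}"
    else:
        note = "range"
    return str(net), note

def prepare(entries):
    """Normalize entries, merge overlapping ranges, and collect invalid input."""
    nets, notes, errors = [], {}, {}
    for entry in entries:
        try:
            cidr, note = to_cidr(entry)
        except ValueError as exc:
            errors[entry] = str(exc)
            continue
        notes[entry] = (cidr, note)
        nets.append(ipaddress.ip_network(cidr))
    collapsed = []
    for version in (4, 6):  # collapse_addresses() cannot mix IPv4 and IPv6
        same = [n for n in nets if n.version == version]
        collapsed += [str(n) for n in ipaddress.collapse_addresses(same)]
    return collapsed, notes, errors

def fits_limit(cidrs):
    """Assumption: one CIDR per rule, the most conservative count."""
    return len(cidrs) <= MAX_RULES

if __name__ == "__main__":
    cidrs, notes, errors = prepare(SAMPLE)
    print(cidrs, notes, errors, fits_limit(cidrs), sep="\n")
```

In the sample, `198.51.100.128/25` is absorbed by `198.51.100.0/24`, and `192.0.2.77/28` is reported as covering `192.0.2.64/28`, which is a wider set of addresses than the single host the operator probably meant.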

# Change custom site rules to team rules

If a Team Owner created custom traffic rules for your site, these rules override any team default traffic rules.

To adopt the team default traffic rules for your site instead, you can quickly switch your custom site traffic rules to team rules. Note that your site rules are not saved after switching to team rules.

To apply team rules to a site with custom rules:

  1. Go to

    .

  2. Select Apply team rules.