Restricting users to trusted IP ranges

You can configure to restrict users in a particular domain (e.g., from using services unless their requests originate from a trusted network location. You can use this feature to help your agency comply with the Trusted Internet Connections (TIC) Initiative while using For more context, see Meeting TIC requirements.

This feature only limits requests to services, such as the API accessed via the command line and the dashboard. This feature does not restrict requests directly to applications that you run on, though you can do that on your own.

Contact support to configure restrictions for your domain

Note: As of October 2017, this feature is not yet available, pending FedRAMP approval. If you want to configure this feature, create a ticket and our team will let you know our estimated timeline for approval.

Create a support ticket specifying the IP address ranges that are valid for your domain. Because address restriction applies to all users from your email domain, we will request confirmation from your agency CIO before changing the configuration.

Grant roles only to users from your restricted domain

To fully limit access to your apps and services, you must ensure that all users with roles in your orgs and spaces are using email addresses within your email domain. For example, if your email domain is but you grant access to a contractor whose email address is, the contractor will not be limited to your configured IP address ranges. We recommend you give contractors an e-mail address within your domain like, and grant roles to them using only that address.

Restricting access to your own applications

To limit requests to your own applications, you can modify your application logic directly. Alternatively, you can create a route service to act as a gatekeeper, then bind the gatekeeper to the routes bound to your application. The route service itself can be an application in that proxies according to your needs. For example, you can create a simple route service by deploying the Staticfile buildpack configured with a custom nginx.conf file.
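The sketch below shows the decision logic of such a gatekeeper. It is an added example, not code from this page or the platform. It assumes a Cloud Foundry-style route service, where the router sets X-CF-Forwarded-Url and appends to X-Forwarded-For; the address ranges are constructed samples and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ranges (documentation address space), not from the page.
TRUSTED_CLIENT_RANGES = ["192.0.2.0/24", "2001:db8:10::/48"]
# Assumption: platform load balancers and routers sit in this private range.
PLATFORM_PROXY_RANGES = ["10.0.0.0/8"]


def _in_any(addr, cidrs):
    # Membership is False when address and network IP versions differ.
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def client_ip(xff, peer):
    """Return the right-most hop that is not a platform proxy, or None.

    Entries to the left of that hop are supplied by the client and are
    never consulted, so a forged X-Forwarded-For prefix has no effect.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: fail closed
        if not _in_any(addr, PLATFORM_PROXY_RANGES):
            return addr
    return None  # only proxies seen: nothing to evaluate, fail closed


def decide(headers, peer):
    """Return (status, forward_url) for one request reaching the gatekeeper."""
    h = {k.lower(): v for k, v in headers.items()}
    target = h.get("x-cf-forwarded-url")
    if not target:
        return 400, None  # request did not arrive through the router
    addr = client_ip(h.get("x-forwarded-for", ""), peer)
    if addr is None or not _in_any(addr, TRUSTED_CLIENT_RANGES):
        return 403, None
    # Caller proxies to `target`, passing X-CF-Proxy-Signature and
    # X-CF-Proxy-Metadata through unchanged.
    return 200, target
```

Set the proxy ranges to match the hops actually in front of your route service; if they are too broad, a client-supplied address can be mistaken for the real client.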