IP Address Restriction for Enterprise Customers
IP Address Restriction is an enterprise-level security feature available to customers with an Enterprise license. This feature allows you to restrict access to your Fluid instance so that only network traffic originating from specified IP addresses or IP address ranges is permitted.
This is particularly useful for organizations that want to ensure that Fluid can only be accessed from within their corporate network or through approved VPN connections.
How It Works
When IP Address Restriction is enabled on your Fluid instance, the system will:
1. Check the IP address of every incoming request
2. Compare it against your configured whitelist of allowed IP addresses
3. Allow access only if the request comes from an approved IP address
4. Redirect or block requests from unauthorized IP addresses
This provides an additional layer of security beyond standard authentication, ensuring that even with valid credentials, users can only access Fluid from approved network locations.
Configuration
IP Address Restriction is configured at the instance level by the Fluid support team. The configuration accepts:
Single IP Addresses
You can specify individual IP addresses that should be allowed access. For example:
203.0.113.45,198.51.100.23
IP Address Ranges (CIDR Notation)
You can specify ranges of IP addresses using CIDR (Classless Inter-Domain Routing) notation. This is useful for allowing access from entire subnets or network blocks. For example:
- 192.168.1.0/24 - Allows all IP addresses from 192.168.1.0 to 192.168.1.255 (256 addresses)
- 10.0.0.0/16 - Allows all IP addresses from 10.0.0.0 to 10.0.255.255 (65,536 addresses)
- 172.16.0.0/12 - Allows all IP addresses from 172.16.0.0 to 172.31.255.255 (1,048,576 addresses)
Multiple Addresses and Ranges
You can combine multiple single IP addresses and ranges in your configuration. For example, your whitelist might include:
- 203.0.113.45 (Head office static IP)
- 198.51.100.0/24 (Branch office network range)
- 172.20.10.0/24 (VPN IP range)
This flexibility allows you to accommodate various network architectures and access patterns within your organization.
IPv4 and IPv6 Support
The IP Address Restriction feature supports both IPv4 and IPv6 addresses, accommodating modern network infrastructures.
Exceptions and Special Cases
Certain paths and functions are exempt from IP address restrictions to ensure critical functionality remains available:
- Authentication and impersonation endpoints
- API heartbeat/health check endpoints
- Static content (CSS, JavaScript, images)
- Integration Engine parsing endpoints
This ensures that system monitoring, integrations, and administrative functions can continue to operate.
Redirect Behaviour
When IP Address Restriction is enabled, you can optionally configure a redirect URL. This determines what happens when a user attempts to access Fluid from an unauthorized IP address:
For Web Browser Access
- If a redirect URL is configured, users will be redirected to that page (e.g., an information page explaining the restriction)
- If no redirect URL is configured, users will see a "403 Forbidden - IP Address not allowed" error
For API Access
- API requests from unauthorized IPs will receive a JSON response with HTTP 403 status
- Response body: {"message": "IP Address not allowed"}
Use Cases
Common scenarios where IP Address Restriction is valuable:
Corporate Network Only Access
Restrict Fluid access to only users connected to your corporate network, ensuring that employees must be on-premises or connected via VPN to access project data.
VPN-Required Access
Configure IP restrictions to only allow connections from your VPN's IP address range, ensuring all remote access is authenticated through your VPN infrastructure.
Multi-Site Organizations
Allow access from multiple office locations by specifying each site's static IP address or network range.
Planning Your IP Address Whitelist
Before enabling IP Address Restriction, you should:
1. Identify All Access Points
- Compile a list of all office locations and their static IP addresses
- Document VPN IP ranges if remote access is required
- Consider mobile users and their access methods
2. Consider Future Growth
- Use CIDR ranges that allow for network expansion
- Plan for new office locations or network changes
3. Test Access Scenarios
- Verify users can access from all intended locations
- Confirm that excluded IP addresses are properly blocked
- Test both web browser and API access patterns
4. Plan for Exceptions
- Identify any users who may need access from non-standard locations
- Consider backup access methods for emergencies
5. Document Your Configuration
- Maintain records of which IPs/ranges are allowed and why
- Document the business purpose of each entry
- Keep contact information for network administrators who can provide updated IP information
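The following is an added example, not Fluid's own code: a local pre-submission check of a planned whitelist in the formats described under Configuration (single addresses, CIDR ranges, IPv4 and IPv6), run against the access scenarios from step 3. It uses Python's standard ipaddress module; the function names, the IPv6 range and the malformed entry are constructed for illustration, and the private-range note assumes the instance is reached over the public internet.

```python
import ipaddress

# RFC 1918 private ranges: a hosted service normally sees your public egress
# address, not these, so such entries deserve a second look before submission.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_allowlist(entries):
    """Return (networks, problems); single addresses become /32 or /128."""
    networks, problems = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True rejects host bits set in a range, e.g. 198.51.100.7/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append((entry, f"invalid: {exc}"))
            continue
        networks.append(net)
        if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            problems.append((entry, "private range: confirm the address the service sees"))
    return networks, problems

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowed network."""
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)

def failed_scenarios(networks, scenarios):
    """Return the scenarios whose actual result differs from the expected one."""
    return [(ip, want) for ip, want in scenarios if is_allowed(ip, networks) != want]

# Constructed sample input: the page's example entries plus one IPv6 range
# and one deliberately malformed entry.
ENTRIES = ["203.0.113.45", "198.51.100.0/24", "172.20.10.0/24",
           "2001:db8:10::/48", "198.51.100.7/24"]
SCENARIOS = [("203.0.113.45", True), ("203.0.113.46", False),
             ("198.51.100.200", True), ("::ffff:198.51.100.200", True),
             ("2001:db8:10:1::5", True), ("2001:db8:11::5", False)]

if __name__ == "__main__":
    nets, problems = parse_allowlist(ENTRIES)
    for entry, note in problems:
        print(f"REVIEW {entry}: {note}")
    print("scenario mismatches:", failed_scenarios(nets, SCENARIOS))
```

An empty mismatch list means the planned entries behave as expected locally; it does not replace step 3's live test from each location once the support team has applied the configuration.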
Important Considerations
This is a Premium Feature
IP Address Restriction is available only with Enterprise-level licenses. Contact your Fluid Customer Success Manager if you need to upgrade your license or have questions about pricing.
Requires Static IP Addresses or Known Ranges
This feature requires that your organization has static IP addresses or predictable IP address ranges. Organizations using dynamic IP addresses may not be able to use this feature effectively.
Does Not Replace Authentication
IP Address Restriction is a supplemental security control. Users must still authenticate with valid credentials; the IP restriction simply adds an additional network-level requirement.
Not for Whitelisting Fluid's IP Addresses
This feature is for restricting who can access your Fluid instance, not for whitelisting Fluid's outbound service IPs. Fluid uses Microsoft Azure's elastic infrastructure, which means Fluid's own IP addresses can change without notice. For firewall configuration, always use domain-based rules (*.fluid.work) rather than IP-based rules.
Maintenance and Updates Required
Network infrastructure changes over time. You'll need to coordinate with the Fluid support team whenever your organization's IP addresses or network ranges change.
Enabling IP Address Restriction
To enable IP Address Restriction on your Fluid instance:
1. Verify that your organization has an Enterprise-level license
2. Compile your list of IP addresses and/or CIDR ranges that should be allowed
3. Optionally, determine if you want to configure a redirect URL for blocked access attempts
4. Contact your Fluid Customer Success Manager or the Fluid support team at support@fluid.work
5. Provide your whitelist configuration
6. Work with the support team to schedule the configuration change
7. Test access from authorized and unauthorized locations to verify proper operation
The Fluid support team will configure the IP Address Restriction settings on your instance and coordinate with you to verify that access works as expected.
Troubleshooting
Users Cannot Access Fluid
If authorized users report being unable to access Fluid after IP Address Restriction is enabled:
- Verify that their current IP address is included in the whitelist
- Check if users are connecting through a VPN that may assign unexpected IP addresses
- Confirm that network infrastructure hasn't changed (new ISP, new routing, etc.)
- Contact Fluid support to review the configured whitelist
Third-Party Integrations
If you use integrations with external systems (e.g., Azure DevOps, Jira), ensure that webhook callbacks and API access from these systems are considered. In some cases, integration traffic may come from IP addresses different from your organization's network.
VPN IP Address Changes
If your organization changes VPN providers or VPN configurations, you must update the IP whitelist to reflect the new VPN IP ranges.
