# Adding an IP allowlist

An IP allowlist is a network security control that restricts access to your Cortex workspace based on the originating IP address of incoming requests. When enabled, only requests coming from IP addresses you've explicitly approved can reach your workspace; all others are blocked before they can authenticate. This adds a layer of defense beyond user credentials, ensuring that even if a password or session token is compromised, an attacker still cannot access your workspace from an unapproved network.

IP allowlists are particularly useful for organizations that want to limit workspace access to trusted networks, such as a corporate office, a VPN, or a specific set of remote locations. You can specify individual IP addresses or entire ranges using [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing), giving you flexibility to cover anything from a single machine to an entire subnet.

By default, the allowlist is empty and all IP addresses are permitted access. As soon as you add your first entry, the workspace automatically switches to a deny-by-default posture: only the addresses on the allowlist can connect, and all others are rejected. There's no separate toggle to enable enforcement, as the presence of any entry activates the restriction.

**Before you begin**

A few things to keep in mind before configuring your allowlist:

* **Add your own IP address first.** The allowlist activates the moment you save your first entry, so omitting your current IP will lock you out of the workspace. Cortex warns you before this happens, but as a best practice, add your own IP to the list before saving.
* **Account for all trusted networks.** Make sure you've identified every network your users connect from, including corporate offices, VPN exit nodes, remote workers' home networks, and any third-party services or integrations that make requests to your workspace.
* **Plan for dynamic IPs.** Home internet connections and some cloud services use IP addresses that change over time. For these, use a CIDR range that covers the expected pool, or require users to connect through a VPN with a static egress IP.
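
The check below is an added example, not Cortex code, and it does not call the Cortex API. It runs a planned allowlist against the source addresses you depend on and reports which of them would be blocked once the first entry is saved. The function names, labels, and addresses are constructed for illustration (documentation ranges only).

```python
import ipaddress

def parse_allowlist(entries):
    """Parse single IPs and CIDR ranges; raises ValueError on a malformed entry."""
    return [ipaddress.ip_network(e.strip()) for e in entries if e.strip()]

def is_allowed(ip, networks):
    """Semantics described on this page: an empty allowlist permits every
    address; once any entry exists, only listed addresses are permitted."""
    if not networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)

def locked_out(planned_entries, required_sources):
    """Return the labels of required sources the planned allowlist would block."""
    networks = parse_allowlist(planned_entries)
    return sorted(
        label for label, ip in required_sources.items()
        if not is_allowed(ip, networks)
    )

# Constructed sample data: the addresses your users and integrations connect from.
REQUIRED_SOURCES = {
    "admin-current-ip": "203.0.113.25",
    "office-egress": "198.51.100.10",
    "vpn-exit-node": "192.0.2.44",
    "ci-integration": "2001:db8::15",
}

# Constructed draft allowlist: one CIDR range and one single address.
PLANNED_ALLOWLIST = ["198.51.100.0/24", "192.0.2.44"]

if __name__ == "__main__":
    missing = locked_out(PLANNED_ALLOWLIST, REQUIRED_SOURCES)
    if missing:
        print("Would be blocked after saving:", ", ".join(missing))
    else:
        print("All required sources are covered.")
```

With the sample data, the draft list omits the administrator's current IP and the IPv6 integration address, so both are reported before anything is saved.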

You can configure an IP allowlist in the Cortex UI or via the Cortex API. Your user or API key must have the `Configure IP Allowlist` permission to perform these steps.

## Configuring an IP allowlist via the Cortex UI

Follow the steps below to configure an IP allowlist in Cortex.

1. From the main sidebar, click your avatar in the bottom-left corner.
2. Click **Settings**.
3. From the **Settings** menu, locate the **Security and access** section, then click **IP allowlist**.
4. In the upper-right corner, click **Add IP addresses**.
5. In the **Add IP addresses to allowlist** side panel, do one of the following:
   * Enter a single IP address
     1. Under IP addresses, enter a single IP address.
     2. Optionally, enter a description of the IP address.
     3. Optionally, click **Add more** to add another IP address.
     4. Click **Add addresses**.
   * Enter multiple IP addresses
     1. Toggle on **Bulk edit**.
     2. In the Entries field, enter or paste a list of IP addresses (and optional descriptions).
     3. Click **Add addresses**.

{% hint style="warning" %}
When you save the allowlist, Cortex checks whether your current IP is included. If it isn't, a warning appears before the change takes effect. This prevents you from accidentally locking yourself out of the workspace.
{% endhint %}

## Configuring an IP allowlist via the API

See the [IP allowlist API documentation](/api/readme/ip-allowlist.md) to learn more about creating an allowlist through the API. You can retrieve a range of addresses, update existing addresses, and validate your IP addresses.

Note that Cortex checks whether your IP address is included in the allowlist to prevent you from losing access to your workspace.

## Troubleshooting and FAQ

**Why do I see a** `403 Forbidden IP address` **error when running a Workflow?**

Workflow steps that call the Cortex API fail if the request originates from an IP that isn't on your allowlist. Send a message to <help@cortex.io> if you need further assistance.

