Adding an IP allowlist
An IP allowlist is a network security control that restricts access to your Cortex workspace based on the originating IP address of incoming requests. When enabled, only requests coming from IP addresses you've explicitly approved can reach your workspace; all others are blocked before they can authenticate. This adds a layer of defense beyond user credentials, ensuring that even if a password or session token is compromised, an attacker still cannot access your workspace from an unapproved network.
IP allowlists are particularly useful for organizations that want to limit workspace access to trusted networks, such as a corporate office, a VPN, or a specific set of remote locations. You can specify individual IP addresses or entire ranges using CIDR notation, giving you flexibility to cover anything from a single machine to an entire subnet.
By default, the allowlist is empty and all IP addresses are permitted access. As soon as you add your first entry, the workspace automatically switches to a deny-by-default posture: only the addresses on the allowlist can connect, and all others are rejected. There's no separate toggle to enable enforcement, as the presence of any entry activates the restriction.
Before you begin
A few things to keep in mind before configuring your allowlist:
Add your own IP address first. The allowlist activates the moment you save your first entry, so omitting your current IP will lock you out of the workspace. Cortex warns you before this happens, but as a best practice, add your own IP to the list before saving.
Account for all trusted networks. Make sure you've identified every network your users connect from, including corporate offices, VPN exit nodes, remote workers' home networks, and any third-party services or integrations that make requests to your workspace.
Plan for dynamic IPs. Home internet connections and some cloud services use IP addresses that change over time. For these, use a CIDR range that covers the expected pool, or require users to connect through a VPN with a static egress IP.
You can configure an IP allowlist in the Cortex UI or via the Cortex API. Your user or API key must have the Configure IP Allowlist permission to perform these steps.
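A pre-save coverage check for the points above, written here as an added example; it is not part of the Cortex product or its API. It parses a proposed list of single IPs and CIDR ranges with Python's ipaddress module and reports malformed entries and any required egress IP that no entry covers. The function name, labels and addresses are assumptions, with sample values constructed from the documentation-reserved ranges.

```python
import ipaddress

def check_allowlist(entries, required_ips):
    """Check a proposed allowlist before saving it.

    entries      -- strings: single IPs or CIDR ranges, as you would enter them
    required_ips -- dict of label -> egress IP that must keep access
    Returns (networks, invalid_entries, uncovered_required_ips).
    """
    networks, invalid = [], []
    for raw in entries:
        try:
            # Strict parsing: a bare IP becomes a /32 (or /128) network, and a
            # CIDR with host bits set (e.g. 198.51.100.9/28) is rejected so the
            # operator fixes the range instead of guessing how it is read.
            networks.append(ipaddress.ip_network(raw.strip()))
        except ValueError:
            invalid.append(raw)
    uncovered = {}
    for label, ip in required_ips.items():
        addr = ipaddress.ip_address(ip)
        # An IPv4 address is never "in" an IPv6 network (and vice versa),
        # so mixed-version lists are handled without special cases.
        if not any(addr in net for net in networks):
            uncovered[label] = ip
    return networks, invalid, uncovered

# Constructed sample input (documentation-reserved ranges, not real networks).
PROPOSED = ["203.0.113.0/24", "198.51.100.17", "198.51.100.9/28", "192.0.2.300"]
REQUIRED = {
    "my current IP": "203.0.113.42",   # add this first to avoid a lockout
    "VPN egress": "198.51.100.17",
    "CI integration": "192.0.2.10",    # third-party caller of the workspace
}

if __name__ == "__main__":
    nets, invalid, uncovered = check_allowlist(PROPOSED, REQUIRED)
    for entry in invalid:
        print(f"invalid entry, fix before saving: {entry}")
    for label, ip in uncovered.items():
        print(f"NOT covered, would be blocked: {label} ({ip})")
    print("safe to save" if not invalid and not uncovered else "do not save yet")
```

Run it with the public egress addresses your users and integrations actually present, since those are the addresses an allowlist is matched against.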
Configuring an IP allowlist via the Cortex UI
Follow the steps below to configure an IP allowlist in Cortex.
From the main sidebar, click your avatar in the bottom-left corner.
Click Settings.
From the Settings menu, locate the Security and access section, then click IP allowlist.
In the upper-right corner, click Add IP addresses.
In the Add IP addresses to allowlist side panel, do one of the following:
Enter a single IP address
Under IP addresses, enter a single IP address.
Optionally, enter a description of the IP address.
Optionally, click Add more to add another IP address.
Click Add addresses.
Enter multiple IP addresses
Toggle on Bulk edit.
In the Entries field, enter or paste a list of IP addresses (and optional descriptions).
Click Add addresses.
When you save the allowlist, Cortex checks whether your current IP is included. If it isn't, a warning appears before the change takes effect. This prevents you from accidentally locking yourself out of the workspace.
Configuring an IP allowlist via the API
See the IP allowlist API documentation to learn more about creating an allowlist through the API. You can retrieve a range of addresses, update existing addresses, and validate your IP addresses.
Note that Cortex checks whether your IP address is included in the allowlist to prevent you from losing access to your workspace.
Troubleshooting and FAQ
Why do I see a 403 Forbidden IP address error when running a Workflow?
Workflow steps that call the Cortex API fail if the request originates from an IP that isn't on your allowlist. Send a message to help@cortex.io if you need further assistance.