Skip to main content

IP Restrictions


The IP Restrictions module allows or denies traffic based on the source IP of the connection that was initiated to your ngrok endpoints. You define rules which allow or deny connections from IPv4 or IPv6 CIDR blocks.

A connection is allowed only if its source IP matches at least one rule with an 'allow' action and does not match any rule with a 'deny' action.

Example Usage

Allow TCP connections from and but not from

ngrok http 80 --cidr-allow --cidr-allow --cidr-deny


Rule Evaluation

A connection is allowed only if its source IP matches at least one rule with an 'allow' action and does not match any rule with a 'deny' action.

When using Edges and the Kubernetes Ingress Controller, if the IP Restrictions module references multiple IP Policies, then the rules of all referenced IP Policies are unioned together for evaluation.


ngrok supports IPv6 addresses for all IP rules. You may use standard abbreviated notations.

ngrok http 80 --allow-cidr "::/0" --deny-cidr "2600:1f16:d83:1202::6e:2/128"

Don't forget to create IPv6 rules. It's easy to test only with IPv4 and then suddenly things don't work when your software starts using IPv6 because you've forgotten to create rules to allow traffic from IPv6 addresses.


The IP Restrictions always evaluates its rules against the layer 4 source IP of a connection. HTTP headers like forwarded-for are never consulted by this module.



Agent Configuration
Allow CIDRsA set of IPv4 and IPv6 CIDRs to allow.
Deny CIDRsA set of IPv4 and IPv6 CIDRs to deny.
Edge Configuration
IP Policy IDsA set of IP policies that will be used to check if a source IP is allowed access. See the HTTPS Edge IP Restrictions Module API Resource for additional details.

Upstream Headers

This module does not add any upstream headers.


The following errors are returned on HTTP endpoints.

CodeHTTP StatusError
ERR_NGROK_3205403This error is returned if a connection is disallowed by this module.


When the IP Restrictions module is enforced, it populates the following fields in both the http_request_complete.v0 and the tcp_connection_closed.v0 events.



IP Restrictions is an HTTPS Edge module which can be applied to Routes.

When using IP Restrictions via Edges, you specify a set of references to one or more IP Policy objects, each of which contains a list of IP Policy Rule objects.

IP Restrictions and the IP Policy and IP Policy Rule objects they reference can be configured via the ngrok dashboard or API.


This module is available on the Pro and Enterprise plans.

Try it out

First, grab your IPv4 and IPv6 addresses:

curl -4
curl -6

Then run ngrok with IP Restrictions with the IPv4 and IPv6 addresses you got in the previous step:

ngrok http 80 \
--domain \
--allow-cidr 2600:8c00::a03c:91ee:fe69:9695/32 \

Then make requests to your ngrok domain using the -4 and -6 flags to test both IPv4 and IPv6:

curl -4
curl -6