# Controlling Access with IP Restrictions

> Configure IP restrictions in Kubernetes to allow or deny access based on source IP addresses using allow lists or deny lists.

Instead of denying requests based on request properties like headers or paths, you may need to restrict access based on the request's source IP address.

By defining allow lists (permitting only specific IP ranges) or deny lists (blocking unwanted IPs), you can:

* 🛡 Enhance security by blocking malicious IPs or untrusted networks.
* 🚀 Limit access to internal or private resources.
* ⚡ Prevent API abuse by restricting access to known users or organizations.

## 🔍 What are the benefits of restricting IPs?

IP-based restrictions provide a simple yet effective security mechanism that doesn't require authentication tokens or additional request validation.

Key Benefits:

* **Block Malicious or Unauthorized Traffic:** Stop unwanted requests before they reach your backend.
* **Restrict Access to Internal Users:** Ensure only approved teams or offices can reach private APIs.
* **Reduce Attack Surface:** Prevent access from high-risk geographies or known malicious networks.
* **Enforce Compliance Policies:** Meet regulatory requirements by restricting access to specific locations.
* **Lightweight and Efficient:** No need for complex authentication mechanisms—filter requests at the network edge.

## IP restriction examples

The following examples restrict access by source IP address using the `restrict-ips` action: each one allows a single IPv4 host and denies a single IPv6 host.

Check out the [IP restriction policy action](/traffic-policy/actions/restrict-ips/) page for more details about how it functions and the parameters it accepts.

<Tabs>
  <Tab title="AgentEndpoint">
    ```yaml theme={null}
    apiVersion: ngrok.k8s.ngrok.com/v1alpha1
    kind: AgentEndpoint
    metadata:
      name: example-agent-endpoint
    spec:
      url: https://example-hostname.ngrok.io
      upstream:
        url: http://my-service.my-namespace:8080
      trafficPolicy:
        inline:
          on_tcp_connect:
            - actions:
                - type: restrict-ips
                  config:
                    enforce: true
                    allow:
                      - 1.1.1.1/32
                    deny:
                      - e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128
    ```
  </Tab>

  <Tab title="CloudEndpoint">
    ```yaml theme={null}
    apiVersion: ngrok.k8s.ngrok.com/v1alpha1
    kind: CloudEndpoint
    metadata:
      name: example-cloud-endpoint
    spec:
      url: https://example-hostname.ngrok.io
      trafficPolicy:
        policy:
          on_tcp_connect:
            - actions:
                - type: restrict-ips
                  config:
                    enforce: true
                    allow:
                      - 1.1.1.1/32
                    deny:
                      - e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128
    ```
  </Tab>

  <Tab title="Ingress">
    💡 `Ingress` resources do not natively support IP-based restrictions, but they can be extended using a Traffic Policy.

    ### 1. Create an `NgrokTrafficPolicy`

    ```yaml theme={null}
    apiVersion: ngrok.k8s.ngrok.com/v1alpha1
    kind: NgrokTrafficPolicy
    metadata:
      name: example-tp
      namespace: default
    spec:
      policy:
        on_tcp_connect:
          - actions:
              - type: restrict-ips
                config:
                  enforce: true
                  allow:
                    - 1.1.1.1/32
                  deny:
                    - e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128
    ```

    ### 2. Use the `NgrokTrafficPolicy` on an `Ingress`

    ```yaml theme={null}
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        k8s.ngrok.com/traffic-policy: example-tp
      name: example-ingress
      namespace: default
    spec:
      ingressClassName: ngrok
      rules:
        - host: example-hostname.ngrok.io
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: example-service
                    port:
                      number: 80
    ```
  </Tab>

  <Tab title="Gateway API">
    💡 Gateway API resources do not natively support IP-based restrictions, but they can be extended using a Traffic Policy.

    ### 1. Create an `NgrokTrafficPolicy`

    ```yaml theme={null}
    apiVersion: ngrok.k8s.ngrok.com/v1alpha1
    kind: NgrokTrafficPolicy
    metadata:
      name: example-tp
      namespace: default
    spec:
      policy:
        on_tcp_connect:
          - actions:
              - type: restrict-ips
                config:
                  enforce: true
                  allow:
                    - 1.1.1.1/32
                  deny:
                    - e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128
    ```

    ### 2. Use the `NgrokTrafficPolicy` on a `Gateway`

    The following example shows how to supply the `NgrokTrafficPolicy` on a `Gateway` resource. All requests to the `Gateway` will run the Traffic Policy.
    If you prefer, an `NgrokTrafficPolicy` can also be applied at the route level with an `externalRef` filter on an `HTTPRoute`. See the [using Gateway API guide](/k8s/guides/using-gwapi) for examples.

    ```yaml theme={null}
    apiVersion: gateway.networking.k8s.io/v1
    kind: Gateway
    metadata:
      name: example-gateway
      namespace: default
      annotations:
        k8s.ngrok.com/traffic-policy: example-tp
    spec:
      gatewayClassName: ngrok
      listeners:
        - name: example-hostname
          hostname: "example-hostname.ngrok.io"
          port: 443
          protocol: HTTPS
    ```
  </Tab>
</Tabs>
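To dry-run a `restrict-ips` config like the ones above against sample client IPs before applying the manifest, here is an added Python example (not ngrok's code). It mirrors the `enforce` / `allow` / `deny` fields from the manifests and flags common mistakes; the deny-before-allow precedence and the reading of `enforce: false` as observe-only are assumptions made for this illustration, not taken from ngrok's documentation.

```python
import ipaddress
from dataclasses import dataclass

# The restrict-ips config from the manifests above, mirrored as a dict so the
# example runs without a YAML parser (constructed for this illustration).
POLICY = {
    "enforce": True,
    "allow": ["1.1.1.1/32"],
    "deny": ["e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128"],
}

@dataclass
class Decision:
    allowed: bool   # would the connection pass these lists?
    enforced: bool  # False means observe-only: nothing is actually rejected
    reason: str

def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def evaluate(policy, client_ip):
    """Dry-run one client IP against the policy. Precedence (deny is checked
    first, then a non-empty allow list must match) is an assumption made
    here about the action's semantics, not taken from ngrok's docs."""
    ip = ipaddress.ip_address(client_ip)
    enforce = bool(policy.get("enforce", True))
    # `ip in net` is simply False (not an error) when IPv4 and IPv6 are mixed.
    if any(ip in n for n in _networks(policy.get("deny", []))):
        return Decision(False, enforce, "matched deny list")
    allow = _networks(policy.get("allow", []))
    if allow and not any(ip in n for n in allow):
        return Decision(False, enforce, "not on allow list")
    return Decision(True, enforce, "permitted")

def lint(policy):
    """Warnings a reviewer would raise before applying the manifest."""
    warnings = []
    if not policy.get("enforce", True):
        warnings.append("enforce is false: observe-only, no connection is rejected")
    for c in policy.get("allow", []):
        if ipaddress.ip_network(c, strict=False).prefixlen == 0:
            warnings.append(f"allow entry {c} admits every address")
    for c in policy.get("allow", []) + policy.get("deny", []):
        try:
            ipaddress.ip_network(c, strict=True)
        except ValueError:  # e.g. 10.0.0.5/24: host bits set, prefix likely wrong
            warnings.append(f"{c} has host bits set; check the prefix length")
    return warnings
```

Run `lint(POLICY)` over the policy you are about to apply and `evaluate(POLICY, ip)` with your office egress address to confirm the allow list actually admits it before `enforce: true` locks everyone else out.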
