Merge pull request #10203 from mendix/olu-access-restriction-oct25

OlufunkeMoronfolu · web-flow · commit 12aa2aa06fc4 · 2025-11-10T09:53:44.000+01:00
Update to the access restriction profile - Release Nov 9
diff --git a/content/en/docs/deployment/mendix-cloud-deploy/access-restrictions.md b/content/en/docs/deployment/mendix-cloud-deploy/access-restrictions.md
@@ -32,7 +32,7 @@ When configuring an access restriction profile, keep the following consideration
 
 * Access restriction profiles are configured at the application level. They can be reused in all the environments (for example test, acceptance, production) of an app.
 * Access restriction profiles can contain any number of IPv4 address ranges, client CAs, or both.
-* If an access restriction profile contains both IP address ranges and client CAs, then any match on either the IP range or the client certificate will grant access.
+* If an access restriction profile contains both IP address ranges and client CAs, then any match on either the IP range or the client certificate will grant or deny access.
 
 ### Configuring Access Restriction Profiles {#access-restriction}
 
@@ -54,7 +54,7 @@ To rename an access restriction profile. follow these steps:
 1. Locate the profile of interest from the **Access Restriction Profiles** page.
 2. Click the **More Options** ({{% icon name="three-dots-menu-horizontal" %}}) icon.
 3. Click **Edit**.
-4. In the edit page enter the new name.
+4. In the edit page enter the new **Profile Name**.
 5. Click **Save** to apply your changes.
 
 #### Specifying TLS Client Certificate Verification
@@ -81,23 +81,31 @@ Click **Save** to save the current certificate profile.
 Your CA for TLS client certificate verification should be different from the CA used to sign the SSL certificate configured for any custom domain of the app. Using the same CA for both can result in browsers requesting client certificates on all paths of your application.
 {{% /alert %}}
 
-#### Specifying IP Ranges {#ip-ranges}
+#### Configuring Allowed IP Ranges {#ip-ranges}
 
-You can specify a number of different IP ranges. Click **Create New Profile** to add a new IP range, or use **Edit** or **Delete** to modify an existing IP range.
+You can define IP profiles to specify which IP addresses or ranges are explicitly allowed to access your application.
 
-For each IP range, you can do the following:
+To manage these profiles:
 
-* Enter a **Profile  Name** 
-* Specify a range of addresses. Mendix Cloud supports both IPv4 and IPv6 format addresses.
+* In the **IP Filtering Profiles** section, click **Create New Profile** to add a new IP range
+* To modify an existing profile, select it and click **Edit**({{% icon name="pencil" %}})
+* To delete a profile, select it and click **Delete**({{% icon name="trash-can" %}})
 
-## Applying a Restriction to an Application Environment
+For each profile, specify the following details:
 
-To apply a restriction to a specific application environment, follow these steps:
+* **Profile Name**: Enter a descriptive name for the IP range
+* **IPv4/IPv6 range**: Enter the specific IP address range. Mendix Cloud supports both IPv4 and IPv6 formats
+
+Requests originating from an IP address within these allowed profiles will be granted access to your application.
+
+### Applying Access Restriction to an Application Environment
+
+To apply access restrictions to a specific application environment, follow these steps:
 
 1. From [Apps](https://sprintr.home.mendix.com), go to the app's **Environments** page.
 2. Click **Details** ({{% icon name="notes-paper-edit" %}}) on the desired environment.
 3. Go to the **Network** tab.
-4. The **Path Based Access Restrictions** section allows for applying access restrictions to a single environment.
+4. Navigate to the [Path Based Access Restrictions](/developerportal/deploy/environments-details/#path-based-restrictions) section to apply access restrictions to a single environment.
 
 {{% alert color="info" %}}
 
@@ -107,19 +115,73 @@ To apply a restriction to a specific application environment, follow these steps
 
 {{% /alert %}}
 
-### Default Settings
+#### Default Settings
 
 These are the default settings:
 
 * When deploying a deployment package to an environment using the **Deploy** or **Transport** functionality, paths representing known functionality in the Mendix version that is used are automatically added to the list of paths
 * All paths ending in `-doc` have a preset **Deny all access** profile set by default
 * All the remaining paths have no restriction applied by default
 
+## IP Restriction Profiles {#ip-restriction-profiles}
+
+IP restriction profiles allow you to deny access to your application from specific IP addresses or IP ranges. You can configure multiple profiles, each with a descriptive name that clearly reflects its purpose.
+
+To view or manage IP restriction profiles, follow these steps:
+
+1. From [Apps](https://sprintr.home.mendix.com), go to your app's **Environments** page.
+2. Click **Cloud Settings** ({{< icon name="settings-slider-1" >}}) from any of the [available tabs](/developerportal/deploy/environments/#available-tabs) to open the **Manage Cloud Settings** page.
+3. Switch to the **IP Restriction Profiles** tab.
+
+When configuring an IP restriction profile, keep the following considerations in mind:
+
+* IP restriction profiles are configured at the application level. They can be reused in all the environments (for example test, acceptance, production) of an app.
+* IP restriction profiles can contain any number of IPv4 or IPv6 address ranges
+
+### Configuring IP Restriction Profiles {#access-restriction}
+
+To configure IP restriction profiles, from the **IP Restriction Profiles** page, you can either:
+
+* Create a new profile by clicking **New Profile**
+* Modify an existing profile by selecting the profile:
+    * Click the **More Options** ({{% icon name="three-dots-menu-horizontal" %}}) icon
+    * Click the **Edit** option to modify the profile
+    * Click **Delete** to delete an existing certificate profile
+    * Click **Clone** to copy and duplicate an existing certificate profile
+
+When you create or edit a profile, you can add IP ranges as described below.
+
+#### Configuring Denied IP Ranges {#denied-ip-ranges}
+
+You can define IP profiles to specify which IP addresses or ranges are explicitly denied access to your application.
+
+To manage these profiles:
+
+* Click **Create New Profile** to add a new IP range
+* To modify an existing profile, select it and click **Edit**({{% icon name="pencil" %}})
+* To delete a profile, select it and click **Delete**({{% icon name="trash-can" %}})
+
+For each profile, specify the following details:
+
+* **Profile Name**: Enter a descriptive name for the IP range
+* **IPv4/IPv6 range**: Enter the specific IP address range. Mendix Cloud supports both IPv4 and IPv6 formats
+
+Requests originating from an IP address within these denied profiles will be blocked from accessing your application.
+
+### Applying IP Restriction to an Application Environment
+
+To apply IP restrictions to a specific application environment, follow these steps:
+
+1. From [Apps](https://sprintr.home.mendix.com), go to the app's **Environments** page.
+2. Click **Details** ({{% icon name="notes-paper-edit" %}}) on the desired environment.
+3. Go to the **Network** tab.
+4. Navigate to the [IP Access Restrictions](/developerportal/deploy/environments-details/#ip-access-restrictions) section to apply access restrictions to a single environment.
+
 {{% alert color="info" %}}
 Following the migration from Cloud Foundry to Kubernetes, access rule violations are now logged in the **Access Log** instead of the **App Log**. For more details on logs, refer to the [Apps Deployed to Mendix Cloud](/developerportal/operate/logs/#apps-deployed-to-mendix-cloud) section of *Logs*.
 {{% /alert %}}
 
-## Use Cases for Access Restrictions
+## Use Cases {#use-cases-for-access-restrictions}
 
 Two scenarios in which you can use access restrictions are described below.
 
@@ -134,7 +196,7 @@ To restrict access to the app to an IP range, follow these steps:
 3. Switch to the **Access Restriction Profiles** tab.
 
 4. Create an access restriction profile.
-5. Add one or more IP ranges to the access restriction profile.
+5. Add one or more IP ranges to the **Denied IP Profiles**.
 
 6. Save the access restriction profile.
 7. Go to the **Deploy** tab of the **Environments** page. Click **Details** ({{% icon name="notes-paper-edit" %}}) on the desired environment.
diff --git a/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md b/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md
@@ -373,6 +373,19 @@ IP addresses must be within the following ranges:
 | 172.32.0.0  | 192.167.255.255 |
 | 192.169.0.0 | 255.255.255.255 |
 
+### IP Access Restrictions {#ip-access-restrictions}
+
+You can define IP profiles to deny access to your application from specific IP addresses or ranges.
+
+The **IP Access Restrictions** overview contains the following information:
+
+* **Current Restriction Profile**
+* **New Restriction Profile**
+
+You can also **Delete**, **Add**, or **Edit** an IP based access restriction.
+
+For more information, refer to the [IP Restriction Profile](/developerportal/deploy/access-restrictions/#ip-restriction-profiles) section of *Restricting Access for Incoming Requests*.
+
 ### Path-Based Access Restrictions {#path-based-restrictions}
 
 You can restrict access to your application using Client Certificates or IP ranges.
@@ -394,7 +407,7 @@ You can **Delete** a path or you can **Add** and **Edit** a path with the follow
 * Custom Profile for Client Certificates and/or IP ranges
 * N/A (inherit)
 
-For more information, see [How to Restrict Access for Incoming Requests](/developerportal/deploy/access-restrictions/).
+For more information, refer to the [Access Restriction Profiles](/developerportal/deploy/access-restrictions/#access-restriction-profiles) section of *Restricting Access for Incoming Requests*.
 
 ### Outgoing Connections Certificates
 
