News & Announcements

Introducing Netlify Firewall Traffic Rules: IP and Geo Restrictions for WAF Security

News & Announcements

Introducing Netlify Firewall Traffic Rules: IP and Geo Restrictions for WAF Security

Web applications and websites are common targets of malicious attacks. Firewall functionality, including blocking and allowing requests from specific IP addresses and geographic locations, is one of the powerful industry-standard principles of zero trust to help ensure only the appropriate visitors can access your web properties.

Mitigate web application vulnerabilities with Netlify Firewall Traffic Rules

Today, we are excited to announce the release of Netlify Firewall Traffic Rules. This new feature empowers Enterprise customers with Netlify High-Performance Edge to proactively control who can access their Netlify web properties based on the geographic location and IP address of the requestor, in real-time, to align with your business and security policy requirements.

With Firewall Traffic Rules, Netlify Team owners can now create and manage IP and geo restriction rules for their websites, directly from within the Neltify platform. These rules can be set at the team level for all sites, or per-team. Furthermore, discrete rules can be set for published and non-published site contexts, which means your team can combine level-3 traffic rule protection with level 7 site protection and apply it to unpublished content from unauthorized access easily from the Netlify UI. This means your team can now apply a layered approach to securing your Netlify infrastructure, tailored to your unique business needs.

Watch the 1-minute demo video

Configuring traffic rules is quick and easy, starting with simple, high-level “Allow All” and “Block All” traffic options that can be fine-tuned for more advanced needs with granular IP and geo restrictions and exceptions. These access controls enable your team to easily implement and maintain rules that fit your unique business policies.

Benefits of Netlify Firewall Traffic Rules

Netlify Firewall Traffic Rules offer your team an added layer of protection against malicious web attacks. By limiting access to your web properties, you can:

  • Protect non-published website updates from unwanted visitors prior to publication
  • Grant explicit website access for vendor and contractor networks
  • Block malicious traffic to production sites
  • Prevent visitors from accessing your sites from countries that do not adhere to your organization’s business policies
  • Control infrastructure bandwidth spend by blocking unwanted traffic from specific IPs, IP ranges, and countries.

Use cases and configurations for IP and geo blocking

Prevent visitor access from countries where you cannot conduct business

With Netlify Firewall Traffic Rules, you can easily and proactively restrict access to your website based on your visitors’ geographic location for all of your sites at the team level, or individually by site. For the purposes of this example, we’ll set this rule at the team level.

To configure, navigate to Team settings > Firewall > Traffic rules. Under Traffic rules, click “Configure” under Published deploys. With the “Allow all traffic” setting selected, expand the Geographic restrictions section and select “Add another geographic restriction”.

Where you can add geo restrictions to your web application firewall (WAF) traffic rules in the Netlify app UI

You can then select the country or countries which you wish to restrict traffic from.

List of countries which you can select to restrict traffic from

You can also provide a short description to the rule before saving to make it easier to review the geo blocking rules you have in place at a quick glance.

Short description providing context behind each geo restriction

Grant IP exceptions for visitor access from within blocked countries

Let’s say you have a contractor in one of the blocked countries that needs to access your sites. You can easily provide access to their IP address in the rules we configured above.

Click “Configure” under Published deploys and expand the IP exceptions section. Then select “Add another IP exception”.

Where you can add IP exceptions to your web application firewall (WAF) traffic rules in the Netlify app UI

You can then add the IP address for the user, or network, within one of the restricted countries to grant access to your site.

IP addresses for users or networks you'd like to grant access to your site, although within any of your geo restrictions

Providing a brief description makes it easy to see the purpose of the exception as well as provide other team members clear context for this traffic rule.

Short description providing context behind each IP exception

Restrict access to only requests routed through your external firewall

If your organization has requirements to protect all of its web properties behind an existing firewall, an easy way to help guarantee that only authorized traffic can make its way to your Netlify websites is to prevent traffic requests that originate from outside of your trusted network.

To do this, start by selecting “Configure” under Published deploys on the Firewall Traffic Rules view. From here, select “Block all traffic”, then expand the IP exceptions selection, and select “Add another IP exception”.

Add your Web Application Firewall (WAF) IP addresses here, give it a brief description, and click “Save”.

Where you can add authorized IP addresses behind an existing firewall with a short description providing context

Once configured, only traffic that comes through your firewall will be able to access your sites.

Example of the configuration to restrict access to requests routed through your external firewall in the Netlify app UI

Please note: We recommend using caution when using the "Block all traffic" setting, especially on published and/or production sites. With no exceptions defined, it will render your site(s) inaccessible to all requests.

Secure non-published deploys with default traffic rules

Another powerful capability of Firewall Traffic Rules is to prevent unwanted access to all of your non-published deploys (or even your Published deploys before officially launching).

To accomplish this, start by selecting “Config” under Unpublished deploys, then select “Block all traffic”. Click “Add another IP exception”, then add your team’s IP address and a brief description, then click “Save”.

Where you can add your team's IP addresses for access, while blocking all other traffic in the Netlify app UI

Once saved, only requests from the configured IP exception will be able to access your non-published deploys.

This is only the beginning of Netlify’s Firewall functionality

Current Netlify customers can learn more about how to implement and take full advantage in the Netlify Firewall Traffic Rules docs.

Already a Netlify customer? Tell us about other Firewall needs you’d like to see offered on our platform.

Not yet on Netlify? Talk with a Netlify team member and get a complimentary tailored walkthrough of the platform.

Keep reading

Recent posts

eBook cover

Better, faster, future-proof: Three keys to shipping stand-out digital experiences

Get my free copy