Use IP range based access control with access policies
IP range based access control creates access policies that allow access to Grafana Cloud services, like metrics or logs, only from specific IP subnets. Connections initiated from IP addresses that are not part of the configured subnets are denied during token validation.
CIDR notation is used to specify the IP subnets. Both IPv4 and IPv6 subnets are supported.
Note that CIDR notation does not allow for specifying individual IP addresses without a subnet mask. Therefore, to specify a single IP address, use the /32
subnet mask for IPv4 and /128
for IPv6.
IP range based access control can be configured using the Grafana Cloud Access Policies API or Grafana Cloud Access Policies page within a stack or on the Cloud Portal.
Set up IP range based access control
Caveats
- IP range-based access control is incompatible with the access policies applied to Grafana data sources.
- IP range based access control is supported by the endpoints matching any of the following patterns:
Note
Support for IP ranges is constantly expanded.
*-ap-northeast-0.grafana.net
*-ap-south-(0|1).grafana.net
*-ap-southeast-(0|1).grafana.net
*-au-southeast-(0|1).grafana.net
*-ca-east-0.grafana.net
*-eu-north-0.grafana.net
*-eu-west-(0|1|2).grafana.net
*-gb-south-0.grafana.net
*-sa-east-(0|1).grafana.net
*-us-central-0.grafana.net
*-us-central1.grafana.net
*-us-east-(0|1).grafana.net
*-us-east4.grafana.net
*-us-west-0.grafana.net
logs-prod-(004|005|008|011|014|015|016|017|019|022|027).grafana.net
logs-prod3.grafana.net
profiles-prod-(003|009|010|011|012|013|014).grafana.net