Using the IP block list

You can prevent specific IP addresses from accessing your service by adding them to a block list. Enabling this feature creates a condition and response that returns a 403 error to anyone trying to access the service from a blocked IP address. You can use this feature to prevent bad actors from interfering with the operation of your web application.

Enabling the IP block list

To enable the IP block list, follow the steps below:

  1. Web interface
  2. API
  1. Log in to the Fastly web interface.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain. You can also go to CDN > CDN Services or Compute > Compute Services to access a list of services by type.
  3. Click Edit configuration and then select the option to clone the active version.
  4. Click Settings.
  5. Click the IP block list switch to On.

    IP block list quick configuration

  6. Click Activate to deploy your configuration changes.

Blocking an IP address

To block an IP address, follow the steps below:

  1. Web interface
  2. API
  1. Click Add address.

  2. In the Address field, enter an IP address or subnet mask (a range of IP addresses) to block for this service. To add an exception for an IP address, use an exclamation point (for example, use !192.0.2.0 or !192.0.2.0/24).

  3. (Optional) In the Comment field, enter a comment that describes the IP address or subnet mask.

  4. Click Add. The IP address or subnet mask appears in the list. This addition will become effective immediately.

    an IP block list, complete with an IP address and a subnet mask, as it appears in the Fastly web interface

Editing a blocked IP address

You can edit a blocked IP address or subnet mask at any time. To edit an IP address or a subnet mask, follow the steps below:

  1. Web interface
  2. API
  1. Find the IP block list associated with your service in which the associated IP addresses or subnet masks appear. Because these entries are versionless, the service version you choose doesn't matter. Choose the one that makes the most sense to you.
  2. In the IP block list area, hover your cursor over an entry, then click the pencil that appears.
  3. Edit the IP address, subnet mask, or comment as necessary.
  4. Click Save. The changes you make will be immediately applied to your configuration. If your IP block list has already been associated with a deployed service version, those changes will happen live.

Deleting an IP block list entry

You can delete individual entries in the IP block list at any time. To delete an IP address or subnet mask that was created via the web interface:

  1. Web interface
  2. API
  1. Find the IP block list associated with your service in which the associated IP addresses or subnet masks appear. Because these entries are versionless, the service version you choose doesn't matter.
  2. In the IP block list area, hover your cursor over an entry, then click the trash that appears.
  3. Click Confirm and delete.

Disabling the IP block list

The IP block list and its associated entries can be disabled in any unlocked service version. To disable the IP block list, follow the steps below:

  1. Web interface
  1. Find the IP block list associated with an unlocked version of your service.
  2. Click the IP block list switch to Off.
  3. Click Yes. This disables the block list and deletes all associated entries.
  4. Click Activate to deploy your configuration changes.

Creating other ACL types

If you need other types of ACLs, you'll need to create them in the Data page of the web interface.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.