Made by: Kong Inc.
Supported Gateway Topologies: hybrid, db-less, traditional
Supported Konnect Deployments: hybrid, cloud-gateways, serverless
Compatible Protocols: grpc, grpcs, http, https, tcp, tls, tls_passthrough, udp, ws, wss

The IP Restriction plugin restricts access to a Gateway Service or a Route by either allowing or denying IP addresses. This can help block malicious activity, such as spam or access to certain websites. Single IPs, multiple IPs, or ranges in Classless Inter-Domain Routing (CIDR) notation like 10.10.10.0/24 can be used. The plugin supports IPv4 and IPv6 addresses.

How does the IP Restriction plugin work?

You can configure the plugin with an allow list of IP addresses or ranges to allow and a deny list of IP addresses or ranges to reject. When only an allow list is configured, all IP addresses that aren’t on that list are rejected. Similarly, when only a deny list is configured, all IP addresses that aren’t on the deny list are accepted.

You can also configure the plugin with both an allow list and a deny list. This is useful if you want to allow a CIDR range but deny an individual IP address within that range.

How is the IP address determined?

Kong Gateway determines the client IP address from a request header sent to it from downstream. In most cases, this header is named X-Real-IP or X-Forwarded-For.

By default, Kong Gateway uses the header name X-Real-IP. If a different header name is required, it needs to be defined using the real_ip_header property in kong.conf. Depending on the network setup, the trusted_ips property may also need to be configured to include the load balancer IP address.
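The following Python sketch is an added illustration, not Kong's own code. It models the two steps described above: resolving the client IP from the configured header only when the connecting peer is listed in trusted_ips, then applying the deny and allow lists. The function names, the sample addresses, and the fallback to the peer address on a malformed header are assumptions made for this example.

```python
import ipaddress

def _in_any(ip, entries):
    """True if ip matches any single address or CIDR range in entries."""
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def client_ip(peer_addr, headers, trusted_ips, real_ip_header="X-Real-IP"):
    """Use the header value only if the connecting peer is a trusted proxy."""
    peer = ipaddress.ip_address(peer_addr)
    value = headers.get(real_ip_header)
    if value and _in_any(peer, trusted_ips):
        try:
            return ipaddress.ip_address(value.strip())
        except ValueError:
            pass  # assumption of this sketch: malformed header, keep peer address
    return peer

def is_allowed(ip, allow=(), deny=()):
    """Deny list is checked first, so it can carve an IP out of an allowed range."""
    if deny and _in_any(ip, deny):
        return False
    if allow and not _in_any(ip, allow):
        return False
    return True

def decide(peer_addr, headers, trusted_ips, allow=(), deny=()):
    return is_allowed(client_ip(peer_addr, headers, trusted_ips), allow, deny)

# Constructed sample configuration (documentation address ranges).
ALLOW = ["10.10.10.0/24", "2001:db8::/32"]
DENY = ["10.10.10.5"]
TRUSTED = ["192.0.2.10"]  # hypothetical load balancer address

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", {"X-Real-IP": "10.10.10.7"}),   # via load balancer, in allowed range
        ("192.0.2.10", {"X-Real-IP": "10.10.10.5"}),   # in allowed range but explicitly denied
        ("203.0.113.9", {"X-Real-IP": "10.10.10.7"}),  # untrusted peer: header is ignored
        ("192.0.2.10", {"X-Real-IP": "2001:db8::1"}),  # IPv6 client in allowed range
    ]
    for peer, hdrs in cases:
        verdict = "allow" if decide(peer, hdrs, TRUSTED, ALLOW, DENY) else "reject"
        print(peer, hdrs, "->", verdict)
```

The third case shows why trusted_ips should list only proxies you operate: if any peer were trusted, a client could place an allowed address in the header itself.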
