STAGE 1 Enterprise Security Posture

IP Allowlisting

Control who can
even reach your services.

Before identity, before certificates, before zero-trust — the first and fastest way to reduce your attack surface is to make your services unreachable to everyone except the people and systems that need them.

See How It Works Implementation Guide
Complexity Low
Time to Deploy Hours → Days
Risk Reduction Immediate
Next Stage mTLS / X.509
Scroll Down

The Core Principle

You can't attack what you can't reach.

IP allowlisting is a network-layer control that restricts which source IP addresses can connect to a service at all — before any application code runs, before any authentication is attempted. It is the bluntest and most effective first line of defence for services that don't need to be publicly accessible.

Coarse-Grained

Not fine-grained, but that's the point. Entire networks of attackers are excluded before any application logic is touched.

Immediate Effect

A firewall rule or security group change takes minutes and instantly removes the service from the view of everyone outside the allowed range.

Operationally Simple

No certificates, no PKI, no identity infrastructure. A list of IPs in a security group or WAF rule is understandable by any team member.

Layerable

IP filtering is not a substitute for identity — it's the outer boundary that everything else sits inside. Stage 2 (mTLS) goes inside this perimeter.

IP allowlisting doesn't prove who someone is. It proves they're in the right place. That's still enormously valuable — and it's where every enterprise should start.

entityOS Security Framework — Stage 1

How It Works

Three simple controls.

IP allowlisting is implemented at the network layer — typically as cloud security group rules, firewall policies, or WAF IP restrictions. No application changes required.

CONTROL 01

Security Groups

AWS Security Groups, Azure NSGs, and GCP Firewall Rules all support inbound IP restrictions at the infrastructure level. A rule denying all inbound traffic except from specific CIDRs is the foundation.

# AWS Security Group — allow only office CIDR aws ec2 authorize-security-group-ingress --group-id sg-xxxxxxxx --protocol tcp --port 443 --cidr 203.0.113.0/24
CONTROL 02

WAF IP Rules

Web Application Firewalls (AWS WAF, Cloudflare, Azure Front Door) can enforce IP allowlists at the edge — before traffic even reaches your infrastructure. Effective for APIs and web services that run behind a CDN or load balancer.

# AWS WAF IP Set — allowlist rule Type: IP_SET Addresses: - 203.0.113.0/24 # office - 10.0.0.0/8 # internal VPC - 52.x.x.x/32 # CI/CD NAT
CONTROL 03

Private Endpoints

The strongest form of IP control: remove public endpoints entirely. AWS PrivateLink, VPC peering, and Azure Private Endpoints make a service reachable only from within designated private networks — no public IP exists to attack.

# RDS — disable public access entirely PubliclyAccessible: false VpcSecurityGroups: - sg-internal-only SubnetGroup: private-subnet-group

Scope & Fit

Know where it holds — and where it doesn't.

IP allowlisting excels in constrained, well-defined environments. It struggles when infrastructure becomes dynamic or teams become distributed. Knowing the boundary is as important as knowing the capability.

Works Well

Effective Scenarios

  • Admin APIs restricted to office or VPN IP ranges
  • CI/CD pipelines running from fixed NAT gateway IPs
  • Databases accessible only from application server subnets
  • Internal monitoring and management APIs inside a VPC
  • Webhooks from known third-party SaaS providers with fixed IPs
  • Bastion host SSH access from specific operator workstations
In these scenarios IP filtering provides strong, low-overhead, immediate protection.
Where It Breaks Down

Limitations to Know

  • Autoscaling container fleets with ephemeral, unpredictable IPs
  • Remote and distributed teams without a corporate VPN
  • Machine-to-machine services at cloud scale (thousands of callers)
  • NAT-obscured environments where many users share one IP
  • Attacker already inside an allowed network (lateral movement)
  • Services requiring fine-grained per-user or per-role access control
These scenarios require Stage 2: cryptographic identity (mTLS / X.509).

Scenario Matrix

See how Stage 1 performs across common use cases.

IP allowlisting alone — no cryptographic identity, no mTLS. Assessed against real enterprise access scenarios.

Scenario IP Allowlisting (Stage 1) Coverage Level Notes
Admin API — office only ✓ Effective Strong Office CIDR + VPN IP — static, predictable
Database — app servers only ✓ Effective Strong Private subnet, no public endpoint
CI/CD — fixed NAT gateway ✓ Effective Strong Single known IP per pipeline
Webhook from SaaS provider ✓ Effective Strong Provider publishes static IP ranges (e.g. GitHub, Stripe)
Internal API — VPC only ✓ Effective Strong PrivateLink / VPC endpoint — no public route
Remote worker API access ⚠ Partial Moderate Requires VPN with fixed egress IP — adds operational overhead
Autoscaling microservices ⚠ Limited Low CIDR block works within known subnets; per-pod not feasible
Third-party partner integration ⚠ Partial Moderate Only if partner has static egress IPs — often not the case
Lateral movement within allowed range ✗ No protection None Attacker already inside CIDR — Stage 2 (mTLS) required

Implementation

Deploy Stage 1 in five steps.

01 Audit your public surface List every service, port, and endpoint currently reachable from the public internet. Use cloud-native tools (AWS Trusted Advisor, Azure Security Centre, GCP Security Command Centre) to find unintended exposure. Discovery
02 Classify access requirements For each service, define who legitimately needs access. Group into: public (internet-facing), internal (VPC only), restricted (specific CIDRs), and private (no public endpoint). This drives the allowlist design. Design
03 Implement security group rules Apply deny-all as the default, then add explicit allow rules per CIDR. Use infrastructure-as-code (Terraform, CloudFormation) so rules are version-controlled, reviewable, and auditable. Never manage allowlists manually. Deploy
04 Remove public endpoints where possible For any service that doesn't need internet-facing access, disable the public endpoint entirely. Move to VPC-internal routing, PrivateLink, or peering. No public IP is the strongest IP allowlist. Harden
05 Establish a review and rotation process Allowlists drift. Schedule quarterly reviews. Use tagging to annotate every CIDR with its owner, purpose, and expiry. Treat stale entries as a security risk — remove them systematically. Govern

Best Practices

Rules that keep Stage 1 effective.

IP allowlisting is simple to implement but easy to mismanage. These rules keep it working as a real security control, not just a checkbox.

Rule 01

Always use Infrastructure as Code

Allowlist rules must be in Terraform, CloudFormation, or Pulumi — never managed through the console. Manual rules become stale, undocumented, and unauditable within months.

Rule 02

Tag every CIDR entry

Each allowed IP range must be annotated with: who owns it, why it's allowed, when it was added, and when it should be reviewed. Untagged entries are the most common source of allowlist sprawl.

Rule 03

Use the smallest CIDR possible

Avoid /16 or /8 ranges unless genuinely required. A /32 (single IP) is always preferable. Overly broad CIDRs defeat the purpose of the control.

Rule 04

Log all denied connections

Enable VPC Flow Logs, NSG flow logs, or WAF logging for all denied traffic. Denied connection logs are your threat intelligence feed — they show who is probing your perimeter.

Rule 05

Review allowlists quarterly

Staff leave, contractors finish, infrastructure changes. Every entry older than 90 days without a confirmed active use case should be removed. Build this into your security calendar.

Rule 06

Default deny, then allow

Security group default should be 0.0.0.0/0 DENY for all inbound traffic. Allowlists only work if the baseline is denial — partial restriction leaves gaps.

Common Mistakes to Avoid
Trusting shared IP ranges

Allowing a broad office /16 when only 5 machines need access exposes you to every other device on that network, including compromised ones.

Treating IP as identity

An allowed IP only means the packet arrived from the right place — not that the caller is authorised. Always combine with authentication for sensitive operations.

Never removing entries

Allowlists that only ever grow become meaningless. A contractor's home IP from two years ago is as dangerous as no allowlist at all.

Not alerting on denied traffic

If you're not monitoring denied connections, you have no visibility into who is probing your perimeter. Set alerts for sustained denial patterns.

The Road Ahead

Stage 1 is the perimeter.
Identity is the interior.

IP allowlisting gives you a strong outer boundary. The next stages layer cryptographic identity on top — so that even traffic from allowed networks must prove who it is.

01 Current Stage

IP Allowlisting

Restrict network reachability. Deny all by default. Allow only known, trusted source IPs and CIDRs. Eliminate public exposure for private services.

02 Next Stage

mTLS + X.509 Identity

Layer cryptographic proof of identity on top of the network boundary. Every connection requires a valid certificate. Services prove who they are, not just where they are.

Stage 1 Principle

Start with IP allowlisting for every non-public service — today, before anything else. It is fast to deploy, immediately effective, and creates the outer boundary that all subsequent security layers depend on. A service with no public endpoint cannot be directly attacked from the internet.