Trusted IP Ranges for Private Spaces
Last updated November 15, 2024
This article is a work in progress, or documents a feature that is not yet released to all users. This article is unlisted. Only those with the link can access it.
Only team admins can manage trusted IP ranges for a Private Space.
Each Private Space has a set of trusted IP ranges, with each range represented in CIDR block notation, for example 192.0.2.0/24. Only clients originating from one of these trusted IP ranges can access web processes running in the Private Space. Use trusted IP ranges to restrict traffic to your apps so that only requests from your corporate network, or from a CDN service that proxies traffic for your apps, are admitted. Trusted IP ranges only apply to web processes running in the space.
After creating a space, it’s configured with a default trusted IP range of 0.0.0.0/0, which admits traffic from the entire internet.
Trusted IP ranges only restrict access to applications in a space. They don’t control from which source IP ranges you can execute CLI commands or connect to the Heroku Dashboard.
View and Set Trusted IP Ranges
You can add up to 20 IP ranges per space.
To open up a Private Space to traffic from the whole Internet, the default for newly created spaces, add the CIDR range 0.0.0.0/0.
With the Heroku Dashboard
In the Heroku Dashboard, open the Network tab for a space to view and add IP ranges.
With the CLI
List current trusted IP ranges for a Private Space using the CLI:
$ heroku trusted-ips --space acme-prod
=== Trusted IP Ranges
192.0.2.0/26
192.0.2.64/26
Add a new range using the CLI:
$ heroku trusted-ips:add 192.0.2.128/26 --space acme-prod
Added 192.0.2.128/26 to trusted IP ranges on acme-prod
▸ WARNING: It may take a few moments for the changes to take effect.
Trusted IP Ranges for Data Services
For Private/Shield Postgres and Kafka databases, the recommended method to allow outside access is to use mTLS instead of trusted IPs. If both mTLS and Trusted IPs are enabled on your data add-on, mTLS takes precedence over Trusted IPs. For Heroku Postgres, connections received from an IP address allowlisted for both mTLS and Trusted IPs must present a valid client certificate, following mTLS requirements.
This is a beta feature. Open a ticket at help.heroku.com to ask us to enable it for you.
Trusted IP ranges for data services are not available in Shield Private Spaces.
By default, trusted IP ranges only apply to web processes running in the space. Only dynos within the space can access data services, like Heroku Postgres, Heroku Key-Value Store, and Apache Kafka on Heroku. You can optionally choose to also allow access from trusted IP addresses to data services in the space.
Some caveats do exist for this feature:
- We ignore 0.0.0.0/0 because this CIDR block exposes the database to the wider Internet.
- Granular controls don’t exist. A trusted IP can reach both web dynos and data products.