Last updated March 09, 2026
Only team admins can manage trusted IP ranges for a space.
You can restrict access to Heroku Private Spaces with the Trusted IPs feature. Each space has a set of trusted IP ranges, with each range represented in CIDR block notation, for example, 192.0.2.0/24. Only clients originating from one of these trusted IP ranges can access web processes running in the space. Use trusted IP ranges to limit traffic to your apps to requests that come from your corporate network or from a CDN service that proxies traffic for your apps. Trusted IP ranges only apply to web processes running in the space.
A newly created space is configured with a default trusted IP range of 0.0.0.0/0, which admits traffic from the entire internet.
A Fir-generation space, which supports IPv6 in addition to IPv4, has an additional default trusted IP range of ::/0.
Understanding CIDR Ranges
Classless Inter-Domain Routing (CIDR) represents a range of IP addresses using a single “CIDR block.” An example CIDR block of 192.0.2.0/24 consists of:
- A starting IP address, such as 192.0.2.0
- A forward slash and a suffix length, such as /24
The suffix length indicates the fixed number of bits in the IP address, which determines the size of the network range. The higher the suffix length, the smaller and more specific the range of IP addresses is.
For example, a /32 suffix represents a single specific IP address, such as 192.0.2.1/32. A /24 suffix represents a block of 256 addresses. If you must open your Private Space to traffic from the entire public internet, you can use the special CIDR range 0.0.0.0/0, which covers every possible IPv4 address. This range is the default setting for newly created spaces.
Large CIDR ranges, especially /16 or lower, expose your services to large blocks of the public internet and are generally unsafe. These broad ranges significantly increase your attack surface by allowing traffic from millions of potentially unknown sources. To maintain a secure environment, always use the most specific range possible (the highest suffix number), and avoid ranges of /16 or lower unless they're necessary for your architecture.
View and Set Trusted IP Ranges
You can’t customize trusted IP ranges in Fir-generation spaces. Subscribe to our changelog to stay informed on when we add this feature to Fir.
You can add up to 20 IP ranges per space.
With the Heroku Dashboard
In the Heroku Dashboard, open the Network tab for a space to view and add IP ranges.
With the CLI
List current trusted IP ranges for a Private Space using the CLI:
$ heroku trusted-ips --space acme-prod
=== Trusted IP Ranges
192.0.2.0/26
192.0.2.64/26
Add a new range using the CLI:
$ heroku trusted-ips:add 192.0.2.128/26 --space acme-prod
Added 192.0.2.128/26 to trusted IP ranges on acme-prod
▸ WARNING: It may take a few moments for the changes to take effect.
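One way to audit the listing printed by `heroku trusted-ips` against the guidance on this page, as an added example that is not Heroku's own code. The sample listing is constructed, the function names are hypothetical, and applying the /16 threshold to IPv4 only is an assumption.

```python
import ipaddress

MAX_RANGES = 20        # per-space limit stated on this page
BROAD_V4_PREFIX = 16   # the page calls /16 or lower generally unsafe (IPv4-only here: assumption)

# Constructed sample in the format `heroku trusted-ips --space <name>` prints.
SAMPLE_OUTPUT = """\
=== Trusted IP Ranges
192.0.2.0/26
198.51.0.0/16
203.0.113.7/24
192.0.2.16/28
0.0.0.0/0
"""

def parse_ranges(cli_output):
    """Return the CIDR strings from the listing, skipping the "===" header and blank lines."""
    return [s for s in map(str.strip, cli_output.splitlines()) if s and not s.startswith("===")]

def audit(cidrs):
    """Return (cidr, finding) tuples for every range that needs review."""
    findings, nets = [], []
    if len(cidrs) > MAX_RANGES:
        findings.append(("*", f"{len(cidrs)} ranges exceeds the limit of {MAX_RANGES}"))
    for text in cidrs:
        try:
            iface = ipaddress.ip_interface(text)
        except ValueError:
            findings.append((text, "not a valid CIDR block"))
            continue
        net = iface.network
        if iface.ip != net.network_address:   # e.g. 203.0.113.7/24
            findings.append((text, f"host bits set; network is {net}"))
            continue
        if net.prefixlen == 0:
            findings.append((text, "admits the entire internet"))
        elif net.version == 4 and net.prefixlen <= BROAD_V4_PREFIX:
            findings.append((text, f"broad range: {net.num_addresses} addresses"))
        nets.append(net)
    for net in nets:
        # A /0 entry already has its own finding, so it is not reported as covering the rest.
        cover = next((o for o in nets if o.prefixlen and o != net
                      and o.version == net.version and net.subnet_of(o)), None)
        if cover:
            findings.append((str(net), f"redundant: covered by {cover}"))
    return findings

if __name__ == "__main__":
    for cidr, finding in audit(parse_ranges(SAMPLE_OUTPUT)):
        print(f"{cidr:18} {finding}")
```

Redundant entries are worth removing because each one counts toward the 20-range limit without changing which clients are admitted.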
Trusted IP Ranges for Data Services
For Private/Shield Postgres and Kafka databases, the recommended method to allow outside access is to use mTLS instead of trusted IPs. If both mTLS and Trusted IPs are enabled on your data add-on, mTLS takes precedence over Trusted IPs. For Heroku Postgres, connections received from an IP address allowlisted for both mTLS and Trusted IPs must present a valid client certificate, following mTLS requirements.
This is a beta feature. Open a ticket at help.heroku.com to ask us to enable it for you.
Trusted IP ranges for data services are not available in Shield Private Spaces.
By default, trusted IP ranges only apply to web processes running in the space. Only dynos within the space can access data services, like Heroku Postgres, Heroku Key-Value Store, and Apache Kafka on Heroku. You can optionally choose to also allow access from trusted IP addresses to data services in the space.
Some caveats do exist for this feature:
- We ignore 0.0.0.0/0 because this CIDR block exposes the database to the wider Internet.
- Granular controls don’t exist. A Trusted IP can reach both web dynos and data products.