IP allow list
BeyondTrust provides additional security controls with an IP Allow List. Administrators can specify which IP addresses are allowed to access your Password Safe Cloud instance using IP rules. If anyone attempts to access the instance from an IP address that is not within the list of allowed addresses, they will not be able to reach the host.
Changes made to IP rules in the IP Allow List do not take effect until the IP rule is set to active and changes are saved using the Save IP Allow List button below the grid.
Important
When configuring IP rules, start by adding the IP address you are currently using to the allow list, and then add the IP addresses of all the Resource Brokers in your environment. Warning messages and informational text are shown to encourage you to add your own IP address to the list first, so that you do not lose access to your own instance once restrictions are enforced.
If IP address changes are made in your network that cause you to lose access to your instance, BeyondTrust Cloud Operations can reset your IP Allow List.
The below sections detail how to add, enable, disable, edit, or delete IP rules.
Add IP rule
Add an IP rule to the IP Allow List, as follows:
- Go to Configuration > System > IP Allow List.
- Click Add IP Rule.
- Select rule Type from the dropdown list:
- CIDR Notation: This allows access from any IP address within a block expressed in Classless Inter-Domain Routing (CIDR) notation, for example a /24.
- Single IP Address: This allows access from a single IP address.
- IP Range: This allows access from any IP address within the range.
- Enter information for the rule.
- Check the Active box to enable the rule.
- Click Add To List.
- Click Save IP Allow List at the bottom of the grid to save changes.
Enable the IP Allow List
Setting an IP rule to Active makes it part of the enforced list, so that once restrictions are on, any IP address not matched by an active rule cannot access the Password Safe Cloud instance. However, no rule is enforced until the Turn on network restrictions global setting is enabled. This setting is disabled by default for all customers, so that you cannot lock yourself out of your instance before your own address is on the list.
Note
The IP addresses of the users who edit the IP Allow List, and of every Resource Broker, must be added before restrictions are enabled. Resource Broker IPs are listed on the Resource Broker grid at the bottom of the BeyondInsight console home page. If the Resource Brokers sit behind a VPN or NAT gateway, the instance sees the gateway's public address rather than the broker's own, so add IP rules that cover that address space.
Enable the Turn on network restrictions setting, as follows:
- From the IP Allow List page, click the toggle to enable the Turn on network restrictions setting.
- Click Save IP Allow List to save changes.
Activate and deactivate IP rules
IP rules can be activated upon creation. They can also be activated and deactivated using actions in the IP Allow List grid, as follows:
- Check the box next to the IP rule. If the IP rule is active, the Deactivate button appears above the grid. If the IP rule is inactive, the Activate button appears.
- Click the Activate/Deactivate button to change the Status of the IP rule.
- Alternatively, you can click the vertical ellipsis button for the rule and select Activate/Deactivate.
- Click Save IP Allow List to save changes.
Edit and delete IP rules
You can edit an IP rule, as follows:
- Click the vertical ellipsis for the rule and select Edit IP Rule.
- Edit the rule, and then click Save Changes.
- Click Save IP Allow List to save changes.
You can delete the IP rule, as follows:
- Check the box next to the IP rule to select it.
- Click the delete icon above the grid.
- Alternatively, you can click the vertical ellipsis button for the rule and select Remove IP Rule.
- A message displays, asking you to confirm your action. Click Remove to continue or Cancel to keep the IP rule.
Restrictions
The IP Allow List is subject to the limits of Azure network security groups, which contain the rules that allow or deny network traffic to and from Azure resources. The restrictions you should be aware of are as follows:
- Name: must be unique within the network security group and at most 80 characters long. It must begin with a word character, end with a word character or '_', and contain only word characters, '.', '-', and '_'.
- Description: maximum length 140 characters.
- IPv4 range: maximum of 1500 addresses in a single IP Range rule.
- Restricted address: some addresses cannot be used in a rule. The error message displayed is "Restricted IP address, see documentation for more details."
Note
For more information, please see Microsoft Azure Network Security Rules.
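The procedures above rely on you getting three things right by hand: the syntax of each rule type from the Add IP Rule dropdown, the Azure limits listed under Restrictions, and, most importantly, that your own address and every Resource Broker address are matched by an active rule before you turn on network restrictions. The following pre-flight check, an added example that is not BeyondTrust code and does not talk to the product, models the allow list locally with Python's standard ipaddress module and reports limit violations and any address that no active rule would admit. The IPRule class, the "cidr"/"single"/"range" type names and the sample addresses (RFC 5737 documentation ranges) are constructed for this example; the limits are the ones quoted on this page.

```python
import ipaddress
import re
from dataclasses import dataclass

# Limits quoted in the Restrictions section of this page.
NAME_MAX_LEN = 80
DESC_MAX_LEN = 140
RANGE_MAX_ADDRESSES = 1500
# Word character first; word characters, '.' and '-' in the middle; a word
# character (which already includes '_') last. A one-character name is allowed.
NAME_RE = re.compile(r"^\w(?:[\w.\-]*\w)?$")


@dataclass
class IPRule:
    """One row of the IP Allow List grid (hypothetical local model, not the product API)."""
    name: str
    rule_type: str      # "cidr", "single" or "range": the three types in the Add IP Rule dropdown
    value: str          # "192.0.2.0/24", "203.0.113.7" or "198.51.100.10-198.51.100.20"
    active: bool = True
    description: str = ""

    def networks(self):
        """Expand the rule to the list of networks it allows (raises ValueError if unparsable)."""
        if self.rule_type == "cidr":
            return [ipaddress.ip_network(self.value, strict=False)]
        if self.rule_type == "single":
            return [ipaddress.ip_network(self.value)]  # a host address becomes a /32 (or /128)
        if self.rule_type == "range":
            first, last = (ipaddress.ip_address(p.strip()) for p in self.value.split("-", 1))
            if first > last:
                raise ValueError(f"range start {first} is above range end {last}")
            return list(ipaddress.summarize_address_range(first, last))
        raise ValueError(f"unknown rule type {self.rule_type!r}")

    def address_count(self):
        return sum(n.num_addresses for n in self.networks())

    def covers(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.networks())


def validate_rule(rule):
    """Return the list of limit violations for one rule (an empty list means it is acceptable)."""
    problems = []
    if len(rule.name) > NAME_MAX_LEN or not NAME_RE.match(rule.name):
        problems.append(f"{rule.name!r}: name must be 1-{NAME_MAX_LEN} chars of word/./-/_ "
                        "and start with a word character")
    if len(rule.description) > DESC_MAX_LEN:
        problems.append(f"{rule.name!r}: description longer than {DESC_MAX_LEN} characters")
    try:
        count = rule.address_count()
    except ValueError as exc:
        problems.append(f"{rule.name!r}: unparsable value {rule.value!r} ({exc})")
        return problems
    if rule.rule_type == "range" and count > RANGE_MAX_ADDRESSES:
        problems.append(f"{rule.name!r}: range covers {count} addresses, limit is {RANGE_MAX_ADDRESSES}")
    return problems


def preflight(rules, my_ip, broker_ips):
    """Lockout check to run before enabling Turn on network restrictions.

    Only active, valid rules count, because inactive rules are never enforced and
    invalid ones cannot be saved. Returns the limit violations and every address
    (your own first, then the brokers) that no active rule would admit.
    """
    problems = [p for r in rules for p in validate_rule(r)]
    active = [r for r in rules if r.active and not validate_rule(r)]
    uncovered = [ip for ip in [my_ip, *broker_ips] if not any(r.covers(ip) for r in active)]
    return {"problems": problems, "uncovered": uncovered,
            "safe_to_enable": not problems and not uncovered}


# Constructed sample allow list; addresses come from the RFC 5737 documentation ranges.
SAMPLE_RULES = [
    IPRule("admin-workstation", "single", "203.0.113.7", description="Add yourself first"),
    IPRule("resource-brokers", "range", "198.51.100.10-198.51.100.20"),
    IPRule("branch-office", "cidr", "192.0.2.0/24", active=False),  # saved but never activated
    IPRule("too-wide", "range", "10.0.0.0-10.0.15.255"),            # 4096 addresses, over the limit
]

if __name__ == "__main__":
    result = preflight(SAMPLE_RULES, my_ip="203.0.113.7",
                       broker_ips=["198.51.100.12", "192.0.2.9"])
    for line in result["problems"]:
        print("LIMIT:", line)
    for ip in result["uncovered"]:
        print("NOT COVERED by any active rule:", ip)
    print("safe to enable:", result["safe_to_enable"])
```

Run against the sample list, the check flags the 4096-address range and reports that the broker at 192.0.2.9 is not covered, because the only rule matching it is inactive. Feed it the address you see from the instance's point of view (the NAT or VPN gateway address, not a private one) and the addresses from the Resource Broker grid before you click the Turn on network restrictions toggle.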