IP Restrictions

Owned by Elias Brattli Sørensen
Last updated: Jun 28, 2021
2 min read

IP restrictions only support IPv4 addresses.

IP restrictions limit the use of features to a subset of IP addresses on the network. Typical use cases for configuring IP restrictions is to limit access to the local network, exclude devices known not to support a feature, or restrict which IP addresses should be allowed to communicate with your Atlassian application.

IP restrictions are currently available for Kerberos, Kerberos for REST, and API Tokens.

Restriction modes

The restriction modes are used to specify how to restrict access based on the unblocked list and blocked list. The possible modes are No restriction, Allow, and Deny.

No restriction DEFAULT

No restriction based on IP addresses.

Allow

Only IP addresses specified in the unblocked list are enabled. If an address matches both lists, the blocked list takes precedence. As such, you can specify IP ranges in the unblocked list and override specific IP addresses with the blocked list.

Deny

All IP addresses are enabled except those specified in the blocked list. If an address matches both lists, the unblocked list takes precedence. As such, you can specify IP ranges in the blocked list and override specific IP addresses with the unblocked list.

IP address matching syntax

When adding IP addresses to the unblocked and blocked list, you can use a combination of full Ip addresses, IP address prefixes, and regular expressions.

Full IP addresses

Use the full IP address to target a specific device.

192.168.1.1

IP address prefix

Use IP address prefix to target a range of IP addresses. This syntax targets all IP addresses starting with the given prefix. The prefix must end with a dot / punctiation mark: '.'.

192.168.1.

CIDR address

Use CIDR address prefix to target a range of IP addresses.

192.168.1.0/24

Regular expressions

If you need even more control when targeting IP addresses, you can create your own matching rules using regular expressions.

 

NOTE: For Kantega Single Sign-on to evaluate IP restrictions correctly when behind a reverse proxy, the IP address must be communicated to the Atlassian application. See the yellow notification box in the below screenshot, which tells you the IP currently “seen” by the application.