Many businesses have a known set of IP addresses that define where acceptable and expected network traffic should come from. This ranges from physical office locations, to network services like a VPN or proxy server. Starting today, IP allow lists are available in public beta for GitHub Enterprise Cloud customers. This feature allows you to limit access to enterprise assets to an allowed set of source IPs.
By combining IP allow lists with known physical devices, a business can confidently remove any risk that user credentials, like personal access tokens, are being executed from anywhere but an approved location.
IP allow lists provide the ability to filter traffic from specified IP ranges, defined by CIDR notation. The allow list is defined at the enterprise or organization account level in Security > Settings. All traffic that attempts to reach private resources within the enterprise account are filtered by the IP allow list.
Any navigation to resources protected by an IP allow list—whether by web, search, api, or command line git access—will be filtered by the list, including through:
- Username and password with GitHub authentication or SAML SSO
- Personal access tokens
- SSH keys
All user credentials, including those belonging to administrators, are subject to IP allow list checks. IP allow lists are not enforced on traffic directed to public repositories.
IP allow lists defined at the enterprise level are enforced on all organizations that belong to that enterprise account. Each organization may also enable their own IP allow lists that build on the lists that are inherited from the enterprise. This is especially useful when you need to create access pathways for contractors that don’t have the ability to work in the same physical location or access a corporate VPN.
How to provide feedback
We’d love to hear your thoughts on IP allow lists throughout the public beta period. Share your comments with us through our product feedback contact form. Be sure to select “Teams, organizations, or Enterprise accounts” where our product team will be watching for items related to this feature.