Restrict Access for Incoming Requests

Last modified: July 1, 2025

Introduction

Your app is accessible over the internet, but you may not want unrestricted access. Use access restrictions to apply fine-grained control over access to your application.

You can apply access restrictions at different URL levels, such as:

Top level of the application URL (/)
Specific paths (such as /ws/ or /odata/). This allows you to, for example, open up web services without giving general users access to the app itself.

Presets are available to simplify common requirements, such as allowing or denying all access. In addition, custom profiles can be created using IP range filters and client certificate authorities (CAs).

Access Restriction Profiles

You can specify multiple access restriction profiles for your application, each with a descriptive name that reflects its purpose.

To view or manage access restriction profiles, follow these steps:

From Apps, go to your app’s Environments page.
Click Cloud Settings ( ) from any of the available tabs to open the Manage Cloud Settings page.
Switch to the Access Restriction Profiles tab.

When configuring an access restriction profile, keep the following considerations in mind:

Access restriction profiles are configured at the application level. They can be reused in all the environments (test, acceptance, production) of an app.
Access restriction profiles can contain any number of IPv4 address ranges, client CAs, or both.
If an access restriction profile contains both IP address ranges and client CAs, then any match on either the IP range or the client certificate will grant access.

Configuring Access Restriction Profiles

To configure access restriction profiles, from the Access Restriction Profiles page, you can either:

Create a new profile by clicking New Profile
Modify an existing profile by selecting the profile:
- Click the More Options ( ) icon
- Click the Edit option to modify the profile
- Click Delete to delete an existing certificate profile
- Click Clone to copy and duplicate an existing certificate profile

When you create or edit a profile, you can add IP ranges and certificate profiles as described below.

Changing the Profile Name

To rename an access restriction profile. follow these steps:

Locate the profile of interest from the Access Restriction Profiles page.
Click the More Options ( ) icon.
Click Edit.
In the edit page enter the new name.
Click Save to apply your changes.

Specifying TLS Client Certificate Verification

Click Create New Profile to create a new TLS certificate profile, or select an existing profile and click Edit. If you are creating a new certificate profile, you will first be asked to enter the name of your profile.

Upload your CA from a file in PEM format by clicking Add Certificate. This will open a page where you can choose to either browse your device for the file, or manually paste PEM-formatted CA content.

Your CA must contain a single root certificate and can have multiple intermediate certificates. It should not contain client certificates.

Once the CA is uploaded, you will see a tree containing the root certificate and any intermediate certificates included in the CA. When you upload a CA, the last certificate in the CA will be selected by default.

Select the checkbox next to each intermediate or root certificate you want to use. Client certificates will be accepted if they are signed by any selected certificate. If you select more than one certificate in a branch, the client certificate will be accepted if it is signed by any of the selected certificates.

If you do not select any certificates, then all the certificates are valid.

Click Save to save the current certificate profile.

Your CA for TLS client certificate verification should be different from the CA used to sign the SSL certificate configured for any custom domain of the app. Using the same CA for both can result in browsers requesting client certificates on all paths of your application.

Specifying IP Ranges

You can specify a number of different IP ranges. Click Create New Profile to add a new IP range, or use Edit or Delete to modify an existing IP range.

For each IP range, you can do the following:

Enter a Profile Name
Specify a range of addresses. Mendix Cloud supports both IPv4 and IPv6 format addresses.

Applying a Restriction to an Application Environment

To apply a restriction to a specific application environment, follow these steps:

From Apps, go to the app’s Environments page.
Click Details ( ) on the desired environment.
Go to the Network tab.
The Path Based Access Restrictions section allows for applying access restrictions to a single environment.

The top-level path (/) restricts access to the entire application
The settings for specific paths override the implicitly inherited profile for the top level
Besides being able to apply a customized access restriction profile, there are also presets available for simply allowing or denying all access

Default Settings

These are the default settings:

When deploying a deployment package to an environment using the Deploy or Transport functionality, paths representing known functionality in the Mendix version that is used are automatically added to the list of paths
All paths ending in -doc have a preset Deny all access profile set by default
All the remaining paths have no restriction applied by default

Use Cases for Access Restrictions

Two scenarios in which you can use access restrictions are described below.

Example Scenario 1 – Restricting Access Based on an IP Range

Consider this example scenario in which a basic IP range restriction could be used: You have an app running in Mendix Cloud that is only to be accessed from a single office. The interactive web browser interface of the app should only be accessible to employees in the office of the company running the app. From the rest of the internet, the login screen of the application should not even be visible.

To restrict access to the app to an IP range, follow these steps:

From Apps, go to the app’s Environments page.
Click Cloud Settings ( ) from any of the available tabs to open the Manage Cloud Settings page.
Switch to the Access Restriction Profiles tab.
Create an access restriction profile.
Add one or more IP ranges to the access restriction profile.
Save the access restriction profile.
Go to the Deploy tab of the Environments page. Click Details ( ) on the desired environment.
Switch to the Network tab.
Select the top-level path (/) and click Edit.

Any path below this path that does not have an explicit restriction will inherit this access restriction profile.
Select Custom Profile for Client Certificates and/or IP ranges as the New Restriction Type.
Select your access restriction profile as the New Restriction Profile, and save it.

Example Scenario 2 – Back-End Administration with Third-Party Web Service Integrations

This second scenario is an extended version of the first scenario.

The app that was protected with the IP range restriction now starts to provide web service integrations that will be called by third parties. Because an IP range restriction is in place, the web service endpoints are not reachable by external parties.

By adding an additional access restriction profile and applying it to only the /ws/ path, you can specifically grant access to the web service endpoints.

Additionally, the company has decided to use TLS client certificates so they do not have to manage lists of IP ranges for each external third party.

To add this additional access restriction profile, follow these steps:

From Apps, go to the app’s Environments page.
Click Cloud Settings ( ) from any of the available tabs to open the Manage Cloud Settings page.
Switch to the Access Restriction Profiles tab.
Create a new access restriction profile.
Upload the certificate of the internal CA that is used to sign the client certificates.
Save the new access restriction profile.
Go to the Deploy tab of the Environments page. Click Details ( ) on the desired environment.
Switch to the Network tab.
Edit the /ws/ path of the environment to apply the new access restriction profile. This overrides the default profile (for the top level /) for the selected path (/ws/).

If the /ws/ path should still be reachable from the office location without using a client certificate, add the IP ranges of the office location to the profile used for /ws/.