Restrict Access for Incoming Requests

Last modified: November 7, 2025

Introduction

Your app is accessible over the internet, but you may not want unrestricted access. Use access restrictions to apply fine-grained control over access to your application.

You can apply access restrictions at different URL levels, such as:

Top level of the application URL (/)
Specific paths (such as /ws/ or /odata/). This allows you to, for example, open up web services without giving general users access to the app itself.

Presets are available to simplify common requirements, such as allowing or denying all access. In addition, custom profiles can be created using IP range filters and client certificate authorities (CAs).

Access Restriction Profiles

You can specify multiple access restriction profiles for your application, each with a descriptive name that reflects its purpose.

To view or manage access restriction profiles, follow these steps:

From Apps, go to your app's Environments page.
Click Cloud Settings ( ) from any of the available tabs to open the Manage Cloud Settings page.
Switch to the Access Restriction Profiles tab.

When configuring an access restriction profile, keep the following considerations in mind:

Access restriction profiles are configured at the application level. They can be reused in all the environments (for example test, acceptance, production) of an app.
Access restriction profiles can contain any number of IPv4 address ranges, client CAs, or both.
If an access restriction profile contains both IP address ranges and client CAs, then any match on either the IP range or the client certificate will grant or deny access.

Configuring Access Restriction Profiles

To configure access restriction profiles, from the Access Restriction Profiles page, you can either:

Create a new profile by clicking New Profile
Modify an existing profile by selecting the profile:
- Click the More Options ( ) icon
- Click the Edit option to modify the profile
- Click Delete to delete an existing certificate profile
- Click Clone to copy and duplicate an existing certificate profile

When you create or edit a profile, you can add IP ranges and certificate profiles as described below.

Changing the Profile Name

To rename an access restriction profile. follow these steps:

Locate the profile of interest from the Access Restriction Profiles page.
Click the More Options ( ) icon.
Click Edit.
In the edit page enter the new Profile Name.
Click Save to apply your changes.

Specifying TLS Client Certificate Verification

Click Create New Profile to create a new TLS certificate profile, or select an existing profile and click Edit. If you are creating a new certificate profile, you will first be asked to enter the name of your profile.

Upload your CA from a file in PEM format by clicking Add Certificate. This will open a page where you can choose to either browse your device for the file, or manually paste PEM-formatted CA content.

Your CA must contain a single root certificate and can have multiple intermediate certificates. It should not contain client certificates.

Once the CA is uploaded, you will see a tree containing the root certificate and any intermediate certificates included in the CA. When you upload a CA, the last certificate in the CA will be selected by default.

Select the checkbox next to each intermediate or root certificate you want to use. Client certificates will be accepted if they are signed by any selected certificate. If you select more than one certificate in a branch, the client certificate will be accepted if it is signed by any of the selected certificates.

If you do not select any certificates, then all the certificates are valid.

Click Save to save the current certificate profile.

Your CA for TLS client certificate verification should be different from the CA used to sign the SSL certificate configured for any custom domain of the app. Using the same CA for both can result in browsers requesting client certificates on all paths of your application.

Configuring Allowed IP Ranges

You can define IP profiles to specify which IP addresses or ranges are explicitly allowed to access your application.

To manage these profiles:

In the IP Filtering Profiles section, click Create New Profile to add a new IP range
To modify an existing profile, select it and click Edit( )
To delete a profile, select it and click Delete( )

For each profile, specify the following details:

Profile Name: Enter a descriptive name for the IP range
IPv4/IPv6 range: Enter the specific IP address range. Mendix Cloud supports both IPv4 and IPv6 formats

Requests originating from an IP address within these allowed profiles will be granted access to your application.

Applying Access Restriction to an Application Environment

To apply access restrictions to a specific application environment, follow these steps:

From Apps, go to the app's Environments page.
Click Details ( ) on the desired environment.
Go to the Network tab.
Navigate to the Path Based Access Restrictions section to apply access restrictions to a single environment.

The top-level path (/) restricts access to the entire application
The settings for specific paths override the implicitly inherited profile for the top level
Besides being able to apply a customized access restriction profile, there are also presets available for simply allowing or denying all access

Default Settings

These are the default settings:

When deploying a deployment package to an environment using the Deploy or Transport functionality, paths representing known functionality in the Mendix version that is used are automatically added to the list of paths
All paths ending in -doc have a preset Deny all access profile set by default
All the remaining paths have no restriction applied by default

IP Restriction Profiles

IP restriction profiles allow you to deny access to your application from specific IP addresses or IP ranges. You can configure multiple profiles, each with a descriptive name that clearly reflects its purpose.

To view or manage IP restriction profiles, follow these steps:

From Apps, go to your app's Environments page.
Click Cloud Settings ( ) from any of the available tabs to open the Manage Cloud Settings page.
Switch to the IP Restriction Profiles tab.

When configuring an IP restriction profile, keep the following considerations in mind:

IP restriction profiles are configured at the application level. They can be reused in all the environments (for example test, acceptance, production) of an app.
IP restriction profiles can contain any number of IPv4 or IPv6 address ranges

Configuring IP Restriction Profiles

To configure IP restriction profiles, from the IP Restriction Profiles page, you can either:

Create a new profile by clicking New Profile
Modify an existing profile by selecting the profile:
- Click the More Options ( ) icon
- Click the Edit option to modify the profile
- Click Delete to delete an existing certificate profile
- Click Clone to copy and duplicate an existing certificate profile

When you create or edit a profile, you can add IP ranges as described below.

Configuring Denied IP Ranges

You can define IP profiles to specify which IP addresses or ranges are explicitly denied access to your application.

To manage these profiles:

Click Create New Profile to add a new IP range
To modify an existing profile, select it and click Edit( )
To delete a profile, select it and click Delete( )

For each profile, specify the following details:

Profile Name: Enter a descriptive name for the IP range
IPv4/IPv6 range: Enter the specific IP address range. Mendix Cloud supports both IPv4 and IPv6 formats

Requests originating from an IP address within these denied profiles will be blocked from accessing your application.

Applying IP Restriction to an Application Environment

To apply IP restrictions to a specific application environment, follow these steps:

From Apps, go to the app's Environments page.
Click Details ( ) on the desired environment.
Go to the Network tab.
Navigate to the IP Access Restrictions section to apply access restrictions to a single environment.

Following the migration from Cloud Foundry to Kubernetes, access rule violations are now logged in the Access Log instead of the App Log. For more details on logs, refer to the Apps Deployed to Mendix Cloud section of Logs.

Use Cases

Two scenarios in which you can use access restrictions are described below.

Example Scenario 1 – Restricting Access Based on an IP Range

Consider this example scenario in which a basic IP range restriction could be used: You have an app running in Mendix Cloud that is only to be accessed from a single office. The interactive web browser interface of the app should only be accessible to employees in the office of the company running the app. From the rest of the internet, the login screen of the application should not even be visible.

To restrict access to the app to an IP range, follow these steps:

From Apps, go to the app's Environments page.
Click Cloud Settings ( ) from any of the available tabs to open the Manage Cloud Settings page.
Switch to the Access Restriction Profiles tab.
Create an access restriction profile.
Add one or more IP ranges to the Denied IP Profiles.
Save the access restriction profile.
Go to the Deploy tab of the Environments page. Click Details ( ) on the desired environment.
Switch to the Network tab.
Select the top-level path (/) and click Edit.

Any path below this path that does not have an explicit restriction will inherit this access restriction profile.
Select Custom Profile for Client Certificates and/or IP ranges as the New Restriction Type.
Select your access restriction profile as the New Restriction Profile, and save it.

Example Scenario 2 – Back-End Administration with Third-Party Web Service Integrations

This second scenario is an extended version of the first scenario.

The app that was protected with the IP range restriction now starts to provide web service integrations that will be called by third parties. Because an IP range restriction is in place, the web service endpoints are not reachable by external parties.

By adding an additional access restriction profile and applying it to only the /ws/ path, you can specifically grant access to the web service endpoints.

Additionally, the company has decided to use TLS client certificates so they do not have to manage lists of IP ranges for each external third party.

To add this additional access restriction profile, follow these steps:

From Apps, go to the app's Environments page.
Click Cloud Settings ( ) from any of the available tabs to open the Manage Cloud Settings page.
Switch to the Access Restriction Profiles tab.
Create a new access restriction profile.
Upload the certificate of the internal CA that is used to sign the client certificates.
Save the new access restriction profile.
Go to the Deploy tab of the Environments page. Click Details ( ) on the desired environment.
Switch to the Network tab.
Edit the /ws/ path of the environment to apply the new access restriction profile. This overrides the default profile (for the top level /) for the selected path (/ws/).

If the /ws/ path should still be reachable from the office location without using a client certificate, add the IP ranges of the office location to the profile used for /ws/.