---
title: Using the IP block list
summary: null
url: >-
  https://www.fastly.com/documentation/guides/security/access-control-lists/using-the-ip-block-list
---


> **IMPORTANT:** This guide only applies to [CDN services](/guides/getting-started/services/working-with-cdn-services).

You can prevent specific IP addresses from accessing your service by adding them to a block list. Enabling this feature creates a condition and response that returns a 403 error to anyone trying to access the service from a blocked IP address. You can use this feature to prevent bad actors from interfering with the operation of your web application.

## Enabling the IP block list

To enable the IP block list, follow the steps below:

<!-- TabbedPanels component: 
<Panel id="fastly-control-panel">

1. <Partial name='step-login' inline />
1. <Partial name='step-select-service' inline />
1. <Partial name='step-click-edit' inline />
1. <Partial name='step-click-settings-tab' inline />
1. Click the **IP block list** switch to **On**.

   ![IP block list quick configuration](/img/ip-block-list-quick-config.png)

1. <Partial name='step-activate-deploy' inline />

</Panel>
<Panel id="api" label="API">

1. Open a terminal application and enter the following command to [create an ACL](/reference/api/acls/acl/#create-acl):

   ```term copy
   $ curl -i  -X POST "https://api.fastly.com/service/[service_id]/version/[service_version]/acl" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d "name=Generated_by_IP_block_list"
   ```

1. Enter the following command to [create a condition](/reference/api/vcl-services/condition/#create-condition):

   ```term copy
   $ curl -i  -X POST "https://api.fastly.com/service/[service_id]/version/[service_version]/condition" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d "name=Generated by IP block list&statement=client.ip ~ Generated_by_IP_block_list&type=REQUEST"
   ```

1. Enter the following command to [create a response object](/reference/api/vcl-services/response-object/#create-response-object):

   ```term copy
   $ curl -i  -X POST "https://api.fastly.com/service/[service_id]/version/[service_version]/response_object" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d "name=Generated by IP block list&request_condition=Generated by IP block list&content_type=text/html&response=Forbidden&status=403"
   ```

</Panel>
 -->

## Blocking an IP address

To block an IP address, follow the steps below:

<!-- TabbedPanels component: 
<Panel id="fastly-control-panel">

1. Click **Add address**.
1. In the **Address** field, enter an IP address or subnet mask (a range of IP addresses) to block for this service. To add an exception for an IP address, use an exclamation point (for example, use `!192.0.2.0` or `!192.0.2.0/24`).
1. *(Optional)* In the **Comment** field, enter a comment that describes the IP address or subnet mask.
1. Click **Add**. The IP address or subnet mask appears in the list. This addition will become effective immediately.

   ![an IP block list, complete with an IP address and a subnet mask, as it appears in the Fastly control panel](/img/ip-block-list-added-addresses.png)

</Panel>
<Panel id="api" label="API">

1. Find the ID of the IP block list ACL. Open a terminal application and enter the following command to [list the ACLs](/reference/api/acls/acl/#list-acls) on your service:

   ```term copy
   $ curl -i  "https://api.fastly.com/service/[service_id]/version/[service_version]/acl" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Accept: application/json"
   ```

   Find the ID of the IP block list ACL in the output:

   ```json nocopy nolinenum
   [{"updated_at":"2023-11-01T20:46:51Z","version":"3","deleted_at":null,"created_at":"2023-11-01T20:46:51Z","id":"[acl_id]","service_id":"[service_id]","name":"Generated_by_IP_block_list"}]
   ```

1. Using the ACL ID, enter the following command to block an IP address by [creating a new ACL entry](/reference/api/acls/acl-entry/#create-acl-entry):

   ```term copy
   $ curl -i  -X POST "https://api.fastly.com/service/[service_id]/acl/[acl_id]/entry" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Content-Type: application/json" -H "Accept: application/json" -d "{\"ip\":\"192.168.1.1\"}"
   ```

</Panel>
 -->
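
The API entry body carries the address, prefix length, and exception flag as separate `ip`, `subnet`, and `negated` fields (the same fields shown in the entry listings on this page), while the control panel takes them as one string such as `!192.0.2.0/24`. The following Python example is added here and is not Fastly's code: it picks the ACL ID out of a list-ACLs response and converts control-panel notation into a create-entry request body. The function names, the constructed sample response, and the minimum-prefix guard are assumptions made for illustration.

```python
import ipaddress
import json

BLOCK_LIST_ACL_NAME = "Generated_by_IP_block_list"  # ACL name used in this guide

# Constructed sample of a list-ACLs response body (IDs are placeholders).
SAMPLE_LIST_ACLS = (
    '[{"id":"EXAMPLE_ACL_ID","service_id":"EXAMPLE_SERVICE_ID",'
    '"version":"3","name":"Generated_by_IP_block_list"}]'
)


def find_acl_id(list_acls_body, name=BLOCK_LIST_ACL_NAME):
    """Return the ID of the ACL called `name` from a list-ACLs response body."""
    ids = [acl["id"] for acl in json.loads(list_acls_body) if acl.get("name") == name]
    if len(ids) != 1:
        raise LookupError(f"expected one ACL named {name!r}, found {len(ids)}")
    return ids[0]


def entry_payload(address, comment="", min_prefix_v4=8, min_prefix_v6=16):
    """Turn '192.0.2.7', '192.0.2.0/24' or '!192.0.2.0/24' into an entry body."""
    text = address.strip()
    negated = text.startswith("!")  # '!' marks an exception, as in the control panel
    if negated:
        text = text[1:]
    # strict=True rejects a CIDR with host bits set (192.0.2.7/24), a common typo.
    net = ipaddress.ip_network(text, strict=True)
    # Assumed local policy: refuse block ranges wide enough to lock out most clients.
    floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
    if not negated and net.prefixlen < floor:
        raise ValueError(f"{net} is broader than /{floor}; refusing to block it")
    payload = {"ip": str(net.network_address), "negated": int(negated), "comment": comment}
    if "/" in text:
        payload["subnet"] = net.prefixlen  # prefix length in bits
    return payload


if __name__ == "__main__":
    print("ACL:", find_acl_id(SAMPLE_LIST_ACLS))
    for addr in ("192.0.2.7", "198.51.100.0/24", "!198.51.100.10"):
        print(addr, "->", json.dumps(entry_payload(addr)))
```

Pass `json.dumps(entry_payload(...))` as the `-d` body of the create-entry command above; rejecting malformed or overly broad ranges before the call matters because additions take effect immediately.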

## Editing a blocked IP address

You can edit a blocked IP address or subnet mask at any time. To edit an IP address or a subnet mask, follow the steps below:

<!-- TabbedPanels component: 
<Panel id="fastly-control-panel">

1. Find the IP block list associated with your service in which the associated IP addresses or subnet masks appear. Because these entries are versionless, the service version you choose doesn't matter. Choose the one that makes the most sense to you.
1. In the IP block list area, hover your cursor over an entry, then click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> that appears.
1. Edit the IP address, subnet mask, or comment as necessary.
1. Click **Save**. The changes you make will be immediately applied to your configuration. If your IP block list has already been associated with a deployed service version, those changes will happen live.

</Panel>
<Panel id="api" label="API">

1. Find the ID of the IP block list ACL. Open a terminal application and enter the following command to [list the ACLs](/reference/api/acls/acl/#list-acls) on your service:

   ```term copy
   $ curl -i  "https://api.fastly.com/service/[service_id]/version/[service_version]/acl" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Accept: application/json"
   ```

   Find the ID of the IP block list ACL in the output:

   ```json nocopy nolinenum
   [{"updated_at":"2023-11-01T20:46:51Z","version":"3","deleted_at":null,"created_at":"2023-11-01T20:46:51Z","id":"[acl_id]","service_id":"[service_id]","name":"Generated_by_IP_block_list"}]
   ```

1. Using the ACL ID, enter the following command to [list the ACL entries](/reference/api/acls/acl/#list-acls) on your service:

   ```term copy
   $ curl -i  "https://api.fastly.com/service/[service_id]/acl/[acl_id]/entries?direction=ascend&page=1&per_page=20&sort=created" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Accept: application/json"
   ```

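   Find the ACL entry ID of the IP address you want to update in the output. The command above requests the first page of 20 entries; if the address isn't listed, request the next `page`.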

   ```json nocopy nolinenum
   [{"acl_id":"[acl_id]","negated":"0","service_id":"[service_id]","ip":"192.168.1.1","created_at":"2023-11-01T22:22:19Z","comment":"","id":"[acl_entry_id]","subnet":null,"updated_at":"2023-11-01T22:22:19Z"}]
   ```

1. Using the ACL entry ID of the IP address you want to [update](/reference/api/acls/acl-entry/#update-acl-entry), enter the following command to update the IP address:

   ```term copy
   $ curl -i  -X PATCH "https://api.fastly.com/service/[service_id]/acl/[acl_id]/entry/[acl_entry_id]" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Content-Type: application/json" -H "Accept: application/json" -d "{\"ip\":\"192.168.1.2\"}"
   ```

</Panel>
 -->

## Deleting an IP block list entry

You can delete individual entries in the IP block list at any time. To delete an IP address or subnet mask that was created via the Fastly control panel:

<!-- TabbedPanels component: 
<Panel id="fastly-control-panel">

1. Find the IP block list associated with your service in which the associated IP addresses or subnet masks appear. Because these entries are versionless, the service version you choose doesn't matter.
1. In the IP block list area, hover your cursor over an entry, then click the trash <span class="inline-icons"><img src="/img/icons/trash.png" alt="Trash icon" /></span> that appears.
1. Click **Confirm and delete**.

</Panel>
<Panel id="api" label="API">

1. Find the ID of the IP block list ACL. Open a terminal application and enter the following command to [list the ACLs](/reference/api/acls/acl/#list-acls) on your service:

   ```term copy
   $ curl -i  "https://api.fastly.com/service/[service_id]/version/[service_version]/acl" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Accept: application/json"
   ```

   Find the ID of the IP block list ACL in the output:

   ```json nocopy nolinenum
   [{"updated_at":"2023-11-01T20:46:51Z","version":"3","deleted_at":null,"created_at":"2023-11-01T20:46:51Z","id":"[acl_id]","service_id":"[service_id]","name":"Generated_by_IP_block_list"}]
   ```

1. Using the ACL ID, enter the following command to [list the ACL entries](/reference/api/acls/acl/#list-acls) on your service:

   ```term copy
   $ curl -i  "https://api.fastly.com/service/[service_id]/acl/[acl_id]/entries?direction=ascend&page=1&per_page=20&sort=created" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Accept: application/json"
   ```

   Find the ACL entry ID of the IP address you want to delete in the output.

   ```json nocopy nolinenum
   [{"acl_id":"[acl_id]","negated":"0","service_id":"[service_id]","ip":"192.168.1.1","created_at":"2023-11-01T22:22:19Z","comment":"","id":"[acl_entry_id]","subnet":null,"updated_at":"2023-11-01T22:22:19Z"}]
   ```

1. Using the ACL entry ID of the IP address you want to [delete](/reference/api/acls/acl-entry/#delete-acl-entry), enter the following command to delete the entry:

   ```term copy
   $ curl -i  -X DELETE "https://api.fastly.com/service/[service_id]/acl/[acl_id]/entry/[acl_entry_id]"  -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Accept: application/json"
   ```

</Panel>
 -->

## Disabling the IP block list

The IP block list and its associated entries can be disabled in any unlocked service version. To disable the IP block list, follow the steps below:

<!-- TabbedPanels component: 
<Panel id="fastly-control-panel">

1. Find the IP block list associated with an unlocked version of your service.
1. Click the **IP block list** switch to **Off**.
1. Click **Yes**. This disables the block list and deletes all associated entries.
1. <Partial name='step-activate-deploy' inline />

</Panel>
 -->

## Creating other ACL types

If you need other types of ACLs, you'll need to [create them](/guides/security/access-control-lists/working-with-acls) in the Data page of the Fastly control panel.


## Related content

* [Working with ACLs](/guides/security/access-control-lists/working-with-acls)
* [API documentation for ACLs](/reference/api/acls/)
