> ## Documentation Index
> Fetch the complete documentation index at: https://docs.langdock.com/llms.txt
> Use this file to discover all available pages before exploring further.

# IP Restrictions

> Restrict workspace access by IP address using CIDR allowlists to enhance your organization's security posture.

## Overview

IP restrictions allow workspace administrators to control which IP addresses can access Langdock. By configuring a CIDR allowlist, you can ensure that only users connecting from approved network locations (such as your corporate network or VPN) can access your workspace.

When IP restrictions are enabled, users attempting to access Langdock from an IP address not on the allowlist will be blocked from logging in or using the platform.

## Prerequisites

Before configuring IP restrictions, ensure you have:

<Warning>
  * Admin access to your Langdock workspace
  * Knowledge of your organization's IP addresses or CIDR ranges
  * A plan for maintaining access (e.g., VPN access or backup admin account)
</Warning>

## Understanding CIDR Notation

CIDR (Classless Inter-Domain Routing) notation is used to specify IP address ranges. The format is `IP_ADDRESS/PREFIX_LENGTH`.

**Examples:**

* `192.168.1.0/24` - Allows all IPs from 192.168.1.0 to 192.168.1.255 (256 addresses)
* `10.0.0.0/8` - Allows all IPs from 10.0.0.0 to 10.255.255.255 (large corporate network)
* `203.0.113.50/32` - Allows only the single IP 203.0.113.50

For IPv6 addresses:

* `2001:db8::/32` - Allows a range of IPv6 addresses
* `2001:db8::1/128` - Allows only a single IPv6 address

<Tip>
  The prefix length for IPv4 ranges from 0-32, and for IPv6 from 0-128. A smaller prefix number means more IP addresses are included in the range.
</Tip>

## Adding IP Ranges

To add IP ranges to your allowlist:

1. Navigate to [Security Settings](https://app.langdock.com/settings/workspace/security) in your workspace
2. Scroll to the **IP Restrictions** section
3. Click **Add IP Range**
4. In the dialog that appears, enter a valid CIDR range (e.g., `192.168.1.0/24`)
5. Click **Add** to save the range

<Info>
  Your current IP address is displayed in the dialog. You can click **Add my IP** to quickly add your current IP address to the allowlist. This is useful for ensuring you don't lock yourself out.
</Info>

### Adding Your Current IP

When adding IP ranges, the dialog shows your current IP address. You can click the **Add my IP** button to automatically add your current IP as a single-host CIDR entry (e.g., `203.0.113.50/32` for IPv4 or with `/128` for IPv6).

## Managing Restrictions

### Enabling IP Restrictions

IP restrictions can only be enabled after you have added at least one IP range to the allowlist.

1. Add at least one IP range to your allowlist
2. Toggle the **IP Restrictions** switch to enable
3. Confirm the action in the dialog that appears

<Warning>
  When enabling IP restrictions, a confirmation dialog warns you that users outside the allowed IP ranges will be immediately blocked. Make sure your current IP is on the allowlist before enabling.
</Warning>

### Disabling IP Restrictions

To disable IP restrictions and allow access from any IP:

1. Toggle the **IP Restrictions** switch to disable
2. Confirm the action in the dialog

Disabling IP restrictions will immediately allow users to access the workspace from any IP address.

### Removing IP Ranges

To remove an IP range from your allowlist:

1. Find the IP range in the list
2. Click the delete button next to the range
3. Confirm the deletion

<Note>
  If you remove the last IP range while restrictions are enabled, IP restrictions will be automatically disabled.
</Note>

## Testing Your Configuration

Before enabling IP restrictions for all users, verify your setup:

1. **Check your current IP**: In the Add IP Range dialog, verify your current IP address is displayed correctly
2. **Add your IP first**: Always add your own IP range before enabling restrictions
3. **Test in another browser**: After enabling, try accessing Langdock from a different network (e.g., mobile data) to confirm blocking works
4. **Verify VPN access**: If your organization uses VPN, confirm the VPN exit IP is on the allowlist

<Tip>
  Keep a backup admin account with access from a known IP range, or ensure you have VPN access that falls within an allowed range.
</Tip>

## Best Practices

### Network Planning

* **Include all office locations**: Add CIDR ranges for all physical office networks
* **VPN considerations**: Add your corporate VPN exit IP addresses
* **Remote work**: Consider whether remote employees need VPN access or if you need broader IP ranges
* **Cloud services**: If employees access Langdock from cloud-based virtual desktops, include those IP ranges

### Security Recommendations

* Use the most restrictive ranges possible while still accommodating legitimate users
* Regularly audit your IP allowlist to remove outdated ranges
* Combine IP restrictions with other security measures like SAML SSO
* Document your IP ranges and their purposes for future reference

### Maintaining Access

* Always ensure at least one admin has access from an allowed IP
* Consider maintaining a VPN fallback for emergency access
* Test changes in a controlled manner before applying broadly

## Troubleshooting

### Locked Out of Your Workspace

If you're blocked from accessing Langdock due to IP restrictions:

1. **Use VPN**: Connect to your corporate VPN and try again
2. **Change networks**: Access from an approved network location (e.g., your office)
3. **Contact another admin**: Ask a workspace admin with access to add your IP or disable restrictions temporarily
4. **Contact support**: Reach out to [support@langdock.com](mailto:support@langdock.com) for assistance

### Common Issues

**"IP range already exists"**
The CIDR range you're trying to add is already in the allowlist. Check your existing ranges.

**"Invalid CIDR format"**
Ensure your entry follows the format `IP_ADDRESS/PREFIX_LENGTH`. For example:

* Correct: `192.168.1.0/24`
* Incorrect: `192.168.1.0` (missing prefix)
* Incorrect: `192.168.1.0/33` (invalid prefix for IPv4)

**Users still blocked after adding their IP**

* Verify the correct IP was added (users behind NAT may have a different public IP)
* Ensure IP restrictions are enabled
* Check that the CIDR range actually covers the user's IP address

## Need Help?

If you encounter any issues with IP restrictions, reach out to [support@langdock.com](mailto:support@langdock.com) for assistance.