IP Filtering (CIDR)
Overview
Horizon provides IP-based access control through rules that specify which source IP addresses are allowed or blocked from accessing a circuit. These rules are defined using CIDR (Classless Inter-Domain Routing) notation, which provides a compact way to specify ranges of IP addresses. IP rules are evaluated at the Horizon proxy layer, meaning blocked requests never reach the backend service - they are stopped at the proxy and logged as blocked. IP filtering operates as an independent security layer alongside (not instead of) access policies, country blocking, and bot detection. A request must pass all configured layers to be forwarded to the backend.
CIDR Notation
CIDR (Classless Inter-Domain Routing) notation is a standard way of expressing a range of IP addresses in a compact format. A CIDR block consists of an IP address followed by a forward slash and a prefix length, for example 192.168.1.0/24. The prefix length indicates how many bits of the IP address are fixed (the network portion), and the remaining bits can vary (the host portion). The shorter the prefix length, the larger the range of addresses covered. For example, 192.168.1.0/24 means "all addresses where the first 24 bits match 192.168.1," which covers all 256 addresses from 192.168.1.0 to 192.168.1.255. A /16 prefix like 10.0.0.0/16 covers 65,536 addresses (the entire 10.0.x.x range), a /8 prefix like 10.0.0.0/8 covers approximately 16.7 million addresses (the entire 10.x.x.x range), and a /32 prefix like 203.0.113.45/32 specifies exactly one IP address. When entering IP rules in Horizon, either the full CIDR notation (e.g., 192.168.1.0/24) or a plain IP address without a prefix length (e.g., 192.168.1.45) can be used; the latter is treated as a /32 (single address).
IP Blacklisting
IP blacklisting blocks requests from specific IP addresses or ranges. When a blacklist rule is active, any request whose source IP falls within the specified CIDR range is blocked at the proxy and never reaches the backend service. This is useful for blocking known malicious IP addresses that have been identified in request logs, blocking entire network ranges belonging to organizations or ISPs that should not have access, and responding to ongoing attacks or abuse by immediately cutting off the offending source. To add a blacklist rule, navigate to the circuit's settings panel, open the IP Blacklisting section, enter the IP address or CIDR range in the input field, and click Add. The rule is displayed as a tag with a remove button, and takes effect immediately. Multiple blacklist rules can be added, and they are all evaluated independently - a request is blocked if it matches any single blacklist rule.
IP Whitelisting
IP whitelisting is the inverse of blacklisting and provides a much more restrictive access model. When any whitelist rule exists on a circuit, the behavior changes fundamentally: only requests whose source IP matches at least one whitelist rule are allowed through. All other IPs are blocked, regardless of whether they match a blacklist rule or not. This effectively creates an "allow only these IPs" model, which is the strongest form of network-level access control. Whitelisting is ideal for scenarios where the exact set of IP addresses or ranges that should have access is known - for example, restricting access to a corporate office network, a known VPN exit IP range, or a specific set of partner or vendor IP addresses. The management interface for whitelisting is identical to blacklisting: enter the CIDR range, click Add, and the rule appears as a removable tag. If all whitelist rules are subsequently removed, the circuit reverts to the default behavior of allowing all IPs (subject to blacklist rules and other security layers).
INFO
For details on how blacklist and whitelist rules interact and the order in which they are evaluated, see Rule Evaluation.
Validation
The input field for IP rules validates entries against the IPv4 format. Valid entries are in the form X.X.X.X (a single IP address, treated as /32) or X.X.X.X/Y (a CIDR range, where X is 0–255 and Y is 0–32). Invalid entries - such as non-numeric characters, octets greater than 255, prefix lengths greater than 32, or malformed formats - are rejected with an inline error message, and the rule is not added.
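The following Python is an added illustration, not Horizon's own code: it validates entries against the IPv4 form described above (plain address treated as /32, octets 0-255, prefix 0-32) and then applies the documented precedence, where the presence of any whitelist rule switches the circuit to allow-only and otherwise any matching blacklist rule blocks. It assumes a whitelist match is sufficient on its own; how overlapping blacklist and whitelist rules interact is covered by Rule Evaluation, not here.

```python
import re
from typing import List, Tuple

# Accepts "X.X.X.X" or "X.X.X.X/Y"; octet and prefix ranges are checked below.
_RULE_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$")


def parse_rule(text: str) -> Tuple[int, int]:
    """Validate one IP rule and return (network_as_int, prefix_length).

    A plain address is treated as /32, as documented. Raises ValueError for
    anything outside the documented IPv4 form (the UI shows an inline error).
    """
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    octets = [int(o) for o in m.group(1, 2, 3, 4)]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    prefix = 32 if m.group(5) is None else int(m.group(5))
    if prefix > 32:
        raise ValueError(f"prefix length out of range in {text!r}")
    addr = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return addr & mask, prefix  # clear host bits so 10.1.2.3/8 stores 10.0.0.0


def is_valid_rule(text: str) -> bool:
    """What the input field decides: True if the entry would be added."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def matches(ip: str, rule: Tuple[int, int]) -> bool:
    """True if the source IP falls inside the rule's CIDR block."""
    network, prefix = rule
    addr, _ = parse_rule(ip)  # a bare address parses as /32
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (addr & mask) == network


def evaluate(ip: str, whitelist: List[str], blacklist: List[str]) -> str:
    """Documented precedence: any whitelist rule makes the circuit allow-only;
    with no whitelist, a hit on any blacklist rule blocks (assumption: a
    whitelist match alone is enough to allow; see Rule Evaluation)."""
    if whitelist:
        allowed = any(matches(ip, parse_rule(r)) for r in whitelist)
        return "allowed" if allowed else "blocked"
    if any(matches(ip, parse_rule(r)) for r in blacklist):
        return "blocked"
    return "allowed"
```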
TIP
IP whitelisting is the most restrictive and therefore most secure network-level control. If the exact IPs that will access a circuit are known (e.g., an office network at 203.0.113.0/24), a whitelist provides strong security even when combined with a Public access policy, because only traffic from those specific IPs is allowed through, regardless of who sends it.
