Allow traffic from IP addresses in allowlist only

This example skips WAF rules for requests from IP addresses in an allowlist (defined using an IP list).

1. Create an IP list with the IP addresses for which you want to allow access.
   For example, create an IP list named allowed_ips with one or more IP addresses. For more information on the accepted IP address formats, refer to IP lists.

2. Create a custom rule skipping all rules for any request from the IPs in the list you created (allowed_ips in the current example).

   • Expression: (ip.src in $allowed_ips)
   • Action: Skip:
     • All remaining custom rules
     • Skip phases:
       • All rate limiting rules
       • All Super Bot Fight Mode rules
       • All managed rules

Make sure the new rule appears before any other custom rules in the rules list.

Other resources

• Use case: Require known IP addresses in site admin area
• Available skip options