HTTP triggers and custom domain names in Function Compute do not natively support IP-based access control. To restrict or allow traffic by IP address, use one of the following approaches.
Choose an approach
| Approach | When to use |
|---|---|
| Web Application Firewall (WAF) | You need broad web security protection beyond IP filtering, or you are already using WAF for other rules. |
| API Gateway IP access control plug-in | Your function is exposed through API Gateway and you need per-API IP filtering without additional infrastructure. |
| In-code filtering | You need lightweight, custom logic without enabling additional services, or you want to combine IP filtering with other request attributes. |
Use WAF
To set up WAF for your function, see Enable WAF protection. To configure IP-based rules after WAF is enabled, see Protection rules.
Use API Gateway
If your function is accessed through API Gateway, use the IP address-based access control plug-in to define a blocklist or allowlist per API.
For configuration steps, see IP address-based access control plug-in.
Filter by IP address in code
To implement filtering without WAF or API Gateway, retrieve request headers in your function code, obtain the client IP address from the request headers, and apply custom logic to implement IP blacklisting and whitelisting.