To prevent unauthorized access from unapproved regions or devices, enable an IP allowlist to block user access based on source IP.
Note
This security control should be considered an additional layer in your defense-in-depth strategy. It should not be considered a primary defense.
To enable this feature, you must contact your Alteryx representative.
Enabling the feature may take one or two business days. Once enabled, new settings will be made available to your account.
Consult your network administrator to obtain the list of source IPs that your users will use when accessing Alteryx.
For workspaces that have not been configured for a private or dedicated data plane:
Navigate to Allowlist the IP Address Range of the Alteryx Service.
Copy and note the Data Plane IP Addresses for your region. You will use these later.
Warning
Do not include your region’s Control Plane IP Addresses. This could result in unintended access to your account.
For workspaces configured to use a Dedicated Data Plane (PDP) managed by Alteryx:
Navigate to your workspace’s Admin Console > Private Data Handling > Processing page.
Copy and note the list of Gateway IP Addresses. You will use these later.
For workspaces configured to use Private Data Plane (DDP) managed by your organization:
Consult your network administrator to obtain the NAT (Network Address Translation) IPs for the Azure/GCP/AWS account supporting your Alteryx workspace. You will use these later.
Note
If two or more data planes support the workspaces under your account, you should capture the IPs used by each data plane.
Navigate to your account’s Admin Console > Settings page.
Edit the Restrict Access by IP Range setting.
Within the Whitelisted IPs field, enter a comma separated list of your organization’s source IPs and data plane IPs.
Select Save.
Note
You cannot update the Whitelisted IP field if the list does not include your own source IP. This helps ensure at least one user from your organization can access Alteryx once enabled.
Inputs are validated before the setting is persisted:
Only IPv4 is accepted.
Only RFC4632-compliant ranges are accepted.
Zero or more IPs and ranges can be entered, separated by a comma.
A range can be a single IP.
Whitespace is not accepted.
Example valid inputs:
198.51.2.0198.51.2.0/24,198.51.5.0/4
Once the feature has been enabled and configured, if the user’s browser sessions or API calls come from a source IP that does not match the IPs and/or CIDR ranges registered, authentication will fail and access will be blocked. This change is enforced across the account, including any and all workspaces under the account.
To disable this feature, contact your Alteryx representative.
Disabling the feature may take one or two business days. Once disabled, source IP will no longer be evaluated when authenticating a user’s browser or API access.