Allow IP ranges that can access your environment

  • 3min
  • Published Jul 01, 2023

Latest Dynatrace

With environment IP allowlisting, Dynatrace provides you with fine-tuned control over external access to your environments.

IP address allowlisting restricts access to your environment to specific IP addresses that you consider acceptable.

This includes access to the latest Dynatrace web UI and the API. With this configuration, you can significantly restrict the threat actor from direct access to your Dynatrace environment.

Blocked and allowed resources

If a user's IP is not contained in the IP allowlist, they're effectively blocked from accessing and using the latest Dynatrace web UI and API.

The IP allowlist feature does not block the following:

  • Access to the previous Dynatrace web UI and APIs

  • Data ingest traffic of ActiveGates and OneAgents

  • Dynatrace IP addresses for support purposes

  • Outbound connections to allowlisted hosts in External requests for functions running in the Dynatrace JavaScript runtime. This includes functions run by Dynatrace Apps (for example, Workflow Connectors that need access to integrated resources) and custom JavaScript code you can run in Dashboards, Notebooks, or Workflows.

    External requests enable outbound network connections from your Dynatrace environment to external services. They allow you to control access to public endpoints from the AppEngine with app functions and functions in Dashboards, Notebooks, and Automations.

    1. Go to Settings and select General > Environment management, External Requests.

    2. Select New host pattern.

    3. Add the domain names.

    4. Select Add.

    This way you can granularly control the web services your functions can connect to.

CIDR notation

Dynatrace employs the IPv4 Classless Inter-Domain Routing (CIDR) system, as defined in RFC 4632, to specify which IP ranges can access your Dynatrace environment. This system pairs an IPv4 address with a subnet mask to define a range of allowable IP addresses.

For example, the CIDR notation 192.168.0.128/28 encompasses a block of 16 IP addresses, starting from 192.168.0.129 and ending at 192.168.0.142.

IPv6

IPv6 CIDR notation isn't currently supported.

Who is this for?

The guide is intended for the Dynatrace and network administrators who are tasked to limit external access to their Dynatrace environments to well-known and accepted CIDR ranges.

Add the CIDR range to the allowlist

  1. In Account Management, go to Settings > Environments
  2. In the row for the environment for which you want to configure the allowlist, select > Edit environment.
  3. Select IP allowlist tab.
  4. Select CIDR range to start creating your allowlist.
  5. You can create 50 ranges per environment.
    • Give your range a friendly name so that other administrators can recognize it.
    • Add the CIDR range. Based on your input, Account Management will calculate the count of allowed IP addresses and list the first and last usable IPs.
    • Select Save.
  6. Go back to the IP allowlist page. You need at least one CIDR range to enable IP allowlisting.

Dynatrace verifies your configuration to make sure that Dynatrace IP addresses aren't affected by your configuration.

Manage IP allowlisting using API

The Dynatrace Account Management API provides you with the endpoints that let you manage and create IP allowlists at scale.

View IP allowlist configuration

View IP allowlist configuration for a specific environment.

Set IP allowlist configuration

Set IP allowlist configuration for a specific environment.