Leaked credentials are significantly more damaging than they used to be. It’s not just that attackers can gain access; it’s that automation and AI-assisted tooling allow them to test, iterate, and operate at machine speed. This makes credential misuse faster to scale and much harder to contain.

In enterprise environments, this means a single compromised credential can quickly spiral into broad, high-impact access if sign-ins are effectively allowed from anywhere.

An enterprise-standard safeguard

That’s why IP allowlisting for Anypoint Platform is now available natively within Access Management. This feature helps reduce risk by restricting platform sign-ins to trusted networks you control, ensuring that a credential alone isn’t enough to access your environment from unknown locations.

With this release, you can define an organization-wide set of trusted networks using IPv4 CIDR blocks and enforce those restrictions at the point of sign-in. When enabled, any attempt originating outside your allowlist is blocked. The feature is designed with simplicity and transparency in mind, ensuring that admin teams can seamlessly roll out IP lists to their users without disruption.

A note for integration teams: This feature is scoped strictly to the control plane (logging into Anypoint Platform). It does not apply to your runtime API traffic or affect how your consumers call your APIs. You can find more information about the IP Allowlist Policy in the documentation.

How to enable IP allowlisting

We designed this capability to be intentionally straightforward to adopt. Complexity often leads to security gaps, so we focused on a model that is easy to reason about: a single allowlist and a single enforcement switch.

To set this up, you will need to reach out to your Anypoint Organization Admin to:

  • Define the IP address: In Access Management under Security Settings, define the IP CIDR blocks allowed to sign in (e.g. 192.0.2.0/24 for your office network)
  • Turn on Enforcement: Switch Enforce IP restrictions for login to ON to activate the rules for all users in your organization

To prevent misconfiguration, the enforcement option is disabled by default until at least one CIDR block is configured. This failsafe ensures you cannot accidentally enable restrictions without first defining an allowlist, preventing you from locking yourself out.
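A pre-enforcement check an admin team could run on a draft allowlist before switching enforcement on, as an added example that is not MuleSoft code and does not call any Anypoint API. The addresses are constructed from documentation ranges, and the `MIN_PREFIX` threshold and the list of expected sign-in sources are assumptions to adapt.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges, not real networks).
DRAFT_ALLOWLIST = ["192.0.2.0/24", "198.51.100.17/32", "203.0.113.0/33",
                   "2001:db8::/32", "0.0.0.0/0"]
EXPECTED_EGRESS = {"office": "192.0.2.44", "vpn": "198.51.100.17",
                   "ci-runner": "203.0.113.9"}

MIN_PREFIX = 16  # assumption: blocks broader than /16 get a manual review


def parse_allowlist(entries):
    """Return (networks, problems) for a draft list of IPv4 CIDR blocks."""
    networks, problems = [], []
    for entry in entries:
        try:
            # Default strict parsing also rejects entries with host bits set.
            net = ipaddress.ip_network(entry.strip())
        except ValueError as exc:
            problems.append((entry, f"invalid: {exc}"))
            continue
        if net.version != 4:
            problems.append((entry, "not IPv4"))
        elif net.prefixlen < MIN_PREFIX:
            problems.append((entry, f"too broad (/{net.prefixlen})"))
        else:
            networks.append(net)
    return networks, problems


def uncovered_sources(networks, sources):
    """Names of expected sign-in sources that no allowlist block contains."""
    missing = []
    for name, addr in sources.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in networks):
            missing.append(name)
    return sorted(missing)


def ready_to_enforce(entries, sources):
    """True only if every entry is usable and every source is covered."""
    networks, problems = parse_allowlist(entries)
    missing = uncovered_sources(networks, sources)
    return bool(networks) and not problems and not missing, problems, missing


if __name__ == "__main__":
    print(ready_to_enforce(DRAFT_ALLOWLIST, EXPECTED_EGRESS))
```

On the sample draft, the check reports three unusable entries and leaves `ci-runner` uncovered, so enforcement should wait until the list is corrected.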

Audit-ready by default

In enterprise environments, security is about proving that controls are in place and working. This release includes native audit logging for the events that matter most:

  • Administrative changes: Tracking who created, updated, or deleted allowlist entries
  • Sign-in failures: Logging attempts blocked because the IP address was not permitted

This audit trail helps teams move faster during routine access reviews and incident response. If a user can’t sign in, the logs allow you to quickly confirm whether enforcement is working as intended or whether a legitimate configuration needs attention.

Get started today

This feature is available for US and EU commercial clouds with support for IPv4 addresses. For more information, see the MuleSoft documentation.