Due to the nature of the Vercel infrastructure, all outbound function requests come from a range of highly dynamic IP addresses and a fixed IP range cannot be given.
For Pro customers, a range cannot be defined and you must allow all internet traffic. If you wish to restrict access, we recommend using complex passwords and/or a custom header on your outbound requests that can be verified by your backend and set to reject traffic that doesn't contain this header.
For Enterprise customers with the Vercel Secure Compute feature, you can establish private connections between Serverless Functions and backend clouds such as databases and private infrastructure.
This guide will provide you with steps to allowlist IP addresses for a deployment using Vercel Secure Compute.
When using Vercel, by default, you have to expose your backend cloud to all IP addresses to allow your deployment to connect. However, such an approach might not align with strict security and compliance rules. This is where Secure Compute comes in. When enabled, it places your deployments in a private network with dedicated IP addresses.
To enable Vercel Secure Compute for a project:
- Vercel positions your project's build container and deployment in a private network.
- This network will have a specific dedicated IP address pair.
- You can optionally exclude the build container from this private network.
- Secure Compute provides private networks with automatically assigned IP pairs, accessible through the Vercel Dashboard.
- On requesting access, Vercel creates one private network in a chosen Serverless Function region.
- Multiple private networks can be created within the same team by making requests through the Dashboard.
- The Secure Compute feature affects Serverless Functions only. Edge Functions do not utilize these dedicated IPs.
Each private network is deployed within a specific Serverless Function region. We recommend to pick a region for the private network that aligns with the location of your backend cloud to ensure optimal performance.
After obtaining your dedicated IP pair:
- Utilize the IP pair to set up an access control list for your backend infrastructure.
- Besides IP-based authentication, ensure the use of additional authentication methods like user/password or an authentication key.
Within a team:
- Connect a private network with the environment of your Project's deployment, i.e., Serverless Functions and Incremental Static Regeneration (ISR).
- A single private network can be used across multiple projects, sharing the same IP pair.
- For heightened security or larger teams, assign one private network to each project. This way, every project has a unique dedicated IP pair.
- If deploying Serverless Functions in multiple regions, use multiple private networks, ensuring distinct IP pairs per region.
- Allocate various IPs to different types of projects for enhanced security and management.
For those with rigorous security and compliance requirements, Vercel can provide guidance tailored to specific needs. Reach out if dedicated IP addresses aren't sufficient for your case.
Leveraging Vercel Secure Compute ensures enhanced privacy and security for your Vercel deployments. It allows you to maintain a private connection between your Serverless Functions and backend infrastructure, significantly reducing potential risks.