Vercel's infrastructure uses a range of dynamic IP addresses.
- Hobby and Pro customers can restrict access to their deployments through Deployment Protection and Firewall custom rules.
- Pro customers with the Static IPs add-on enabled will have outgoing connections between Vercel Functions and backend infrastructure established through a known set of IPs.
- Enterprise customers with Vercel Secure Compute can establish private connections between Vercel Functions and backend infrastructure such as databases.
This guide will show how to allowlist IP addresses for a deployment using Vercel Secure Compute.
Vercel Secure Compute gives you the ability to restrict connections between your backend infrastructure and your Vercel deployments. This might be necessary for teams with more strict security and compliance rules. Secure Compute places your builds and deployments in an isolated, private network with dedicated IP addresses.
Vercel Static IPs will allow your Vercel Functions to access backend services that require IP allowlisting through static egress IPs.
First, go to the pricing section of our documentation to understand how much this feature would cost if you decide to enable it. To enable Vercel Static IPs for a project:
- Go to your Project Dashboard
- Navigate to Project Settings
- Click the Connectivity section
- Click Manage Active Regions
- Pick a region close to your backend services to keep latency down. You can pick up to 3 regions
- Your project gets assigned static IPs within a shared VPC for each configured region
A static IP will be shown to you that you must copy and add to your backend infrastructure as an allowed source of traffic. A fixed IP alone does not guarantee security, and it is still recommended to use authentication methods such as user and password pairs, public and private key pairs, or other methods to fully secure your resources.
To enable Vercel Secure Compute for a project:
- Vercel places your project's build infrastructure and deployment in a private network
- This network will have a specific dedicated IP address pair
- You can optionally exclude the build container from this private network
- Secure Compute provides private networks with automatically assigned IP pairs, accessible through the Vercel Dashboard
- On requesting access, Vercel creates one private network in a chosen Vercel Function region
- Multiple private networks can be created within the same team by making requests through the Dashboard
- The Secure Compute feature affects Vercel Functions using the Node.js runtime only
Each private network is deployed within a specific Vercel Function region. We recommend to pick a region for the private network that aligns with the location of your backend cloud to ensure optimal performance.
After obtaining your dedicated IP pair:
- Utilize the IP pair to set up an access control list for your backend infrastructure.
- Besides IP-based authentication, ensure the use of additional authentication methods like user/password or an authentication key.
Within a team:
- Connect a private network with the environment of your Project's deployment, i.e., Vercel Functions and Incremental Static Regeneration (ISR)
- A single private network can be used across multiple projects, sharing the same IP pair
- For heightened security or larger teams, assign one private network to each project. This way, every project has a unique dedicated IP pair
- If deploying Vercel Functions in multiple regions, use multiple private networks, ensuring distinct IP pairs per region
- Allocate various IPs to different types of projects for enhanced security and management
For those with rigorous security and compliance requirements, Vercel can provide guidance tailored to specific needs. Reach out if dedicated IP addresses aren't sufficient for your case.
Leveraging Vercel Secure Compute ensures enhanced privacy and security for your Vercel deployments. It allows you to maintain a private connection between your Serverless Functions and backend infrastructure, significantly reducing potential risks.