Many external services, like databases or corporate APIs, use IP allowlisting as a security measure, only accepting connections from pre-approved IP addresses. By default, Vercel's infrastructure uses a dynamic range of IP addresses for outbound requests from Builds and Serverless Functions, which can make allowlisting a challenge.

To solve this, Vercel offers two solutions for providing your deployments with stable, static IP addresses:

• Static IPs: The standard solution for Pro and Enterprise teams needing to connect to services that require IP allowlisting.
• Secure Compute: An advanced solution for Enterprise teams that require a fully dedicated Virtual Private Cloud (VPC) for complete network isolation.

The best choice depends on your team's security, compliance, and networking requirements. For most use cases involving IP allowlisting, the Static IPs feature is the recommended solution.

The Static IPs feature routes all outbound traffic from your Serverless Functions and build processes (if toggled on) through a consistent, shared pair of static IP addresses for a given region. This is the simplest way to get a stable IP address for allowlisting with your backend services.

• Shared Infrastructure: Your project uses a Vercel-managed VPC that is shared with a small group of other customers.
• Logical Isolation: Subnet-level isolation is used to maintain security between customers within the same VPC.
• Regional IPs: You enable Static IPs for specific regions. Each region you select will have its own unique pair of static IPs.
• Broad Application: The static IPs apply to both Serverless Functions and traffic generated during your project's build step.

Note: Static IPs do not apply to traffic from Middleware, as it runs on Vercel's Edge Network.

You can enable Static IPs directly from your dashboard:

1. Navigate to your Team or Project settings and click on the Connectivity tab.
2. Select the project and the desired region(s) for your backend services.
3. Once enabled, Vercel will provide the static IP addresses for that region.
4. Add these IP addresses to the allowlist of your external service (e.g., your database provider).

For a complete walkthrough, see the Static IPs documentation.

Secure Compute is Vercel's most advanced networking solution, designed for enterprises with stringent security and compliance needs. This feature places your project's Builds and Serverless Functions within a dedicated, private network with a unique pair of IP addresses that are not shared with any other customer.

Choose Secure Compute if your organization requires:

• Complete network isolation in a dedicated Virtual Private Cloud (VPC).
• The ability to establish private connections to other cloud infrastructure using VPC Peering.
• The highest level of security and control over your deployment's network environment.

When you enable Secure Compute for a project, Vercel provisions a private network exclusively for your deployments in a chosen region. This provides a dedicated IP pair that you can use to securely connect to your backend infrastructure. Unlike Static IPs, this network is not shared, offering complete isolation. This feature affects Serverless Functions and build traffic, but not Edge Functions.

Configuring Secure Compute is a straightforward process that gives you granular control over your deployment's network.

Note: Secure Compute is an add-on for Enterprise teams. To get started, please reach out to Vercel.

Once the feature is enabled for your team, you can provision your first private network through the Vercel dashboard.

• Navigate to your Team settings and click on the Connectivity tab.
• Request a new private network. You will need to select a Serverless Function region for it. For the best performance, choose a region that is physically close to your backend services (e.g., your database).
• Once created, Vercel will display the dedicated IP address pair for this network.

After provisioning the network, you must associate it with a project.

• In the Connectivity settings, select the project you want to secure.
• Connect the private network to your project's environments (Production, Preview, and Development). Outbound traffic from Serverless Functions and build processes in that project will now route through your dedicated IPs.

With your project's traffic now coming from a predictable, dedicated IP pair, you can lock down access to your backend services.

• Copy the dedicated IP pair from your private network settings on Vercel.
• Add these IPs to the access control list (ACL) or firewall rules of your backend infrastructure (e.g., your database, private API, etc.).
• For maximum security, always use this IP allowlist in combination with other authentication methods, such as a username and password or an authentication key.

Secure Compute offers flexibility for managing network connections across your organization:

• Shared Network: A single private network can be connected to multiple projects, allowing them to share the same dedicated IP pair. This is useful for simplifying the management of your allowlists.
• Isolated Networks: For heightened security or larger teams, you can assign a unique private network to each project. This ensures every project has its own dedicated IP pair.
• Multi-Region Deployments: If your Serverless Functions are deployed in multiple regions, you can create a private network in each of those regions, ensuring you have a distinct IP pair for each one.

For organizations with the most rigorous security and compliance requirements, such as connecting to a private network in AWS or another cloud, Vercel supports VPC Peering. If dedicated IP addresses aren't sufficient for your use case, reach out to our team to discuss your specific needs.

Vercel provides powerful and flexible options for securing connections from your deployments.

• For most teams on Pro and Enterprise plans, Static IPs offer a straightforward and cost-effective solution for IP allowlisting.
• For enterprises with advanced security and isolation requirements, Secure Compute provides a dedicated, fully-isolated network environment.