Skip to content
Platform

Network Restrictions

This topic explains how to configure network restrictions for your Supabase project's database. Network restrictions let you control which IP ranges can connect to Postgres and its pooler, reducing your project's exposure to unauthorized access.

Each Supabase project supports configurable restrictions on the IP ranges allowed to connect to Postgres and its pooler. These restrictions are enforced before traffic reaches your database. Connections that aren't restricted by IP still need to authenticate with valid database credentials.

If direct connections to your database resolve to an IPv6 address, add both IPv4 and IPv6 CIDRs to your allowlist. Network restrictions apply to all connection routes, whether pooled or direct. There are two exceptions: if you have an extension on the IPv6 migration, or if you have the IPv4 add-on, you only need to add IPv4 CIDRs.

Configure with the dashboard #

To configure network restrictions with the dashboard:

  1. Open your project's Database Settings page.
  2. In the Network Restrictions section, make your changes. You need Owner or Admin permissions to make changes.

Configure with the CLI #

To configure network restrictions with the CLI:

  1. Install the Supabase CLI 1.22.0+.
  2. Log in to your Supabase account.
  3. If your project was created before December 23, 2022, upgrade it to the latest Supabase version before using network restrictions.
  4. Ensure you have Owner or Admin permissions for the project.

Check restrictions#

To check your current network restrictions:

  1. Complete the steps in Configure with the CLI.

  2. Run the get subcommand to retrieve the restrictions currently in effect:

    1
    > supabase network-restrictions get --project-ref {ref} --experimental
    2
    DB Allowed IPv4 CIDRs: &[183.12.1.1/24]
    3
    DB Allowed IPv6 CIDRs: &[2001:db8:3333:4444:5555:6666:7777:8888/64]
    4
    Restrictions applied successfully: true

    If restrictions have never been applied, the allowed CIDRs list is empty and Restrictions applied successfully is false. All IPs can connect:

    1
    > supabase network-restrictions get --project-ref {ref} --experimental
    2
    DB Allowed IPv4 CIDRs: []
    3
    DB Allowed IPv6 CIDRs: []
    4
    Restrictions applied successfully: false

Update restrictions#

To update your network restrictions:

  1. Complete the steps in Configure with the CLI.

  2. Run the update subcommand with the CIDRs you want to allow:

    1
    > supabase network-restrictions update --project-ref {ref} --db-allow-cidr 183.12.1.1/24 --db-allow-cidr 2001:db8:3333:4444:5555:6666:7777:8888/64 --experimental
    2
    DB Allowed IPv4 CIDRs: &[183.12.1.1/24]
    3
    DB Allowed IPv6 CIDRs: &[2001:db8:3333:4444:5555:6666:7777:8888/64]
    4
    Restrictions applied successfully: true

    The CIDRs you provide replace any previously applied restrictions. To keep existing restrictions, include them alongside any new CIDRs in the update command.

Append a CIDR to existing restrictions#

To append a CIDR to your existing restrictions:

  1. Complete the steps in Configure with the CLI.

  2. Run the update subcommand with the --append flag to add a CIDR without replacing existing restrictions:

    1
    > supabase network-restrictions update --project-ref {ref} --db-allow-cidr 1.2.3.4/32 --append --experimental
    2
    DB Allowed IPv4 CIDRs: &[183.12.1.1/24 1.2.3.4/32]
    3
    DB Allowed IPv6 CIDRs: &[2001:db8:3333:4444:5555:6666:7777:8888/64]
    4
    Restrictions applied successfully: true

Remove restrictions#

To remove all network restrictions:

  1. Complete the steps in Configure with the CLI.

  2. Run the update subcommand with the CIDR 0.0.0.0/0 to remove all restrictions:

    1
    > supabase network-restrictions update --project-ref {ref} --db-allow-cidr 0.0.0.0/0 --db-allow-cidr ::/0 --experimental
    2
    DB Allowed IPv4 CIDRs: &[0.0.0.0/0]
    3
    DB Allowed IPv6 CIDRs: &[::/0]
    4
    Restrictions applied successfully: true

Limitations#

  • Network restrictions apply to Postgres and the database pooler. They don't apply to HTTPS APIs such as PostgREST, Storage, and Auth, or to Supabase client libraries like supabase-js.
  • With network restrictions applied, Edge functions lose direct access to the database. Use supabase-js to connect to the database from Edge Functions instead.