IP allowlists for the login and admin URLs of Keycloak deployments can be configured through the Cloud-IAM dashboard and API.

Cloud-IAM has two types of IP allowlist:
OpenID API endpoints: these URLs are the end-user (Cloud-IAM customer's own customers) endpoints for login, sign-up and forgot password, plus the underlying REST APIs required to authenticate and generate JWT access tokens.
Keycloak REST Admin endpoints: these URLs are the Keycloak administration console and the Keycloak admin REST API endpoints.

Each allowlist entry is either a single IP address or a range in CIDR format. Entries are checked sequentially until a match is found. If no rule matches, the allow directive is applied.

Each time an allowlist is updated through the API or the dashboard, a zero-downtime redeployment is triggered to apply the new settings.

By default, the allowlists are configured to allow any IP to connect. The Cloud-IAM team recommends configuring both allowlists according to your security requirements.
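
A local check to run on allowlist entries before submitting them, as an added example that is not Cloud-IAM code: it verifies that each entry is a single IP address or a CIDR block and flags entries that an earlier entry already covers, which sequential matching makes redundant. The function name `lint_allowlist` and the sample entries are constructed for illustration, and the script does not call the Cloud-IAM API.

```python
import ipaddress

def lint_allowlist(entries):
    """Return (networks, findings) for a list of allowlist entry strings.

    findings is a list of (position, entry, message) tuples; position is 1-based
    and follows the order in which the entries would be checked.
    """
    networks, findings = [], []
    for pos, raw in enumerate(entries, start=1):
        text = raw.strip()
        try:
            # strict=False accepts "192.0.2.5/28"; the stray host bits are reported below.
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            findings.append((pos, text, "invalid: not an IP address or CIDR block"))
            continue
        if "/" in text and ipaddress.ip_interface(text).ip != net.network_address:
            findings.append((pos, text, f"host bits set: normalised to {net}"))
        if net.prefixlen == 0:
            findings.append((pos, text, "allows every address, same as the default"))
        for earlier in networks:
            # An entry inside an earlier one can never be the first match.
            if earlier.version == net.version and net.subnet_of(earlier):
                findings.append((pos, text, f"redundant: already covered by {earlier}"))
                break
        networks.append(net)
    return networks, findings

# Constructed sample entries (documentation address ranges), not real customer data.
SAMPLE = [
    "198.51.100.10",   # single address
    "203.0.113.0/24",  # CIDR block
    "203.0.113.77",    # already inside the /24 above
    "192.0.2.5/28",    # CIDR written with host bits set
    "0.0.0.0/0",       # equivalent to leaving the default in place
    "10.0.0.256",      # typo: not a valid address
]

if __name__ == "__main__":
    nets, findings = lint_allowlist(SAMPLE)
    print("normalised entries:", ", ".join(str(n) for n in nets))
    for pos, entry, message in findings:
        print(f"entry {pos} ({entry}): {message}")
```

Because every update triggers a redeployment, catching malformed or overly broad entries locally avoids a rollout whose only effect is to keep the default open configuration.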

Example of allowlists configuration