Network Restrictions
If you can't find the Network Restrictions section at the bottom of your Database Settings, update your version of Postgres in the Infrastructure Settings.
Each Supabase project comes with configurable restrictions on the IP ranges that are allowed to connect to Postgres and its pooler ("your database"). These restrictions are enforced before traffic reaches your database. If a connection is not restricted by IP, it still needs to authenticate successfully with valid database credentials.
If direct connections to your database resolve to a IPv6 address, you need to add both IPv4 and IPv6 CIDRs to the list of allowed CIDRs. Network Restrictions will be applied to all database connection routes, whether pooled or direct. You will need to add both the IPv4 and IPv6 networks you want to allow. There are two exceptions: If you have been granted an extension on the IPv6 migration OR if you have purchased the IPv4 add-on, you need only add IPv4 CIDRs.
To get started via the Dashboard:
Network restrictions can be configured in the Database Settings page. Ensure that you have Owner or Admin permissions for the project that you are enabling network restrictions.
To get started via the Management API:
You can also manage network restrictions using the Management API:
1234567891011121314151617# Get your access token from https://supabase.com/dashboard/account/tokensexport SUPABASE_ACCESS_TOKEN="your-access-token"export PROJECT_REF="your-project-ref"# Get current network restrictionscurl -X GET "https://api.supabase.com/v1/projects/$PROJECT_REF/network-restrictions" \ -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN"# Update network restrictionscurl -X POST "https://api.supabase.com/v1/projects/$PROJECT_REF/network-restrictions/apply" \ -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "db_allowed_cidrs": [ "192.168.0.1/24", ] }'To get started via the CLI:
- Install the Supabase CLI 1.22.0+.
- Log in to your Supabase account using the CLI.
- If your project was created before 23rd December 2022, it will need to be upgraded to the latest Supabase version before Network Restrictions can be used.
- Ensure that you have Owner or Admin permissions for the project that you are enabling network restrictions.
Check restrictions
You can use the get subcommand of the CLI to retrieve the restrictions currently in effect.
If restrictions have been applied, the output of the get command will reflect the IP ranges allowed to connect:
1234> supabase network-restrictions --project-ref {ref} get --experimentalDB Allowed IPv4 CIDRs: &[183.12.1.1/24]DB Allowed IPv6 CIDRs: &[2001:db8:3333:4444:5555:6666:7777:8888/64]Restrictions applied successfully: trueIf restrictions have never been applied to your project, the list of allowed CIDRs will be empty, but they will also not have been applied ("Restrictions applied successfully: false"). As a result, all IPs are allowed to connect to your database:
1234> supabase network-restrictions --project-ref {ref} get --experimentalDB Allowed IPv4 CIDRs: []DB Allowed IPv6 CIDRs: []Restrictions applied successfully: falseUpdate restrictions
The update subcommand is used to apply network restrictions to your project:
1234> supabase network-restrictions --project-ref {ref} update --db-allow-cidr 183.12.1.1/24 --db-allow-cidr 2001:db8:3333:4444:5555:6666:7777:8888/64 --experimentalDB Allowed IPv4 CIDRs: &[183.12.1.1/24]DB Allowed IPv6 CIDRs: &[2001:db8:3333:4444:5555:6666:7777:8888/64]Restrictions applied successfully: trueThe restrictions specified (in the form of CIDRs) replaces any restrictions that might have been applied in the past.
To add to the existing restrictions, you must include the existing restrictions within the list of CIDRs provided to the update command.
Remove restrictions
To remove all restrictions on your project, you can use the update subcommand with the CIDR 0.0.0.0/0:
1234> supabase network-restrictions --project-ref {ref} update --db-allow-cidr 0.0.0.0/0 --db-allow-cidr ::/0 --experimentalDB Allowed IPv4 CIDRs: &[0.0.0.0/0]DB Allowed IPv6 CIDRs: &[::/0]Restrictions applied successfully: trueLimitations
- The current iteration of Network Restrictions applies to connections to Postgres and the database pooler; it doesn't currently apply to APIs offered over HTTPS (e.g., PostgREST, Storage, and Auth). This includes using Supabase client libraries like supabase-js.
- If network restrictions are enabled, direct access to your database from Edge Functions will always be blocked. Using the Supabase client library supabase-js is recommended to connect to a database with network restrictions from Edge Functions.