## IP Allowlisting

You may enable IP Allowlisting for your organization to restrict access to only a specified list of IP addresses.

If IP Allowlisting is enabled, only calls made to the Rockset service originating from an IP address specified in the IP Allowlist of your organization will be accepted. All requests originating from unrecognized IP addresses will be rejected with an **HTTP 403 Forbidden** error code. This includes access to the [Rockset Console](🔗), all API operations, and SQL query endpoints.

Administrators of organizations with IP Allowlisting enabled can configure network policies in the form of an IP access list. IP addresses may be specified as individual IPs at the account level, or as a range of IPs in [CIDR](🔗) notation.

By default, all organizations are set to the **No IP Allowlist** setting, meaning that accesses originating from any IP address are allowed. You can enable IP Allowlisting and configure your network policies in the [Settings tab in the Rockset Console](🔗). This is only available to users with the **Administrator** role.

## AWS PrivateLink

You can restrict access to your organization by only allowing connections to Rockset over [AWS PrivateLink](🔗). AWS PrivateLink enables you to connect to Rockset without exposing your traffic to the public internet.

If AWS PrivateLink is enabled for an organization in a region, only calls over AWS PrivateLink or from hosts in your IP Allowlist will be accepted for that region. All other requests will be rejected with an HTTP 403 Forbidden status code. This applies to accessing the Rockset Console and all API endpoints, including query endpoints.
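Before enabling either restriction, it helps to check a draft allowlist against the source IPs your clients actually use, so that no legitimate caller starts receiving 403 responses. The following is an added example, not Rockset code: it models the acceptance rules described on this page, and the function names, flags and sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress


def parse_allowlist(entries):
    """Parse individual IPs and CIDR ranges; return (networks, rejected_entries)."""
    networks, rejected = [], []
    for entry in entries:
        try:
            # strict=True rejects ranges with host bits set, e.g. 192.0.2.5/28,
            # which usually indicates a typo in the intended range.
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def is_accepted(source_ip, networks, allowlist_enabled,
                privatelink_enabled=False, via_privatelink=False):
    """Model of the rules stated on this page (an assumption, not the service's code)."""
    # Default "No IP Allowlist" setting and no PrivateLink: any source is allowed.
    if not allowlist_enabled and not privatelink_enabled:
        return True
    # With PrivateLink enabled, calls arriving over PrivateLink are accepted.
    if privatelink_enabled and via_privatelink:
        return True
    # Otherwise the source address must match an allowlist entry.
    if allowlist_enabled:
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in networks)
    return False  # corresponds to HTTP 403 Forbidden


def would_be_rejected(client_ips, networks):
    """Return the client IPs that would get a 403 once the allowlist is enabled."""
    return [ip for ip in client_ips
            if not is_accepted(ip, networks, allowlist_enabled=True)]


# Constructed sample data (RFC 5737 documentation addresses).
DRAFT_ALLOWLIST = ["198.51.100.17", "203.0.113.0/24", "192.0.2.5/28", "office-vpn"]
KNOWN_CLIENTS = ["198.51.100.17", "203.0.113.200", "198.51.100.18"]

if __name__ == "__main__":
    nets, bad = parse_allowlist(DRAFT_ALLOWLIST)
    print("Invalid entries to fix before saving:", bad)
    print("Clients that would be locked out:", would_be_rejected(KNOWN_CLIENTS, nets))
```

Run the check with the egress IPs of every application, CI runner and administrator workstation that calls the API or uses the Console, since the restriction applies to all of them.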

This feature is not enabled by default. To request AWS PrivateLink connectivity, please contact [Rockset Customer Support](🔗).

### AWS PrivateLink Architecture & Configuration

See our AWS PrivateLink [Architecture & Configuration](🔗) page for an overview of the Rockset PrivateLink architecture and for instructions on configuring and setting up PrivateLink for your organization.