Configure AWS WorkSpaces Web IP Access Settings

The aws:workspacesweb/ipAccessSettings:IpAccessSettings resource, part of the Pulumi AWS provider, defines IP-based access restrictions for WorkSpaces Web portals, controlling which network addresses can connect. This guide focuses on two capabilities: single and multi-location IP filtering, and customer-managed encryption for compliance.

IP access settings must be associated with a WorkSpaces Web portal to take effect. The examples are intentionally small. Combine them with your own portal resources and network architecture.

Restrict portal access to a single IP range

Most deployments start by limiting access to a single corporate network, ensuring only users on the company network can reach the portal.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.workspacesweb.IpAccessSettings("example", {
    displayName: "example",
    ipRules: [{
        ipRange: "10.0.0.0/16",
    }],
});

Python:

import pulumi
import pulumi_aws as aws

example = aws.workspacesweb.IpAccessSettings("example",
    display_name="example",
    ip_rules=[{
        "ip_range": "10.0.0.0/16",
    }])

Go:

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := workspacesweb.NewIpAccessSettings(ctx, "example", &workspacesweb.IpAccessSettingsArgs{
			DisplayName: pulumi.String("example"),
			IpRules: workspacesweb.IpAccessSettingsIpRuleArray{
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange: pulumi.String("10.0.0.0/16"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.WorkSpacesWeb.IpAccessSettings("example", new()
    {
        DisplayName = "example",
        IpRules = new[]
        {
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "10.0.0.0/16",
            },
        },
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.IpAccessSettings;
import com.pulumi.aws.workspacesweb.IpAccessSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.IpAccessSettingsIpRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new IpAccessSettings("example", IpAccessSettingsArgs.builder()
            .displayName("example")
            .ipRules(IpAccessSettingsIpRuleArgs.builder()
                .ipRange("10.0.0.0/16")
                .build())
            .build());

    }
}

YAML:

resources:
  example:
    type: aws:workspacesweb:IpAccessSettings
    properties:
      displayName: example
      ipRules:
        - ipRange: 10.0.0.0/16

When associated with a portal, the ipRules property blocks connections from addresses outside the specified range. The ipRange uses CIDR notation to define the allowed network block. Without additional rules, only traffic from 10.0.0.0/16 can access the portal.

Allow access from multiple office locations

Companies with distributed offices permit access from multiple network ranges, each representing a different location.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.workspacesweb.IpAccessSettings("example", {
    displayName: "example",
    description: "Example IP access settings",
    ipRules: [
        {
            ipRange: "10.0.0.0/16",
            description: "Main office",
        },
        {
            ipRange: "192.168.0.0/24",
            description: "Branch office",
        },
    ],
});

Python:

import pulumi
import pulumi_aws as aws

example = aws.workspacesweb.IpAccessSettings("example",
    display_name="example",
    description="Example IP access settings",
    ip_rules=[
        {
            "ip_range": "10.0.0.0/16",
            "description": "Main office",
        },
        {
            "ip_range": "192.168.0.0/24",
            "description": "Branch office",
        },
    ])

Go:

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := workspacesweb.NewIpAccessSettings(ctx, "example", &workspacesweb.IpAccessSettingsArgs{
			DisplayName: pulumi.String("example"),
			Description: pulumi.String("Example IP access settings"),
			IpRules: workspacesweb.IpAccessSettingsIpRuleArray{
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange:     pulumi.String("10.0.0.0/16"),
					Description: pulumi.String("Main office"),
				},
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange:     pulumi.String("192.168.0.0/24"),
					Description: pulumi.String("Branch office"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.WorkSpacesWeb.IpAccessSettings("example", new()
    {
        DisplayName = "example",
        Description = "Example IP access settings",
        IpRules = new[]
        {
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "10.0.0.0/16",
                Description = "Main office",
            },
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "192.168.0.0/24",
                Description = "Branch office",
            },
        },
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.IpAccessSettings;
import com.pulumi.aws.workspacesweb.IpAccessSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.IpAccessSettingsIpRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new IpAccessSettings("example", IpAccessSettingsArgs.builder()
            .displayName("example")
            .description("Example IP access settings")
            .ipRules(            
                IpAccessSettingsIpRuleArgs.builder()
                    .ipRange("10.0.0.0/16")
                    .description("Main office")
                    .build(),
                IpAccessSettingsIpRuleArgs.builder()
                    .ipRange("192.168.0.0/24")
                    .description("Branch office")
                    .build())
            .build());

    }
}

YAML:

resources:
  example:
    type: aws:workspacesweb:IpAccessSettings
    properties:
      displayName: example
      description: Example IP access settings
      ipRules:
        - ipRange: 10.0.0.0/16
          description: Main office
        - ipRange: 192.168.0.0/24
          description: Branch office

Each entry in ipRules defines a separate allowed range. The description property labels each rule for operational clarity, helping teams identify which office or VPN endpoint each range represents. All specified ranges are allowed; users from any listed network can connect.
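Because the rules form a union, one malformed or overly broad entry widens access for the whole portal. The following pre-deployment check is an added example, not part of the original guide or the Pulumi provider; the function name, the /16 breadth threshold and the sample rules are assumptions chosen for illustration.

```python
import ipaddress

# Assumed policy threshold (not an AWS limit): prefixes shorter than this are
# treated as too broad for an office allow-list.
MIN_PREFIX_LEN = 16

def validate_ip_rules(rules):
    """Return a list of (index, problem) findings for a list of ipRules dicts."""
    findings = []
    parsed = []
    for i, rule in enumerate(rules):
        cidr = rule.get("ip_range", "")
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.0.0.5/16
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append((i, f"invalid CIDR {cidr!r}: {exc}"))
            continue
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append((i, f"{net} is broader than /{MIN_PREFIX_LEN}"))
        if not rule.get("description"):
            findings.append((i, f"{net} has no description"))
        # Rules are a union, so a range nested in another adds nothing and can
        # hide the fact that the broader rule already admits it.
        for j, other in parsed:
            if net.version == other.version and (
                net.subnet_of(other) or other.subnet_of(net)
            ):
                findings.append((i, f"{net} overlaps rule {j} ({other})"))
        parsed.append((i, net))
    return findings

# Constructed sample input: the page's two rules plus three problem entries.
SAMPLE_RULES = [
    {"ip_range": "10.0.0.0/16", "description": "Main office"},
    {"ip_range": "192.168.0.0/24", "description": "Branch office"},
    {"ip_range": "10.0.5.0/24", "description": "Lab"},   # inside rule 0
    {"ip_range": "0.0.0.0/0", "description": "Temp"},    # admits everything
    {"ip_range": "172.16.1.7/20"},                        # host bits set
]

if __name__ == "__main__":
    for index, problem in validate_ip_rules(SAMPLE_RULES):
        print(f"ipRules[{index}]: {problem}")
```

Run it against the same list you pass to ip_rules and fail the pipeline when it returns any findings.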

Encrypt settings with customer-managed KMS keys

Regulated environments require customer-managed encryption keys for data at rest, with additional encryption context for audit trails.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.kms.Key("example", {
    description: "KMS key for WorkSpaces Web IP Access Settings",
    deletionWindowInDays: 7,
});
const exampleIpAccessSettings = new aws.workspacesweb.IpAccessSettings("example", {
    displayName: "example",
    description: "Example IP access settings",
    customerManagedKey: example.arn,
    additionalEncryptionContext: {
        Environment: "Production",
    },
    ipRules: [
        {
            ipRange: "10.0.0.0/16",
            description: "Main office",
        },
        {
            ipRange: "192.168.0.0/24",
            description: "Branch office",
        },
    ],
    tags: {
        Name: "example-ip-access-settings",
    },
});

Python:

import pulumi
import pulumi_aws as aws

example = aws.kms.Key("example",
    description="KMS key for WorkSpaces Web IP Access Settings",
    deletion_window_in_days=7)
example_ip_access_settings = aws.workspacesweb.IpAccessSettings("example",
    display_name="example",
    description="Example IP access settings",
    customer_managed_key=example.arn,
    additional_encryption_context={
        "Environment": "Production",
    },
    ip_rules=[
        {
            "ip_range": "10.0.0.0/16",
            "description": "Main office",
        },
        {
            "ip_range": "192.168.0.0/24",
            "description": "Branch office",
        },
    ],
    tags={
        "Name": "example-ip-access-settings",
    })

Go:

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:          pulumi.String("KMS key for WorkSpaces Web IP Access Settings"),
			DeletionWindowInDays: pulumi.Int(7),
		})
		if err != nil {
			return err
		}
		_, err = workspacesweb.NewIpAccessSettings(ctx, "example", &workspacesweb.IpAccessSettingsArgs{
			DisplayName:        pulumi.String("example"),
			Description:        pulumi.String("Example IP access settings"),
			CustomerManagedKey: example.Arn,
			AdditionalEncryptionContext: pulumi.StringMap{
				"Environment": pulumi.String("Production"),
			},
			IpRules: workspacesweb.IpAccessSettingsIpRuleArray{
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange:     pulumi.String("10.0.0.0/16"),
					Description: pulumi.String("Main office"),
				},
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange:     pulumi.String("192.168.0.0/24"),
					Description: pulumi.String("Branch office"),
				},
			},
			Tags: pulumi.StringMap{
				"Name": pulumi.String("example-ip-access-settings"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Kms.Key("example", new()
    {
        Description = "KMS key for WorkSpaces Web IP Access Settings",
        DeletionWindowInDays = 7,
    });

    var exampleIpAccessSettings = new Aws.WorkSpacesWeb.IpAccessSettings("example", new()
    {
        DisplayName = "example",
        Description = "Example IP access settings",
        CustomerManagedKey = example.Arn,
        AdditionalEncryptionContext = 
        {
            { "Environment", "Production" },
        },
        IpRules = new[]
        {
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "10.0.0.0/16",
                Description = "Main office",
            },
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "192.168.0.0/24",
                Description = "Branch office",
            },
        },
        Tags = 
        {
            { "Name", "example-ip-access-settings" },
        },
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.workspacesweb.IpAccessSettings;
import com.pulumi.aws.workspacesweb.IpAccessSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.IpAccessSettingsIpRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Key("example", KeyArgs.builder()
            .description("KMS key for WorkSpaces Web IP Access Settings")
            .deletionWindowInDays(7)
            .build());

        var exampleIpAccessSettings = new IpAccessSettings("exampleIpAccessSettings", IpAccessSettingsArgs.builder()
            .displayName("example")
            .description("Example IP access settings")
            .customerManagedKey(example.arn())
            .additionalEncryptionContext(Map.of("Environment", "Production"))
            .ipRules(            
                IpAccessSettingsIpRuleArgs.builder()
                    .ipRange("10.0.0.0/16")
                    .description("Main office")
                    .build(),
                IpAccessSettingsIpRuleArgs.builder()
                    .ipRange("192.168.0.0/24")
                    .description("Branch office")
                    .build())
            .tags(Map.of("Name", "example-ip-access-settings"))
            .build());

    }
}

YAML:

resources:
  example:
    type: aws:kms:Key
    properties:
      description: KMS key for WorkSpaces Web IP Access Settings
      deletionWindowInDays: 7
  exampleIpAccessSettings:
    type: aws:workspacesweb:IpAccessSettings
    name: example
    properties:
      displayName: example
      description: Example IP access settings
      customerManagedKey: ${example.arn}
      additionalEncryptionContext:
        Environment: Production
      ipRules:
        - ipRange: 10.0.0.0/16
          description: Main office
        - ipRange: 192.168.0.0/24
          description: Branch office
      tags:
        Name: example-ip-access-settings

The customerManagedKey property references a KMS key ARN for encrypting the IP access settings data. The additionalEncryptionContext property adds key-value pairs to the encryption context, which appear in CloudTrail logs and can be used for access control policies. This configuration builds on multi-location access control by adding encryption and organizational tags.
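Since the encryption context is recorded in CloudTrail, it can be used to spot use of the key outside the expected context. The following detection sketch is an added example, not part of the original guide; the function names, key ARNs, account ID and event IDs are constructed placeholders, and the records are trimmed to the CloudTrail fields the check reads.

```python
# KMS operations that carry an encryptionContext request parameter.
CRYPTO_OPS = {"Encrypt", "Decrypt", "GenerateDataKey",
              "GenerateDataKeyWithoutPlaintext"}
# Pair set through additionalEncryptionContext in the example above.
EXPECTED_CONTEXT = {"Environment": "Production"}

def kms_events_missing_context(events, key_arn, expected=EXPECTED_CONTEXT):
    """Return eventIDs of cryptographic calls on key_arn whose encryption
    context lacks any expected key-value pair."""
    flagged = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("eventName") not in CRYPTO_OPS:
            continue  # e.g. DescribeKey has no encryption context
        if key_arn not in {r.get("ARN") for r in ev.get("resources") or []}:
            continue
        ctx = (ev.get("requestParameters") or {}).get("encryptionContext") or {}
        # Subset test: the calling service may add context pairs of its own.
        if any(ctx.get(k) != v for k, v in expected.items()):
            flagged.append(ev["eventID"])
    return flagged

def _event(event_id, name, ctx, arn, source="kms.amazonaws.com"):
    """Build a constructed CloudTrail record holding only the fields used here."""
    params = None if ctx is None else {"encryptionContext": ctx}
    return {"eventID": event_id, "eventSource": source, "eventName": name,
            "requestParameters": params, "resources": [{"ARN": arn}]}

# Constructed sample data: placeholder account, key and event IDs.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OTHER_ARN = "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"
SAMPLE_EVENTS = [
    _event("evt-1", "Decrypt", {"Environment": "Production", "extra": "x"}, KEY_ARN),
    _event("evt-2", "GenerateDataKey", {"Environment": "Staging"}, KEY_ARN),
    _event("evt-3", "Decrypt", None, KEY_ARN),
    _event("evt-4", "DescribeKey", None, KEY_ARN),
    _event("evt-5", "Decrypt", {}, OTHER_ARN),
]

if __name__ == "__main__":
    print(kms_events_missing_context(SAMPLE_EVENTS, KEY_ARN))
```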

Beyond these examples

These snippets focus on specific IP access settings features: IP range-based access control and customer-managed encryption. They’re intentionally minimal rather than full portal deployments.

The examples may reference pre-existing infrastructure such as WorkSpaces Web portals for association. They focus on configuring access restrictions rather than provisioning the complete portal environment.

To keep things focused, common access control patterns are omitted, including:

  • Portal association (ipAccessSettingsArn must be linked to the portal separately)
  • IP rule validation and CIDR notation requirements
  • Access logging and monitoring integration

These omissions are intentional: the goal is to illustrate how IP access settings are wired, not to provide drop-in portal modules. See the WorkSpaces Web IP Access Settings resource reference for all available configuration options.

Frequently Asked Questions

Configuration & Setup

What does IP Access Settings control?
IP Access Settings control which IP addresses users can connect from when accessing a WorkSpaces Web portal.

What's required to create IP access settings?
Only displayName is required. You’ll typically also want to configure ipRules to specify allowed IP ranges.

How do I allow access from multiple IP ranges?
Add multiple entries to the ipRules array, each with its own ipRange and optional description.

What format should I use for IP ranges?
Use CIDR notation (e.g., 10.0.0.0/16 or 192.168.0.0/24) for the ipRange field in each IP rule.

Encryption & Security

Can I encrypt IP access settings data?
Yes, specify customerManagedKey with a KMS key ARN. You can also provide additionalEncryptionContext for extra encryption metadata.

Portal Associations

How do I see which portals are using my IP access settings?
Check the associatedPortalArns output property, which lists all web portal ARNs associated with these settings.