Configure AWS WorkSpaces Web IP Access Settings

The aws:workspacesweb/ipAccessSettings:IpAccessSettings resource, part of the Pulumi AWS provider, defines IP access controls for WorkSpaces Web portals, specifying which network ranges can connect. This guide focuses on two capabilities: configuring single and multiple IP range restrictions, and adding customer-managed KMS encryption.

IP access settings are associated with WorkSpaces Web portals after creation. The examples are intentionally small. Combine them with your own portal resources and network architecture.

Restrict portal access to a single IP range

Most deployments start by limiting access to a single corporate network, ensuring only users on the company network can reach the portal.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.workspacesweb.IpAccessSettings("example", {
    displayName: "example",
    ipRules: [{
        ipRange: "10.0.0.0/16",
    }],
});

Python:

import pulumi
import pulumi_aws as aws

example = aws.workspacesweb.IpAccessSettings("example",
    display_name="example",
    ip_rules=[{
        "ip_range": "10.0.0.0/16",
    }])

Go:

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := workspacesweb.NewIpAccessSettings(ctx, "example", &workspacesweb.IpAccessSettingsArgs{
			DisplayName: pulumi.String("example"),
			IpRules: workspacesweb.IpAccessSettingsIpRuleArray{
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange: pulumi.String("10.0.0.0/16"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.WorkSpacesWeb.IpAccessSettings("example", new()
    {
        DisplayName = "example",
        IpRules = new[]
        {
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "10.0.0.0/16",
            },
        },
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.IpAccessSettings;
import com.pulumi.aws.workspacesweb.IpAccessSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.IpAccessSettingsIpRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new IpAccessSettings("example", IpAccessSettingsArgs.builder()
            .displayName("example")
            .ipRules(IpAccessSettingsIpRuleArgs.builder()
                .ipRange("10.0.0.0/16")
                .build())
            .build());

    }
}

YAML:

resources:
  example:
    type: aws:workspacesweb:IpAccessSettings
    properties:
      displayName: example
      ipRules:
        - ipRange: 10.0.0.0/16

When associated with a portal, the ipRules property blocks connections from addresses outside the specified range. The ipRange uses CIDR notation to define the allowed network block. The displayName identifies the settings resource in the AWS console.

Allow access from multiple office locations

Companies with distributed offices permit access from multiple network ranges, each representing a different location.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.workspacesweb.IpAccessSettings("example", {
    displayName: "example",
    description: "Example IP access settings",
    ipRules: [
        {
            ipRange: "10.0.0.0/16",
            description: "Main office",
        },
        {
            ipRange: "192.168.0.0/24",
            description: "Branch office",
        },
    ],
});

Python:

import pulumi
import pulumi_aws as aws

example = aws.workspacesweb.IpAccessSettings("example",
    display_name="example",
    description="Example IP access settings",
    ip_rules=[
        {
            "ip_range": "10.0.0.0/16",
            "description": "Main office",
        },
        {
            "ip_range": "192.168.0.0/24",
            "description": "Branch office",
        },
    ])

Go:

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := workspacesweb.NewIpAccessSettings(ctx, "example", &workspacesweb.IpAccessSettingsArgs{
			DisplayName: pulumi.String("example"),
			Description: pulumi.String("Example IP access settings"),
			IpRules: workspacesweb.IpAccessSettingsIpRuleArray{
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange:     pulumi.String("10.0.0.0/16"),
					Description: pulumi.String("Main office"),
				},
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange:     pulumi.String("192.168.0.0/24"),
					Description: pulumi.String("Branch office"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.WorkSpacesWeb.IpAccessSettings("example", new()
    {
        DisplayName = "example",
        Description = "Example IP access settings",
        IpRules = new[]
        {
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "10.0.0.0/16",
                Description = "Main office",
            },
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "192.168.0.0/24",
                Description = "Branch office",
            },
        },
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.workspacesweb.IpAccessSettings;
import com.pulumi.aws.workspacesweb.IpAccessSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.IpAccessSettingsIpRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new IpAccessSettings("example", IpAccessSettingsArgs.builder()
            .displayName("example")
            .description("Example IP access settings")
            .ipRules(            
                IpAccessSettingsIpRuleArgs.builder()
                    .ipRange("10.0.0.0/16")
                    .description("Main office")
                    .build(),
                IpAccessSettingsIpRuleArgs.builder()
                    .ipRange("192.168.0.0/24")
                    .description("Branch office")
                    .build())
            .build());

    }
}

YAML:

resources:
  example:
    type: aws:workspacesweb:IpAccessSettings
    properties:
      displayName: example
      description: Example IP access settings
      ipRules:
        - ipRange: 10.0.0.0/16
          description: Main office
        - ipRange: 192.168.0.0/24
          description: Branch office

Each entry in ipRules defines a separate allowed range. The description field documents which office or VPN endpoint each rule represents, making it easier to audit and maintain access policies as your network topology changes.
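A pre-deployment check for the ipRules list described above, as an added example that is not part of the original guide or the Pulumi provider. The function name lint_ip_rules, the constructed sample rules and the /8 breadth threshold are assumptions made for illustration; the rule shape matches the Python snippets on this page.

```python
import ipaddress

# Constructed sample rules in the shape the Python snippets pass to ip_rules.
SAMPLE_RULES = [
    {"ip_range": "10.0.0.0/16", "description": "Main office"},
    {"ip_range": "192.168.0.0/24", "description": "Branch office"},
    {"ip_range": "10.0.5.0/24"},                            # nested range, undocumented
    {"ip_range": "203.0.113.7/24", "description": "VPN"},   # host bits set
    {"ip_range": "0.0.0.0/0", "description": "temp"},       # allows every address
    {"ip_range": "office-net", "description": "typo"},      # not a CIDR block
]

MIN_PREFIX = 8  # assumption: a local policy threshold, not an AWS limit


def lint_ip_rules(rules, min_prefix=MIN_PREFIX):
    """Return (index, code, message) findings for an ip_rules list."""
    findings, parsed = [], []
    for i, rule in enumerate(rules):
        cidr = rule.get("ip_range", "")
        if not rule.get("description"):
            findings.append((i, "no-description", f"{cidr}: nothing to audit against"))
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            try:
                # Retry leniently to tell "host bits set" apart from garbage.
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((i, "invalid", f"{cidr!r} is not CIDR notation"))
                continue
            findings.append((i, "host-bits", f"{cidr} has host bits set; did you mean {net}?"))
        if net.prefixlen < min_prefix:
            findings.append((i, "too-broad", f"{net} covers {net.num_addresses} addresses"))
        # A rule that overlaps an earlier one is redundant or wider than intended.
        for j, other in parsed:
            if net.version == other.version and net.overlaps(other):
                findings.append((i, "overlap", f"{net} overlaps rule {j} ({other})"))
        parsed.append((i, net))
    return findings


if __name__ == "__main__":
    for idx, code, msg in lint_ip_rules(SAMPLE_RULES):
        print(f"rule[{idx}] {code}: {msg}")
```

Run the check in CI before `pulumi up` and fail the build on any finding, so an overly broad or malformed range never reaches the portal.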

Encrypt settings with customer-managed KMS keys

Regulated environments require customer-managed encryption keys for compliance, allowing control over key rotation and access policies.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.kms.Key("example", {
    description: "KMS key for WorkSpaces Web IP Access Settings",
    deletionWindowInDays: 7,
});
const exampleIpAccessSettings = new aws.workspacesweb.IpAccessSettings("example", {
    displayName: "example",
    description: "Example IP access settings",
    customerManagedKey: example.arn,
    additionalEncryptionContext: {
        Environment: "Production",
    },
    ipRules: [
        {
            ipRange: "10.0.0.0/16",
            description: "Main office",
        },
        {
            ipRange: "192.168.0.0/24",
            description: "Branch office",
        },
    ],
    tags: {
        Name: "example-ip-access-settings",
    },
});

Python:

import pulumi
import pulumi_aws as aws

example = aws.kms.Key("example",
    description="KMS key for WorkSpaces Web IP Access Settings",
    deletion_window_in_days=7)
example_ip_access_settings = aws.workspacesweb.IpAccessSettings("example",
    display_name="example",
    description="Example IP access settings",
    customer_managed_key=example.arn,
    additional_encryption_context={
        "Environment": "Production",
    },
    ip_rules=[
        {
            "ip_range": "10.0.0.0/16",
            "description": "Main office",
        },
        {
            "ip_range": "192.168.0.0/24",
            "description": "Branch office",
        },
    ],
    tags={
        "Name": "example-ip-access-settings",
    })

Go:

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/workspacesweb"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:          pulumi.String("KMS key for WorkSpaces Web IP Access Settings"),
			DeletionWindowInDays: pulumi.Int(7),
		})
		if err != nil {
			return err
		}
		_, err = workspacesweb.NewIpAccessSettings(ctx, "example", &workspacesweb.IpAccessSettingsArgs{
			DisplayName:        pulumi.String("example"),
			Description:        pulumi.String("Example IP access settings"),
			CustomerManagedKey: example.Arn,
			AdditionalEncryptionContext: pulumi.StringMap{
				"Environment": pulumi.String("Production"),
			},
			IpRules: workspacesweb.IpAccessSettingsIpRuleArray{
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange:     pulumi.String("10.0.0.0/16"),
					Description: pulumi.String("Main office"),
				},
				&workspacesweb.IpAccessSettingsIpRuleArgs{
					IpRange:     pulumi.String("192.168.0.0/24"),
					Description: pulumi.String("Branch office"),
				},
			},
			Tags: pulumi.StringMap{
				"Name": pulumi.String("example-ip-access-settings"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.Kms.Key("example", new()
    {
        Description = "KMS key for WorkSpaces Web IP Access Settings",
        DeletionWindowInDays = 7,
    });

    var exampleIpAccessSettings = new Aws.WorkSpacesWeb.IpAccessSettings("example", new()
    {
        DisplayName = "example",
        Description = "Example IP access settings",
        CustomerManagedKey = example.Arn,
        AdditionalEncryptionContext = 
        {
            { "Environment", "Production" },
        },
        IpRules = new[]
        {
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "10.0.0.0/16",
                Description = "Main office",
            },
            new Aws.WorkSpacesWeb.Inputs.IpAccessSettingsIpRuleArgs
            {
                IpRange = "192.168.0.0/24",
                Description = "Branch office",
            },
        },
        Tags = 
        {
            { "Name", "example-ip-access-settings" },
        },
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.workspacesweb.IpAccessSettings;
import com.pulumi.aws.workspacesweb.IpAccessSettingsArgs;
import com.pulumi.aws.workspacesweb.inputs.IpAccessSettingsIpRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Key("example", KeyArgs.builder()
            .description("KMS key for WorkSpaces Web IP Access Settings")
            .deletionWindowInDays(7)
            .build());

        var exampleIpAccessSettings = new IpAccessSettings("exampleIpAccessSettings", IpAccessSettingsArgs.builder()
            .displayName("example")
            .description("Example IP access settings")
            .customerManagedKey(example.arn())
            .additionalEncryptionContext(Map.of("Environment", "Production"))
            .ipRules(            
                IpAccessSettingsIpRuleArgs.builder()
                    .ipRange("10.0.0.0/16")
                    .description("Main office")
                    .build(),
                IpAccessSettingsIpRuleArgs.builder()
                    .ipRange("192.168.0.0/24")
                    .description("Branch office")
                    .build())
            .tags(Map.of("Name", "example-ip-access-settings"))
            .build());

    }
}

YAML:

resources:
  example:
    type: aws:kms:Key
    properties:
      description: KMS key for WorkSpaces Web IP Access Settings
      deletionWindowInDays: 7
  exampleIpAccessSettings:
    type: aws:workspacesweb:IpAccessSettings
    name: example
    properties:
      displayName: example
      description: Example IP access settings
      customerManagedKey: ${example.arn}
      additionalEncryptionContext:
        Environment: Production
      ipRules:
        - ipRange: 10.0.0.0/16
          description: Main office
        - ipRange: 192.168.0.0/24
          description: Branch office
      tags:
        Name: example-ip-access-settings

The customerManagedKey property references a KMS key ARN that encrypts the IP access settings data. The additionalEncryptionContext adds key-value pairs to the encryption context, providing additional audit trail information. You must grant WorkSpaces Web permissions to use the KMS key.

Beyond these examples

These snippets focus on specific IP access settings features: IP range restrictions and customer-managed encryption. They’re intentionally minimal rather than complete portal deployments.

The examples assume pre-existing infrastructure such as a WorkSpaces Web portal for association. They focus on configuring access controls rather than provisioning the entire portal environment.

To keep things focused, common patterns are omitted, including:

  • Portal association (associatedPortalArns is output-only)
  • IP rule validation and CIDR notation requirements
  • Regional deployment considerations

These omissions are intentional: the goal is to illustrate how IP access settings are wired, not to provide drop-in portal modules. See the WorkSpaces Web IP Access Settings resource reference for all available configuration options.

Frequently Asked Questions

IP Rules & Access Control

What do IP Access Settings control?
IP Access Settings control which IP addresses users can connect from when accessing WorkSpaces Web portals.

How do I specify allowed IP addresses?
Use the ipRules property with IP ranges in CIDR notation, such as 10.0.0.0/16 or 192.168.0.0/24.

Can I allow multiple IP ranges?
Yes, ipRules accepts an array of IP rules. Each rule can have its own ipRange and optional description for documentation.

Security & Integration

How do I encrypt IP access settings with KMS?
Specify customerManagedKey with your KMS key ARN. You can optionally include additionalEncryptionContext for extra encryption metadata.

How can I see which web portals use these settings?
Check the associatedPortalArns output property, which lists all web portal ARNs currently using these IP access settings.
