Restrict Logins to certain IP ranges

For security reasons we would like to be able to restrict the user login to Retool to specific IP addresses/ranges.

Hey @moritz! Andrew from Retool.

We allow that with our on-premise version! Since you host it you can restrict access to users inside of your network or any custom limitations you want to put in place. Here are some instructions on how to set it up on AWS.

Hi @ajspencer. I am fully aware that this is something we could do with the on-premise version. However, as you probably agree, the on-premise version is not the right fit for each of your clients, especially as it comes at a much higher price than your cloud versions. Security however is relevant for all of your clients and I would imagine that the implementation of an IP restriction per client on the software layer shall be fairly simple.

This is a critical feature for a hosted solution as well. Is there any update on this after March 2021? Is this feature available?

Hey @Madhukar_Bangar!

At the moment the way to restrict access to specific IPs is still to use a self-hosted instance of Retool though the team is looking to make that a more accessible option!

Any update on when this will be available for the Cloud version? I see this as a critical feature for any SaaS product that deals with PII and other sensitive customer data. It should not be restricted to the more expensive on-premise version.

Hey @_David!

One of the features of the more recent pricing change in Retool was the offering of a Business tier for self-hosted instances so pricing for the on-premise version should now match the Cloud version, so hopefully that's not restrictive anymore.

Setting up and managing your own infrastructure to run Retool on does come with its own costs though and I can certainly imagine how you might still want a Cloud hosted org with that as a requirement. We have brought the request to the dev team and can report back here if support is added for Cloud-hosted instances as well!

Thanks Kabirdas for the quick response and for taking up the issue internally.

We also would like to limit the connections by IP on the cloud version. Was there any progress made on this?

Hey @Benoit_Bouchard, thanks for asking. There hasn't been movement on implementing the ability to restrict logins to certain IP addresses on Cloud. As mentioned in some of the above comments, we're still more likely to recommend people move to a self-hosted Retool instance if they desire this sort of control. Would self-hosting work for you/your team? Here are a few docs/resources for more info:

Still, if you'd like I can pass along another +1 to our product and eng team to represent your interest in this being exposed on the Cloud version of Retool!

@kbn Hello,
We wanted the cloud version in order to avoid having to manage another server. The whole idea of using Retool is to eliminate the overhead of having to code and host a system ourselves. That feature would really increase the security and would be more than something "nice to have".

So for on-premise I should have a firewall to block IPs to Retool?

Hey @agaitan026! Yes, a firewall would allow you to restrict IP access to your self-hosted Retool instance. Using security group rules etc. to control which IPs you allow traffic from should be the easiest way to implement the control you are looking for. Here's some documentation from AWS on how they recommend setting this up: Block or allow specific IPs on an EC2 instance | AWS re:Post. If you aren't hosted on AWS, the concepts should still be the same.
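As an added example (not part of the thread and not Retool's or AWS's own code), one way to check that the security group rules suggested above really limit a self-hosted instance to an allowlist is to audit the group's ingress rules. The port, the allowlisted ranges and the sample rules are constructed assumptions; the rule layout follows the `IpPermissions` list returned by `aws ec2 describe-security-groups`.

```python
import ipaddress

# Constructed sample: the "IpPermissions" list of one security group, in the
# shape returned by `aws ec2 describe-security-groups`. All values are made up.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "198.51.100.7/32"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]

ALLOWED = ["203.0.113.0/24", "198.51.100.7/32"]  # assumed company VPN egress ranges
SERVICE_PORT = 443                               # assumed port the instance is served on


def covers_port(perm, port):
    """True if the ingress rule applies to TCP traffic on `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and ports; FromPort/ToPort are absent
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit(permissions, allowed, port):
    """Return sorted source CIDRs that can reach `port` but lie outside `allowed`."""
    allow_nets = [ipaddress.ip_network(c) for c in allowed]
    findings = set()
    for perm in permissions:
        if not covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # subnet_of() needs matching IP versions, so check the version first
            if not any(net.version == a.version and net.subnet_of(a) for a in allow_nets):
                findings.add(cidr)
    return sorted(findings)


if __name__ == "__main__":
    for cidr in audit(SAMPLE_PERMISSIONS, ALLOWED, SERVICE_PORT):
        print("ingress wider than allowlist:", cidr)
```

The all-protocols rule (`"-1"`) and the IPv6 range are the cases that are easy to miss when reviewing rules by eye: both leave the service port reachable even though no rule names it.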

+1 on this request. Our company requires a whitelist to block our cloud instance from being publicly accessible and only whitelist specific company VPN IPs.

+1, it does make sense that a tool (even cloud based) which is geared primarily towards internal tooling would support an inherent way to block "external" traffic that comes outside of the IP ranges of the "internal" users/systems.

Thanks @chukwumaokere and @JosephAmato for adding your request here and thoughts on why this would be useful. :wave:

For anyone visiting this thread, our official stance at this time is still to

recommend people move to a self-hosted Retool instance if they desire this sort of control. Would self-hosting work for you/your team? Here are a few docs/resources for more info:
-toggle self-host to see plan options: Retool pricing

as Kayla commented above.

That being said, I still encourage anyone interested to add a :heavy_plus_sign: or comment to raise visibility to any request they support. We're always monitoring the forum and advocating on your behalf! :female_detective:

Don't forget to set up alerts for topics you have not commented on, but would still like to get notifications for! :bell: