About network traffic restrictions
By default, authorized users can access your enterprise's resources from any IP address. You can restrict access to your enterprise's private resources by configuring a list that allows or denies access from specific IP addresses. For example, you can allow access to the private resources exclusively from the IP address of your office network.
After you configure an IP allow list, the list determines whether users can access protected resources through the web UI, APIs, or Git, using any of the following authentication methods:
- Username and password, using GitHub authentication or SAML SSO
- Personal access token
- SSH key
The IP allow list applies to users with any role or access, including enterprise and organization owners, repository administrators, and external collaborators.
If your enterprise uses Enterprise Managed Users with Microsoft Entra ID (previously known as Azure AD) and OIDC, you can choose whether to use GitHub's IP allow list feature or to use the allow list restrictions for your identity provider (IdP). If your enterprise does not use Enterprise Managed Users with Entra ID and OIDC, you can use GitHub's allow list feature.
Which resources are protected?
IP allow lists do restrict access to:
- Organization-owned repositories
- Private and internal repositories
- Public resources, when a user is signed into GitHub
- Raw URLs for files in repositories, such as https://raw.githubusercontent.com/octo-org/octo-repo/main/README.md?token=ABC10001
IP allow lists do not restrict access to:
- Repositories, including forks, owned by managed user accounts
- Public resources, when accessed anonymously
- GitHub Copilot features that do not require directly fetching private or organizational data from GitHub
- Anonymized URLs for images and videos uploaded to issues or pull requests, such as https://private-user-images.githubusercontent.com/10001/20002.png?jwt=ABC10001, unless you use GitHub Enterprise Cloud with data residency
About GitHub's IP allow list
You can use GitHub's IP allow list to control access to your enterprise and assets owned by organizations in your enterprise.
You can approve access for a single IP address, or a range of addresses, using CIDR notation. For more information, see CIDR notation on Wikipedia.
To enforce the IP allow list, you must first add IP addresses to the list, then enable the IP allow list. After you complete your list, you can check whether a particular IP address would be allowed by any of the enabled entries in the list.
You must add your current IP address, or a matching range, before you enable the IP allow list. When you enable the allow list, the IP addresses you have configured are immediately added to the allow lists of organizations in your enterprise. If you disable the allow list, the addresses are removed from the organization allow lists.
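An offline version of that check, as an added example that is not GitHub's own code: it evaluates addresses against the enabled entries of a planned list, so you can confirm your own IP is covered before you enable enforcement. The entry field names (`name`, `value`, `is_active`) and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample entries; the field names are assumptions for this example.
SAMPLE_ENTRIES = [
    {"name": "office", "value": "203.0.113.0/24", "is_active": True},
    {"name": "vpn", "value": "198.51.100.17", "is_active": True},
    {"name": "old-dc", "value": "192.0.2.0/24", "is_active": False},
    {"name": "office-v6", "value": "2001:db8:100::/48", "is_active": True},
]


def matching_entries(ip, entries):
    """Return names of enabled entries whose address or CIDR range contains ip."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for entry in entries:
        if not entry["is_active"]:
            continue  # a disabled entry never grants access
        # A bare address parses as a /32 (IPv4) or /128 (IPv6) network.
        # strict=False tolerates a range written with host bits set.
        net = ipaddress.ip_network(entry["value"], strict=False)
        if addr.version == net.version and addr in net:
            matches.append(entry["name"])
    return matches


def uncovered_ips(admin_ips, entries):
    """Return the addresses that no enabled entry covers.

    An empty result means every listed address would still be allowed
    once the list is enforced.
    """
    return [ip for ip in admin_ips if not matching_entries(ip, entries)]


if __name__ == "__main__":
    for ip in ["203.0.113.42", "192.0.2.10", "2001:db8:100:1::5"]:
        print(ip, matching_entries(ip, SAMPLE_ENTRIES) or "NOT ALLOWED")
    print("would be locked out:",
          uncovered_ips(["203.0.113.42", "192.0.2.10"], SAMPLE_ENTRIES))
```

Run it with the addresses your owners and automation actually connect from; any address reported as uncovered needs an enabled entry before the list is turned on.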
Organization owners can add additional entries to the allow list for their organizations, but they cannot manage entries that are inherited from the enterprise account's allow list, and enterprise owners cannot manage entries added to the organization's allow list. For more information, see Managing allowed IP addresses for your organization.
You can choose to automatically add to your allow list any IP addresses configured for GitHub Apps installed in your enterprise. The creator of a GitHub App can configure an allow list for their application, specifying the IP addresses at which the application runs. By inheriting their allow list into yours, you avoid connection requests from the application being refused. For more information, see Allowing access by GitHub Apps.
About your IdP's allow list
If you are using Enterprise Managed Users with Entra ID and OIDC, you can use your IdP's allow list.
Using your IdP's allow list deactivates the GitHub IP allow list configurations for all organizations in your enterprise and deactivates the GraphQL APIs for enabling and managing IP allow lists.
By default, your IdP runs the conditional access policy (CAP) on the initial interactive SAML or OIDC sign-in to GitHub for any IP allow list configuration you choose.
The OIDC CAP applies to web requests and requests to the API using a user token, such as an OAuth token for an OAuth app or a user access token for a GitHub App acting on behalf of a user. The OIDC CAP does not apply when a GitHub App uses an installation access token. See About authentication with a GitHub App and