From dabaff38b0345b554027caec553d7689c603977e Mon Sep 17 00:00:00 2001 From: nicoletacoman Date: Tue, 14 Apr 2026 16:31:44 +0200 Subject: [PATCH] Add restricted IP ranges --- .../configure-private-connectivity.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/content/en/docs/control-center/security/private-connectivity/configure-private-connectivity.md b/content/en/docs/control-center/security/private-connectivity/configure-private-connectivity.md index 62ed7093753..d2f76f3c37d 100755 --- a/content/en/docs/control-center/security/private-connectivity/configure-private-connectivity.md +++ b/content/en/docs/control-center/security/private-connectivity/configure-private-connectivity.md @@ -346,6 +346,8 @@ Mendix Cloud Private Connectivity currently supports exposing physical [subnet r * Multiple IP ranges separated by a comma, such as `192.0.2.0/24,198.51.100.0/24` * A single IP address, such as `10.100.0.5/32` +Do not expose broad IP ranges such as `0.0.0.0/0` and `::/0`. Mendix recommends only exposing the IP range of the target service or database. + #### Exposing Subnet Routes on a Windows Server {#private-connectivity-resources-expose-routes-windows} To expose subnet routes for an agent that is already running, run the following script on the machine where the agent is installed. @@ -477,3 +479,10 @@ The Mendix internal systems operate on the following subnets: As such, when you expose a subnet or a single IP address, it must not conflict with our private IP ranges. If you absolutely must use the subnets on which Mendix operates, please configure [Network address translation (NAT)](https://en.wikipedia.org/wiki/Network_address_translation) on your infrastructure. + +### Restricted IP Ranges + +To maintain robust security, network access to services and databases must be strictly controlled. As such, do not expose broad IP ranges such as: + +* `0.0.0.0/0` for IPv4 +* `::/0` for IPv6
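Review bot: In the hunk at `@@ -346,6 +346,8 @@`, the added sentence mixes two strengths of guidance: "Do not expose broad IP ranges" is a prohibition, while "Mendix recommends only exposing the IP range of the target service or database" is worded as a recommendation, so a reader cannot tell whether narrow ranges are required or only advised. The examples are also joined with "and" ("such as `0.0.0.0/0` and `::/0`"), which can read as if only exposing both together is the problem; "or" is clearer. Suggest choosing one strength and pointing to the new Restricted IP Ranges section from here rather than stating the rule twice in slightly different words.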
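Review bot: In the hunk at `@@ -477,3 +479,10 @@`, the new `### Restricted IP Ranges` heading has no explicit anchor, unlike the `{#private-connectivity-resources-expose-routes-windows}` heading visible earlier in the file, so the sentence added in the first hunk has nothing stable to link to. The section also leaves "broad" undefined: only the two default routes follow "such as", so it is unclear whether a large non-default prefix is acceptable. The title says "Restricted", but the text does not say whether the agent rejects these ranges or whether they are only discouraged. Suggest adding an anchor, stating what happens when such a range is configured, and repeating the positive guidance from the first hunk (expose only the IP range of the target service or database).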