Tenant Access Control List (ACL) is an Early Access Service and currently available only to customers on an Enterprise plan with the Attack Protection add-on. By using this feature, you agree to the applicable Free Trial Service terms described in Okta’s Master Subscription Agreement and to Okta’s Privacy Policy. To learn more about Auth0 releases, review Product Release Stages.
Tenant ACL Early Access Restrictions and Limitations

Restrictions
  • Customers on an Enterprise plan with the Attack Protection add-on can create up to 10 Tenant ACLs.
  • Each Tenant ACL can include up to 10 entries per source identifier (such as IPv4, CIDR, and more).
Limitations
  • The User Agent identifier is not supported when using self-managed custom domains.
  • The auth0-forwarded-for header is not supported.
Coming soon
  • Customers on any Enterprise plan can create up to one (1) Tenant ACL.
Tenant Access Control List (ACL) provides the power and flexibility needed to handle a large variety of scenarios.

Block a request

Here is an example of a Tenant ACL rule that blocks incoming traffic from a specific geolocation country code.
curl --request POST \
  --url 'https://{yourDomain}/api/v2/network-acls' \
  --header 'authorization: Bearer MANAGEMENT_API_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
  "description": "Example of a blocking request",
  "active": true,
  "priority": 2,
  "rule": {
    "action": { "block": true },
    "match": { "geo_country_codes": ["GEO_COUNTRY_CODE"] },
    "scope": "authentication"
  }
}'

[Image: example of a block page]

Allow a request

Here is an example of a Tenant ACL rule that allows traffic only from a specific geolocation country code.
curl --request POST \
  --url 'https://{yourDomain}/api/v2/network-acls' \
  --header 'authorization: Bearer MANAGEMENT_API_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
  "description": "Example of allowing a request",
  "active": true,
  "priority": 2,
  "rule": {
    "action": { "allow": true },
    "match": { "geo_country_codes": ["GEO_COUNTRY_CODE"] },
    "scope": "authentication"
  }
}'

Redirect a request

Here is an example of a Tenant ACL rule that redirects all traffic from a specific geolocation country code.
curl --request POST \
  --url 'https://{yourDomain}/api/v2/network-acls' \
  --header 'authorization: Bearer MANAGEMENT_API_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
  "description": "Example of redirecting a request",
  "active": true,
  "priority": 2,
  "rule": {
    "action": { "redirect": true, "redirect_uri": "REDIRECT_URI" },
    "match": { "geo_country_codes": ["GEO_COUNTRY_CODE"] },
    "scope": "authentication"
  }
}'

Complex comparisons

You can combine the match and not_match operators in a single Tenant ACL rule to enforce fine-grained access policies. Here is an example of a Tenant ACL rule that evaluates the geo_country_code and geo_subdivision_code signals to block all traffic from a given country except for a specific state, region, or province within that country.
curl --request POST \
  --url 'https://{yourDomain}/api/v2/network-acls' \
  --header 'authorization: Bearer MANAGEMENT_API_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
  "description": "Creating a new access control list",
  "active": false,
  "priority": 1,
  "rule": {
    "action": { "block": true },
    "match": { "geo_country_codes": [ "GEO_COUNTRY_CODE"] },
    "not_match": { "geo_subdivision_codes": [ "GEO_SUBDIVISION_CODE" ] },
    "scope": "authentication"
  }
}'
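To see how the match, not_match, priority, active and scope fields of the rules above interact, here is a small Python model of rule evaluation plus a pre-flight check for a rule body before it is POSTed. It is an added example, not Auth0's documentation or implementation: the evaluation order (lowest priority number first, first applicable active rule wins), the default allow for unmatched traffic, and the country and subdivision codes are all assumptions or constructed values.

```python
import json

# Constructed rule entries in the shape of the page's POST payloads, with the
# placeholders replaced by sample values. Evaluation order (lowest priority number
# first, first applicable active rule wins) and the default of allowing unmatched
# traffic are assumptions of this model, not documented Auth0 behaviour.
RULES = [
    {"description": "Block XX except subdivision XX-01", "active": True, "priority": 1,
     "rule": {"action": {"block": True}, "scope": "authentication",
              "match": {"geo_country_codes": ["XX"]},
              "not_match": {"geo_subdivision_codes": ["XX-01"]}}},
    {"description": "Redirect YY", "active": True, "priority": 2,
     "rule": {"action": {"redirect": True, "redirect_uri": "https://example.invalid/blocked"},
              "match": {"geo_country_codes": ["YY"]}, "scope": "authentication"}},
    {"description": "Inactive, never applied", "active": False, "priority": 0,
     "rule": {"action": {"block": True}, "match": {"geo_country_codes": ["ZZ"]},
              "scope": "authentication"}},
]
# Request attribute each match key is compared against.
SIGNALS = {"geo_country_codes": "geo_country_code",
           "geo_subdivision_codes": "geo_subdivision_code"}
MAX_ENTRIES = 10  # per-source-identifier entry limit stated on the page


def conditions_hold(conditions, request):
    """True when the request's value is listed for every signal in `conditions`."""
    return all(request.get(SIGNALS[key]) in values for key, values in conditions.items())


def evaluate(rules, request, scope="authentication"):
    """Return the action of the first applicable rule, else the assumed default allow."""
    for entry in sorted(rules, key=lambda r: r["priority"]):
        rule = entry["rule"]
        if not entry["active"] or rule["scope"] != scope:
            continue
        if not conditions_hold(rule.get("match", {}), request):
            continue
        if rule.get("not_match") and conditions_hold(rule["not_match"], request):
            continue  # the exception carved out by not_match applies
        return rule["action"]
    return {"allow": True}


def validate_payload(payload_json):
    """Pre-flight check for a rule body: valid JSON, exactly one action, entry limit."""
    rule = json.loads(payload_json)["rule"]  # raises on curly quotes or other bad JSON
    actions = [k for k in ("block", "allow", "redirect") if rule["action"].get(k)]
    if len(actions) != 1 or (actions == ["redirect"] and not rule["action"].get("redirect_uri")):
        return False
    return all(len(v) <= MAX_ENTRIES
               for block in ("match", "not_match") for v in rule.get(block, {}).values())
```

Run evaluate() against a few constructed requests to confirm that traffic from the excepted subdivision falls through the blocking rule while the rest of the country is blocked.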