# Managing IP access controls in Amazon WorkSpaces Secure Browser
**Important**
IP access controls only support IPv4. Users connecting from IPv6-only networks will be blocked.
WorkSpaces Secure Browser allows you to control which IP addresses your web portal can be accessed from. By using IP access settings, you can define and manage groups of trusted IP addresses, and only allow users to access their portal when they're connected to a trusted network.
By default, WorkSpaces Secure Browser allows users to access their web portal from anywhere. An IP access control group acts as a virtual firewall that filters which IP address a user can use to connect to the web portal. When associated with your web portal, IP access settings will detect the user IP before authentication to determine whether they are eligible to connect. Once connected, WorkSpaces Secure Browser continuously monitors a user's IP address to ensure they remain connected from a trusted network. If a user's IP changes, WorkSpaces Secure Browser will detect and terminate the session.
To specify the CIDR address ranges, add rules to your IP access control group, and then associate the group with your web portal. You can associate each IP access setting with one or more web portals. To specify the public IP addresses and ranges of IP addresses for your trusted networks, add rules to your IP access control groups. If your users access their web portal through a NAT gateway or VPN, you must create rules that allow traffic from the public IP addresses for the NAT gateway or VPN.
**Note**
Customers are responsible for understanding the potential legal issues that arise with their use of WorkSpaces Secure Browser, and must ensure that their use of WorkSpaces Secure Browser complies with all applicable laws and regulations. This includes laws that regulate an employer's ability to monitor an employee's use of WorkSpaces Secure Browser, including activities performed within the application.
**Topics**
+ [Creating an IP access control group in Amazon WorkSpaces Secure Browser](create-ip-access-controls.md)
+ [Associating an IP access setting with a web portal in Amazon WorkSpaces Secure Browser](associate-ip-access-controls.md)
+ [Editing an IP access control group in Amazon WorkSpaces Secure Browser](edit-ip-access-controls.md)
+ [Deleting an IP access control group in Amazon WorkSpaces Secure Browser](delete-ip-access-controls.md)
# Creating an IP access control group in Amazon WorkSpaces Secure Browser
**Important**
IP access controls only support IPv4. Users connecting from IPv6-only networks will be blocked.
To create an IP access control group, follow these steps.
1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).
1. In the navigation pane, choose **IP access controls**.
1. Choose **Create IP access control group**.
1. In the **Create IP access control group** dialog box, enter a name (required) and description (optional) for the group.
1. Enter the IP address or CIDR IP range that will be associated to **Source**, and a **Description** (optional).
1. Under **Tags**, choose whether to tag a key value pair for each IP access control group.
1. When you are done adding rules and tags, choose **Save**.
# Associating an IP access setting with a web portal in Amazon WorkSpaces Secure Browser
**Important**
IP access controls only support IPv4. Users connecting from IPv6-only networks will be blocked.
To associate an IP access control group with an existing web portal, follow these steps.
1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).
1. In the navigation pane, choose **Web portals**.
1. Select the web portal, and choose **Edit**.
1. Under **IP access control group,** and select the IP access control groups for the web portal.
1. Choose **Save**.
To associate an IP access control group when creating a new web portal, follow these steps.
1. Complete steps 1 through 4 in [Configuring portal settings for Amazon WorkSpaces Secure Browser](portal-settings.md) to access **IP Access Control (optional)**.
1. Choose **Create IP access controls**.
1. In the **Create IP Group** dialog box, enter a name (required) and description (optional) for the group.
1. Enter the IP address or CIDR IP range that will be associated to **Source**, and a **Description** (optional).
1. Under **Tags**, choose whether to tag a key value pair for each IP access control group.
1. When you are done adding rules and tags, choose **Create IP access control**.
1. Your IP access control group will be associated to this web portal when launched.
# Editing an IP access control group in Amazon WorkSpaces Secure Browser
You can delete a rule from an IP access setting at any time. If you remove a rule that was used to allow a connection to a web portal, any users with a current session will be disconnected from the web portal.
To edit an IP access control group, follow these steps.
1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).
1. In the navigation pane, choose **IP access controls**.
1. Select the group and choose **Edit**.
1. Edit the existing rules **Source** and **Description** (optional), or add additional rules.
1. Under **Tags**, choose whether to tag a key value pair for each IP access control group.
1. When you are done adding rules and tags, choose **Save**.
1. If you updated an existing IP access setting, wait up to 15 minutes for the new or edited rule to take effect.
# Deleting an IP access control group in Amazon WorkSpaces Secure Browser
You can delete a rule from an IP access control group at any time. If you remove a rule that was used to allow a connection to a web portal, any users with a current session will be disconnected from the web portal.
To delete an IP access control group, follow these steps.
1. Open the WorkSpaces Secure Browser console at [https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/](https://console.aws.amazon.com/workspaces-web/home?region=us-east-1#/).
1. In the navigation pane, choose **IP access control group**.
1. Select the group and choose **Delete**.