How to whitelist traffic from Netlify build to WAF?

We have frontend application built and deployed on Netlify platform.
During the build process, it is calling APIs on our Content Management System to assemble the content.
Please see the diagram below.

What are the possible approaches to restrict traffic on our Web Application Firewall coming from the Netlify build?

Our research shows that Netlify does not have a static IP address range.
We’ve seen in Netlify forum questions around this scenario, but answers are not very clear.
Could you point us to some document/guide?
I believe this is a very common enterprise requirement – the backend part of a CMS is never publicly exposed without some form of restrictions.


Hi @stts

This is currently not possible but we have an open feature request for it. I cannot promise when or if we’ll be implementing that on our Product.

You’d have to find a way to implement some sort of logic on your end.

I’m sorry we don’t have the news you’re looking for.

I’m available for any questions or concerns you may have!


Thank you for your response.

We have seen other support forum posts discussing the concept of a custom header which can be configured on Netlify.
The header is supposed to be sent with every request generated from the Netlify platform. Eventually the WAF could filter (whitelist) the traffic based on this request header.
Is our understanding correct?
Is this considered a possible workaround?


The headers and redirects you might have seen talk about site browsing, not site building. During the site builds, we don’t send any HTTP requests to your server, your build pipeline does. You might use any tool like Gatsby, Next.js etc. to fetch data from your CMS. You need to configure these requests to send a header - this is not something Netlify can do for you.
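
One way to do what the last reply describes, as an added example that is not part of the thread or Netlify's own code: a build-time helper that attaches a shared-secret header to CMS requests so a WAF rule can match on it. The header name `x-build-token` and the environment variables `CMS_ORIGIN` and `CMS_BUILD_TOKEN` are assumptions, to be set in the build environment and never committed to the repository.

```javascript
// Added example; header name and environment variable names are hypothetical.
const HEADER_NAME = 'x-build-token';

// Build the request for a CMS call made during the site build.
// `env` defaults to process.env; the token must never be hard-coded or
// exposed through a client-side (browser-visible) environment variable.
function buildCmsRequest(path, env = process.env) {
  const origin = env.CMS_ORIGIN;      // e.g. https://cms.example.com (constructed)
  const token = env.CMS_BUILD_TOKEN;  // shared secret the WAF rule matches on
  if (!origin || !token) {
    throw new Error('CMS_ORIGIN and CMS_BUILD_TOKEN must be set for the build');
  }
  const base = new URL(origin);
  if (base.protocol !== 'https:') {
    throw new Error('refusing to send the build token over a non-HTTPS connection');
  }
  // Resolve the path against the CMS origin and reject anything that escapes
  // it (absolute URLs, protocol-relative "//host" paths).
  const url = new URL(path, base);
  if (url.origin !== base.origin) {
    throw new Error(`refusing to send the build token to ${url.origin}`);
  }
  return {
    url: url.href,
    init: {
      headers: { [HEADER_NAME]: token, accept: 'application/json' },
      // Do not follow redirects: fetch would replay custom headers to the
      // redirect target, which may not be the CMS.
      redirect: 'error',
    },
  };
}

// Fetch JSON from the CMS during the build (Node 18+ global fetch).
async function fetchFromCms(path, env = process.env) {
  const { url, init } = buildCmsRequest(path, env);
  const res = await fetch(url, init);
  if (!res.ok) {
    // A 403 here may mean the WAF did not accept the token.
    throw new Error(`CMS request failed: ${res.status} for ${url}`);
  }
  return res.json();
}
```

The header value is a shared secret: anyone who learns it can pass the WAF rule, so it should be long, random, rotated, and kept out of build logs.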