Vercel Firewall
EntryGuard can manage IP allowlisting on Vercel projects using the Vercel Firewall (WAF) API. When users start sessions, their IP is added to a firewall rule on your Vercel project. When the session ends, the IP is removed.
Prerequisites
- A Vercel account with a project that has the Firewall enabled
- A Vercel API token with access to the project
- An existing firewall rule configured as an IP allowlist
Step 1: Create the Firewall Rule in Vercel
Before configuring EntryGuard, you need to create a firewall rule in your Vercel project:
- Go to your Vercel project Settings > Firewall
- Click Add Rule
- Configure the rule:
  - Condition: IP Address — is not one of — 127.0.0.1
  - Action: Deny (or Challenge)
  - Name: Give it a descriptive name (e.g., "EntryGuard IP Allowlist")
- Save and publish the rule
- Copy the Rule ID from the rule details (you'll need it when creating the resource)
EntryGuard uses 127.0.0.1 as a placeholder IP. When there are no active sessions, the rule contains only this placeholder so the rule stays valid. When a session starts, the placeholder is removed and the user's real IP is added.
Step 2: Generate a Vercel API Token
- Go to your Vercel Account Settings
- Click Create Token
- Give it a descriptive name (e.g., "EntryGuard")
- Set the scope to the team/project that contains your firewall rules
- Copy the token
Step 3: Add Vercel Credentials in EntryGuard
- Navigate to Credentials in the admin sidebar
- Click Add Credential
- Fill in:
  - Name: A descriptive name (e.g., "Vercel Production")
  - Provider: VERCEL
  - Type: API Token
  - API Token: Paste your Vercel API token
- Click Create
EntryGuard will automatically verify the credential by calling the Vercel /v2/user API.
Step 4: Add a Vercel Resource
- Navigate to Resources in the admin sidebar
- Click Add Resource
- Fill in:
  - Name: A descriptive name (e.g., "Production Frontend Firewall")
  - Credential: Select the Vercel credential you created
  - Provider: VERCEL
  - Resource Type: Firewall Rule
  - Vercel Project ID: Your Vercel project ID (e.g., prj_xxxxxxxxxxxx)
  - Rule ID: The firewall rule ID from Step 1
  - Team ID (optional): Your Vercel team ID (e.g., team_xxxxxxxxxxxx). Required if the project belongs to a team.
- Click Create
You can find your Vercel project ID in the project settings, or from the URL when viewing the project in the Vercel dashboard.
How It Works
When a user starts a session:
- EntryGuard reads the current firewall rule configuration from the Vercel API
- The user's IP is added to the IP condition list
- The 127.0.0.1 placeholder is removed (if present)
- The updated rule is written back via a PATCH request
When a session ends:
- The user's IP is removed from the IP condition list
- If no IPs remain, 127.0.0.1 is re-added as a placeholder
- The updated rule is written back
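The list update described above, together with the effect of the Step 1 rule ("IP is not one of the list: Deny"), as an added Python sketch. It is not EntryGuard's code and makes no Vercel API call. The function names are hypothetical, the rule is assumed to hold single addresses (no CIDR ranges), and the client IPs are constructed documentation addresses.

```python
import ipaddress

PLACEHOLDER = "127.0.0.1"  # placeholder IP named on this page


def _norm(ip):
    # Canonical text form, so "2001:DB8::0001" and "2001:db8::1" compare equal.
    return str(ipaddress.ip_address(ip.strip()))


def start_session(rule_ips, user_ip):
    """IP list after a session starts: add the user's IP, drop the placeholder."""
    user_ip = _norm(user_ip)
    if user_ip == PLACEHOLDER:
        # Assumption of this sketch: a session IP equal to the placeholder
        # would be indistinguishable from "no active sessions", so reject it.
        raise ValueError("session IP collides with the placeholder")
    ips = [ip for ip in map(_norm, rule_ips) if ip != PLACEHOLDER]
    if user_ip not in ips:  # idempotent: starting twice adds the IP once
        ips.append(user_ip)
    return ips


def end_session(rule_ips, user_ip):
    """IP list after a session ends: remove the IP, restore the placeholder if empty."""
    user_ip = _norm(user_ip)
    ips = [ip for ip in map(_norm, rule_ips) if ip != user_ip]
    return ips or [PLACEHOLDER]


def is_denied(rule_ips, client_ip):
    """Model of the Step 1 rule: deny when the client IP is not one of the list."""
    return _norm(client_ip) not in {_norm(ip) for ip in rule_ips}
```

With only the placeholder in the list, `is_denied` is true for every external client, which is the state the rule returns to once the last session ends.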
Supported Features
| Feature | Supported |
|---|---|
| Dynamic sessions (apply/revoke) | Yes |
| Static IP rules | Yes |
| Credential verification | Yes |
| Resource verification | Yes |
| Rule reconciliation | Yes |
| IPv6 | Yes |
Troubleshooting
"Firewall rule not found"
The rule ID in the resource config doesn't match any active rule in the Vercel project. Verify:
- The rule exists in the project's Firewall settings
- The rule has been published (draft rules are not visible via the API)
- The Rule ID is correct
Credential verification fails
- Ensure the API token is valid and not expired
- If the project belongs to a team, make sure the Team ID is set in the resource config
- Verify the token has sufficient permissions for the project