Multi tenant ip whitelist



Has anyone managed to successfully implement a multi tenant IP firewall using VCL? If so would you mind sharing some code.

Our problem is that we can’t compare our client.ip with any ips loaded from edge-dictionaries and having one giant acl isn’t ideal when you have multiple tenants. We are trying to do something like this:

acl amazon_web_services {
  #list of ips
if (req.url ~ "/^\/([A-z0-9-]*)/") {
    set req.http.tenant_name =;

set req.http.tenant_ip_whitelist = table.lookup(tenant_ip_whitelists, req.http.tenant_name);

if(!req.http.Fastly-FF && (client.ip !~ amazon_web_services || client.ip !~ req.http.tenant_ip_whitelist)) {
  error 405 "Not allowed.";