# Policy Based Access Control By Subnet


![Policy Based Access Control by Subnet](https://www.agilicus.com/www/470bf30e-image.png)

Allow by IP or subnet. Deny by IP or subnet.

Augment user, role, identity based authorisation.


## Example: Policy Based Access Control By Subnet

Typically you will use user-based and role-based access control in your applications with Agilicus AnyX. This identity-based control, which authorises each request on who the user is rather than on where the connection comes from, is the primary layer of protection.

In some circumstances you may wish to augment this with IP-based access controls. This might be [geoip](/anyx-guide/policies/) based (e.g. allow Canada, deny Asia). It may also be more specific, where you specify your own subnets as an allow-only list (only these sources may connect) or a deny-only list (these sources may never connect, everyone else is evaluated by the identity rules as usual).

This example restricts two applications so that they can only be used from our corporate office IP addresses, even by users who authenticate successfully.

To do this, we will use:

- [labels](/anyx-guide/labels/)
- [policies](/anyx-guide/policies/)

### Sample Setup

Assume we have two corporate offices. Office-1 has a subnet of 1.2.3.0/24, and Office-2 has a single IP of 1.2.4.20/32. These are the public, internet-facing addresses the offices present after NAT: the policy matches on the source address as seen by the AnyX service, so an internal RFC 1918 address (10.x, 192.168.x) would never match and must not be used here.

Assume we have two applications (Payroll and HR) that are considered internal-use only, even for authenticated users. These are hosted in our AWS EC2 cloud. To simplify the setup, and save money, we are using the Agilicus Connector to enable private access into this virtual private cloud. (see "[Agilicus Connector in Private VPC In AWS EC2](/anyx-guide/agilicus-connector-in-private-vpc-in-aws-ec2/)").

We wish to block all access (even for authenticated users) from any IP not in our two corporate offices.

### High Level Steps

In order to ensure access to the Payroll and HR web application only occurs from within the corporate networks, the high level steps are:

1. Create a label 'corporate-only'
2. Assign the label 'corporate-only' to the two applications (HR, Payroll)
3. Create a policy 'corporate-IP-only' 
    - Add the two subnets to the 'Only' list
4. Test
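The policy created above is evaluated in the AnyX UI, not in code, but it is worth having a model of exactly what "add the two subnets to the 'Only' list" means before relying on it. The following is an added illustration, not Agilicus code: it reproduces the matching semantics (CIDR containment, default deny for an "Only" list, default allow for a "Deny" list) using the two office subnets from the Sample Setup, so you can sanity-check a subnet list against the addresses you expect clients to arrive from. The function and variable names are this example's own; the sample source addresses are constructed.

```python
"""
Model of an allow-only / deny-only source-IP policy such as the
'corporate-IP-only' policy configured in the AnyX UI.  Added illustration,
not Agilicus code: it mirrors the matching semantics so a subnet list can be
sanity-checked offline before it is applied.
"""
import ipaddress

# Office subnets from the Sample Setup on this page.  In a real deployment
# these must be the public (NAT egress) addresses the offices present to the
# internet, because the policy is evaluated on the client's public source IP,
# never on an RFC 1918 LAN address.
OFFICE_SUBNETS = ("1.2.3.0/24", "1.2.4.20/32")


def parse_networks(cidrs):
    """Turn CIDR strings into network objects.

    strict=False tolerates host bits being set ("1.2.3.5/24" -> 1.2.3.0/24),
    which is how a subnet is usually typed into a UI.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def decide(source_ip, networks, mode="only"):
    """Return True if source_ip is allowed by the list.

    mode="only": allow iff the address is inside at least one listed network.
                 Everything else is denied, including any IPv6 source when the
                 list contains only IPv4 prefixes (the offices' IPv6 egress
                 must be listed separately if they have one).
    mode="deny": deny iff the address is inside at least one listed network;
                 all other sources fall through to the normal identity rules.
    """
    addr = ipaddress.ip_address(source_ip)
    # An address-family mismatch (IPv6 client vs IPv4 prefix) is simply "not
    # in"; ipaddress already returns False for it, the explicit check just
    # makes the behaviour visible.
    matched = any(addr.version == net.version and addr in net
                  for net in networks)
    if mode == "only":
        return matched
    if mode == "deny":
        return not matched
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(source_ips, cidrs=OFFICE_SUBNETS, mode="only"):
    """Map each source address to its allow/deny decision."""
    nets = parse_networks(cidrs)
    return {ip: decide(ip, nets, mode) for ip in source_ips}


if __name__ == "__main__":
    # Constructed sample of source addresses clients might present.
    samples = [
        "1.2.3.1",        # Office-1, inside the /24: allowed
        "1.2.3.255",      # Office-1, last address of the /24: still allowed
        "1.2.4.20",       # Office-2, exact /32 match: allowed
        "1.2.4.21",       # one past Office-2's single address: denied
        "198.51.100.7",   # a carrier-assigned mobile (5G) address: denied
        "2001:db8::1",    # IPv6 client, no IPv6 office prefix listed: denied
    ]
    for ip, ok in evaluate(samples).items():
        print(f"{ip:>16}  {'ALLOW' if ok else 'DENY'}")
```

Two things this makes concrete: a /32 entry matches exactly one address, so if Office-2 ever egresses from a neighbouring IP on its ISP block the office is locked out; and an "Only" list is default-deny, so an IPv6-capable office whose IPv6 prefix is not listed will be blocked as soon as a client prefers IPv6.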

### Details

#### Steps 1 & 2: Label Setup

![Label setup: create the 'corporate-only' label and assign it to the HR and Payroll applications](https://www.agilicus.com/www/6567ed50-image-1024x436.png)

#### Step 3: Create Policy

![Create policy, screen 1](https://www.agilicus.com/www/d1c8b09b-image-1024x659.png)

![Create policy, screen 2](https://www.agilicus.com/www/d85268e9-image-1024x659.png)

![Create policy, screen 3](https://www.agilicus.com/www/89381e8c-image-1024x659.png)

![Create policy, screen 4](https://www.agilicus.com/www/be93ab1a-image-1024x659.png)

![Create policy, screen 5](https://www.agilicus.com/www/94940e00-image-1024x659.png)

![Create policy, screen 6](https://www.agilicus.com/www/2b9a6b07-image-1024x659.png)

![Create policy, screen 7: the two office subnets in the 'Only' list](https://www.agilicus.com/www/5e64fc4e-image-1024x436.png)

#### Test

Let's test this out.

First, with a device in your corporate network, open a browser to the Payroll or HR application (e.g. navigate to `https://profile.__MYDOMAIN__` and click on the icons). Observe that it works. If it does not, check what public address the office is actually egressing from (a secondary ISP link or a split-tunnel VPN can change it) and compare it to the subnets in the 'Only' list.

Now take your mobile device and turn WiFi off so that it is using only the mobile (5G) network. Its carrier-assigned public address is in neither office subnet. Repeat the test and observe that you are blocked, even though you are signed in as the same user.

You should see a message in your connector logs indicating the block.