Default-deny network gate for non-portal API consumers. Each scope has its own CIDR allowlist. Portal users authenticated via Entra are not gated by this list — they can reach portal endpoints from any IP. Agents are gated by mTLS (cert), not IP. The lists below apply to: HCM webhooks, manager email links, monitoring tools, and per-tenant CSV ingest sources. Any IP not on the relevant scope's list is blocked when STRICT_AUTH_ENABLED=true.
Live state from the Front Door WAF policy. Matches on the real TCP source IP at the FD edge (NOT spoofable via X-Forwarded-For). Source of truth is Terraform; CIDR changes land via a PR opened from the “Request edit” button (coming in the follow-up UI PR).
App-layer scope allowlists checked inside the Function App via _AUTH_INGEST / _AUTH_CONTRACTOR_INGEST / etc. Reads X-Forwarded-For — superseded as primary gate by the WAF panel above; kept for defense-in-depth.