1 files changed, 57 insertions, 0 deletions

diff --git a/doc/administration/monitoring/ip_allowlist.md b/doc/administration/monitoring/ip_allowlist.md
new file mode 100644
index 00000000000..adf9516733a
--- /dev/null
+++ b/doc/administration/monitoring/ip_allowlist.md
@@ -0,0 +1,57 @@
+---
+stage: Data Stores
+group: Memory
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# IP whitelist **(FREE SELF)**
+
+NOTE:
+We intend to [rename IP whitelist as `IP allowlist`](https://gitlab.com/groups/gitlab-org/-/epics/3478).
+
+GitLab provides some [monitoring endpoints](../../user/admin_area/monitoring/health_check.md)
+that provide health check information when probed.
+
+To control access to those endpoints via IP whitelisting, you can add single
+hosts or use IP ranges:
+
+**For Omnibus installations**
+
+1. Open `/etc/gitlab/gitlab.rb` and add or uncomment the following:
+
+   ```ruby
+   gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '192.168.0.1']
+   ```
+
+1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) GitLab for the changes to take effect.
+
+---
+
+**For installations using cloud native Helm charts**
+
+You can set the required IPs under the `gitlab.webservice.monitoring.ipWhitelist` key. For example:
+
+```yaml
+gitlab:
+   webservice:
+      monitoring:
+         # Monitoring IP whitelist
+         ipWhitelist:
+         - 0.0.0.0/0 # Default
+```
+
+---
+
+**For installations from source**
+
+1. Edit `config/gitlab.yml`:
+
+   ```yaml
+   monitoring:
+     # by default only local IPs are allowed to access monitoring resources
+     ip_whitelist:
+       - 127.0.0.0/8
+       - 192.168.0.1
+   ```
+
+1. Save the file and [restart](../restart_gitlab.md#installations-from-source) GitLab for the changes to take effect.