My IP Rulesets
IP Rulesets are your own per-IP rules grouped by purpose. You create one ruleset for each policy ("ingress allowlist", "C2 blocklist", "engineering bastions", "prod customer IPs"), populate it with rules, and reference the ruleset from any EDL Deployment that needs it.
Manage rulesets at platform.ellio.tech/dashboard/edl-ip-rulesets.
Anatomy of a ruleset
| Field | Notes |
|---|---|
| Name | Used everywhere the ruleset is referenced. |
| ID | Stable UUID. Surfaced at the top of the detail page; copy with one click. Used in API calls. |
| Purpose | Allowlist or Blocklist. Set at creation; immutable. |
| Description | Free-text. |
| Status | Active or Inactive. Toggling off keeps the ruleset's content but stops it from being applied to any EDL Deployment that includes it. |
| Capacity | Up to 20,000 rules per ruleset. Surfaced as a progress bar at the top of the detail page. |
A workspace ships with two default rulesets:
- My Allowlist rules - default allowlist. Exclude this from EDL Deployments you create as blocklists; otherwise, allowed IPs will appear as blocked.
- My Blocklist rules - default blocklist. Include this in EDL Deployments you create as blocklists.
Both default rulesets carry a built-in description that reminds you what to do with them.
Anatomy of a rule
Each rule inside a ruleset has:
| Field | Notes |
|---|---|
| IP Address | IPv4, IPv6, or CIDR. Public/global IPs only - private and reserved ranges are rejected. |
| Name | Optional human-readable label. |
| Expiration | Optional. When set, the rule is automatically removed at the chosen time. |
| Created | Auto-set timestamp. |
The detail page shows a Rules Breakdown card with active vs. expired counts, and the table supports filter (Active Only / Expired) and search by IP or name.
Adding rules
Single rule - Add Rule
A small modal with three fields:
- IP Address (required)
- Rule Name (optional)
- Set Expiration toggle - when on, exposes a date/time picker
Bulk - Bulk Import / Bulk Add Rules
A multi-line editor that accepts one IP/CIDR per line:
```
// Comments starting with // are ignored
192.0.2.100
198.51.100.0/24
2001:db8::1
```
The dialog shows:
- A 0 IPs counter that updates as you type.
- A Sanitize button that strips invalid lines.
- A Rule Name field that gets applied to every imported rule.
- A Set Expiration toggle.
- An Update existing rules toggle - when on, existing rules with the same IP are updated; when off, duplicates are silently skipped.
Bulk import is the fastest way to seed a ruleset from a Git-controlled source file, a Splunk lookup, or a SOAR action.
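A pre-flight check for a Git-controlled source file before it is pasted into Bulk Import, as an added example (not ELLIO's code, and not the logic behind the Sanitize button). It assumes Python's `ipaddress` `is_global` approximates the "public/global only" rule and that CIDRs with host bits set count as invalid; `sanitize_bulk` and the reason strings are hypothetical names.

```python
import ipaddress

MAX_RULES = 20_000  # per-ruleset capacity stated on this page


def sanitize_bulk(text, existing_rules=0):
    """Return (accepted, rejected); rejected holds (line_no, raw, reason)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # blank lines and // comments carry no rule
        try:
            # strict=True also rejects CIDRs with host bits set (8.8.8.8/24)
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append((lineno, raw, "invalid IP or CIDR"))
            continue
        # Assumption: "public/global" is approximated by is_global on the
        # first and last address of the range.
        if not (net.network_address.is_global and net.broadcast_address.is_global):
            rejected.append((lineno, raw, "private or reserved"))
            continue
        single = net.prefixlen == net.max_prefixlen
        canon = str(net.network_address) if single else str(net)
        if canon in seen:
            rejected.append((lineno, raw, "duplicate"))
        elif existing_rules + len(accepted) >= MAX_RULES:
            rejected.append((lineno, raw, "over capacity"))
        else:
            seen.add(canon)
            accepted.append(canon)
    return accepted, rejected


# Constructed sample paste, not taken from a real ruleset.
SAMPLE = """\
// resolver allowlist
8.8.8.8
1.1.1.0/24
2606:4700:4700:0::1111
2606:4700:4700::1111
10.0.0.5
192.0.2.100
8.8.8.8/24
not-an-ip
"""

if __name__ == "__main__":
    print(*sanitize_bulk(SAMPLE)[0], sep="\n")
```

Python's `is_global` treats the RFC 5737 and RFC 3849 documentation ranges as non-global, so placeholder addresses such as 192.0.2.100 are rejected by this check. Review the rejected list in CI rather than discarding it, since a dropped line may be a typo in an address that was meant to be blocked or allowed.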
Attaching to EDL Deployments
A ruleset is just an IP set until it's referenced from a deployment. The ruleset detail page has an EDL Deployments section listing every deployment that includes the ruleset, plus an Add to Deployment button.
You can also attach a ruleset from the deployment side, in Step 2 - Sources.
Operational tips
- Use one ruleset per policy boundary, not per IP. Rulesets are designed to be referenced from many deployments.
- Set expirations on temporary rules. The 20,000 limit goes fast if you forget to clean up.
- Use the API to push rules from automation pipelines. Single-rule, batch, and time-based expiry endpoints are all available. See the Blocklist Automation API.
- Tag rule names with the source ("phishing-2025-Q2", "prod-customer-allow") so they're discoverable in the rule table later.
Editing a ruleset
The Edit IP Ruleset button at the bottom of the detail page lets you change the name, description, and active state. The purpose (allowlist vs. blocklist) is fixed at creation - to change it, create a new ruleset.
Programmatic management
Rulesets themselves are created in the platform UI; the API manages the rules
inside them and exposes IP-membership checks. The endpoints under
/v1/edl/ip-rulesets/:
- GET /v1/edl/ip-rulesets/ - list rulesets
- GET /v1/edl/ip-rulesets/{ruleset_id} - get ruleset details
- GET /v1/edl/ip-rulesets/{ruleset_id}/rules - list rules
- POST /v1/edl/ip-rulesets/{ruleset_id}/rules - add a rule
- GET /v1/edl/ip-rulesets/{ruleset_id}/rules/rule - get a specific rule
- PUT /v1/edl/ip-rulesets/{ruleset_id}/rules/rule - update a rule
- DELETE /v1/edl/ip-rulesets/{ruleset_id}/rules/rule - delete a rule
- POST /v1/edl/ip-rulesets/{ruleset_id}/rules:batch - batch operations on multiple IPs
- POST /v1/edl/ip-rulesets/{ruleset_id}/rules:expire - expire rules by time threshold
- POST /v1/edl/ip-rulesets/{ruleset_id}/rules:check - IP-membership check inside a ruleset
- POST /v1/edl/ip-rulesets/rules:check - IP-membership check across all rulesets
See the Blocklist Automation API reference.