Skip to content

Cloud Native Access Point Whitelist

The Cloud Native Access Point (CNAP), a service managed by Platform One (P1), provides secure access to Game Warden-hosted environments at Impact Levels 4 and 5 (IL4 and IL5).

The CNAP Whitelist is a security mechanism that restricts access based on an approved list of IP addresses within the Department of Defense (DoD) Non-classified Internet Protocol Router Network (NIPRNet) boundary. Although most NIPRNet-assigned IPs are already included, specific users, data connections, or devices may require whitelisting to resolve access or connectivity issues with Game Warden-hosted IL4/IL5 environments.

When you need CNAP whitelisting

You must request CNAP whitelisting if:

  • Your application requires external data connections (ingress, egress, or bidirectional).
  • The connection originates outside of the Game Warden Authorization Boundary but inside the NIPRNet boundary (accredited at IL4 or IL5).

When CNAP whitelisting is not required

You do not need CNAP whitelisting if:

  • Your application is deployed to IL2 Staging (STG) or Production (PRD) — these environments connect via the internet, but must still be reflected in your Authorization Boundary Diagram.
  • Your application is deployed to IL6 STG/PRD — these classified environments are segregated from IL4/IL5 for security.
  • Your application does not require external data connections — no data leaves or enters the Game Warden Authorization Boundary.

Warning

  • CNAP will not approve IPs from commercial ISPs (e.g., Verizon, AT&T, Comcast) or home users, even on Government Furnished Equipment (GFE).
  • You can verify if an IP is DoD-registered at ARIN Whois.

How to verify if you need whitelisting

Test your connection by attempting to load: https://code.il4.dso.mil

  • If the page loads: Your IP is already whitelisted.
  • If the page times out: You must submit a whitelist request to P1.

Why you may not have CNAP access

The USAF’s Zero Trust Architecture requires explicit approval for CNAP access. The default is to deny access to unfamiliar IP ranges.

Agencies may request access proactively or after encountering issues. Agencies with frequently changing IP ranges are responsible for keeping their listings current.

Note

Game Warden does not manage or have visibility into CNAP’s allowlisted IPs.

Submit a CNAP whitelist request

Information required

Before submitting a CNAP whitelist request, you must gather detailed information about your external data connections. If you are unable to obtain this information, contact your government contract sponsor or Mission Owner for assistance.

The following information is required for each external connection:

Information Example
IP Addresses with Port/Protocol IP: 192.168.1.1 Port: 443 TCP
IP Address Range (if applicable) 192.168.1.1-192.168.1.254 Port: 443 TCP

How to submit your request

Requests must be submitted by a government user. Contractors must route requests through their government sponsor.

All requests must be submitted directly to P1 using the P1 General Help Form. If you need help submitting the form, contact the P1 Help Center.

Tip

You may need to submit a separate whitelist request for each government installation or environment.

What to include in your whitelist request

When submitting a CNAP whitelist request, you must provide the following:

  • Justification explaining why Appgate SDP cannot be used.
  • Confirmation that the IP addresses are registered to the DoD.
  • The smallest possible scope of IP addresses necessary for your use case.
  • Only the egress IP addresses — the IPs visible to external systems. If your traffic is routed through NAT or proxies, only the publicly exposed IPs are required.
  • IPs listed in CIDR notation. For example, 192.168.1.0/24.
  • The physical location or military installation associated with the IP addresses.
  • A valid point of contact (POC) for the request.
  • The CNAP-hosted site(s) your request pertains to.