diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index 7fa9c9e5..f22e255a 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
@@ -19,7 +19,13 @@ resource "azurerm_linux_web_app" "main" {
   https_only = true
   site_config {
-    ftps_state = "Disabled"
+    ftps_state = "Disabled"
+    dynamic "ip_restriction" {
+      for_each = var.IP_ADDRESS_WHITELIST
+      content {
+        ip_address = ip_restriction.value
+      }
+    }
     vnet_route_all_enabled = true
     application_stack {
       docker_image = "ghcr.io/cal-itp/eligibility-server"
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 1c35be88..5a4e3109 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -3,3 +3,7 @@ variable "VELOCITY_ETL_SERVICE_PRINCIPAL_ID" {
   description = "Object ID from the registered application for the Velocity server ETL uploading: https://cloudsight.zendesk.com/hc/en-us/articles/360016785598-Azure-finding-your-service-principal-object-ID"
 }
+variable "IP_ADDRESS_WHITELIST" {
+  description = "List of IP addresses allowed to connect to the app service."
+  type = list(string)
+}
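Review bot: The new `dynamic "ip_restriction"` block only restricts the main site; the SCM/Kudu endpoint of the web app has its own access-restriction list and stays reachable from any address unless `scm_use_main_ip_restriction = true` is set alongside it in `site_config` (or separate `scm_ip_restriction` blocks are declared). Each `ip_address` is expected in CIDR notation, so a bare address in `var.IP_ADDRESS_WHITELIST` will be rejected at apply time rather than silently ignored; the variable's description should say so. Note also that an empty list produces no `ip_restriction` blocks at all, which leaves the app fully public rather than denying everything; if that is not the intended fallback, a comment such as `# Empty list = no access restriction (publicly reachable)` next to the block makes that explicit. The enclosing `resource` and `site_config` blocks begin and end outside this hunk.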
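Review bot: `IP_ADDRESS_WHITELIST` is typed as `list(string)` with no format check, so a malformed entry (a bare IP without a prefix length, a hostname, a typo) is only caught when the provider validates the `ip_restriction` block at apply time, after other changes in the plan may already be in flight. A `validation` block on the variable (Terraform 0.13 or later) fails at plan time with a clear message, and the description should state that entries are CIDR prefixes. Suggested rewrite of the whole variable below.

```hcl
variable "IP_ADDRESS_WHITELIST" {
  description = "Source IP ranges, in CIDR notation (e.g. 203.0.113.10/32), allowed to reach the app service. An empty list adds no restriction."
  type        = list(string)

  validation {
    condition     = alltrue([for cidr in var.IP_ADDRESS_WHITELIST : can(cidrhost(cidr, 0))])
    error_message = "Every entry in IP_ADDRESS_WHITELIST must be a CIDR prefix such as 203.0.113.10/32."
  }
}
```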