<@ULVA73B9P> why am i getting `IP address <IPAD...
# ask-marvin
r
@Marvin why am I getting `IP address <IPADDRESS> is not allowed for account <ACCOUNT>.` when I am curling the REST API at https://api.prefect.cloud/api/accounts/{account_id}/workspaces/{workspace_id}/flow_runs/
m
thought for 71.8 seconds
That error means your Prefect Cloud account has an IP allowlist enabled and the request is coming from an IP that isn’t on it. Cloud is simply doing what it was told: “no entry without your name on the list.”

How to fix it:

- Find the public egress IP of the machine making the request:

```bash
curl https://api.ipify.org
```

  If you might be hitting via IPv6, either add the IPv6 to the allowlist or force IPv4:

```bash
curl -4 https://api.ipify.org
```

- Have an account admin add that IP (or a CIDR range) to the account’s IP allowlist in Prefect Cloud: Account settings → Security → IP access rules. Docs: Secure access by IP address
- If you’re behind a VPN, corporate proxy, NAT gateway, or running in CI/CD:
  - Add the proxy/NAT/VPN egress IP(s), not your local machine’s IP.
  - For GitHub Actions or other hosted runners, either use a self‑hosted runner behind a static egress IP or capture the job’s current egress IP at runtime and allow it (just note these can change).
- CIDR is supported (e.g., `203.0.113.0/24`). Add both IPv4 and IPv6 if your environment may use either.

Common gotchas:

- Your network silently prefers IPv6; your allowlist only has IPv4. Use `curl -4` or add the IPv6 address.
- You’re on a different network than when the allowlist entry was added (home vs. office vs. VPN).
- Requests are actually egressing through a corporate proxy with its own IP.

If you tell me where you’re calling from (local machine, server, CI provider) and the egress IP you see from `curl https://api.ipify.org`, I can suggest the exact entry to add. Otherwise, we can sit here and admire the efficiency of a locked door without a key.
r
@Marvin meaning this is only a feature on enterprise level accounts?
m
thought for 16.9 seconds
Short answer: yes. IP allowlisting is an Enterprise feature in Prefect Cloud. If you need it enabled, the official docs say to contact your account manager or Prefect sales: Secure access by IP address. Otherwise, you’ll need to remove the allowlist or move the request behind an allowed egress IP controlled by your org.
r
@Marvin is there any possible way to trigger flow runs from within our enterprise app
m
thought for 131.8 seconds
r
@Marvin is there any possible way to trigger flow runs from within our enterprise app
m
thought for 154.1 seconds
Yes—several, depending on how you like your triggers. The key constraint for your Enterprise account is the IP allowlist: whatever calls Prefect Cloud must egress from an allowed IP.

Primary ways to trigger a flow run from your app:

1) Direct REST call (recommended)
- Create the run from a deployment:

```bash
curl -X POST \
    "https://api.prefect.cloud/api/accounts/<ACCOUNT_ID>/workspaces/<WORKSPACE_ID>/deployments/<DEPLOYMENT_ID>/create_flow_run" \
    -H "Authorization: Bearer <PREFECT_API_KEY>" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "run-from-app",
      "parameters": {"foo": "bar"},
      "tags": ["triggered-by-app"],
      "idempotency_key": "optional-stable-key",
      "scheduled_start_time": null
    }'
```

- Docs: Create flow run from deployment

2) Prefect SDK helper (if your app can use Python)

```python
from prefect.deployments import run_deployment

# Start a run of the named deployment and print the new flow run's ID
fr = run_deployment(
    name="my-flow/my-deployment",
    parameters={"foo": "bar"},
    tags=["triggered-by-app"]
)
print(fr.id)
```

3) Event/Webhook automations (event-driven)
- Expose a Prefect Cloud webhook or emit a Prefect event; an Automation can start your deployment in response. Still requires the request to come from an allowed IP.
- Overview/example: Event-driven orchestration with Prefect

Notes for Enterprise IP allowlists:
- Your app must egress from an IP (or CIDR) on the allowlist. If your egress is dynamic, put it behind a static NAT/proxy and allowlist that IP.
- If your network prefers IPv6, add both v4 and v6 to the list.
- Use a service account API key stored in your app’s secret manager; don’t use personal keys.

If you tell me where your app runs (VPC, on-prem, CI) and whether you have a static egress IP, I’ll suggest the simplest pattern and the exact allowlist entry.
Yes—there are a few supported ways to trigger runs from your app. They all call Prefect Cloud, so if your account has an IP allowlist enabled, the request must come from an allowed egress IP (or go through a proxy/NAT that is on the allowlist).

Options:

- Direct REST API (recommended for server-to-server)
  - POST a run for a specific deployment:

```bash
curl -X POST \
    "https://api.prefect.cloud/api/accounts/{account_id}/workspaces/{workspace_id}/deployments/{deployment_id}/create_flow_run" \
    -H "Authorization: Bearer <PREFECT_API_KEY>" \
    -H "Content-Type: application/json" \
    -d '{
      "parameters": {"example": 1},
      "tags": ["triggered-by-app"],
      "name": "run-from-app"
    }'
```

  - Docs: Create flow run from deployment
- Automations + Webhooks (event-driven)
  - Create an Automation with the action “Run deployment” and a “Webhook received”/event trigger. Your app POSTs to the webhook URL; the automation triggers the deployment.
  - Docs: Creating deployment triggers
  - Note: With IP allowlisting enabled, your webhook calls also need to originate from an allowed egress IP (it’s still the same Cloud API at the end of the day).
- Use an allowlisted relay
  - If your app doesn’t have a stable egress IP, place a tiny service (e.g., in your VPC behind a static NAT gateway) that is allowlisted. Your app calls the relay; the relay calls Prefect Cloud.

Tips:

- Use a Service Account API key for your app.
- If your network may use IPv6, allowlist both v4 and v6 as needed.
- Confirm the egress IP from where your app runs; add that or its CIDR to the allowlist.

If you tell me where your app runs (cloud/provider, behind NAT/VPN, etc.) and whether you have a static egress IP, I can suggest the cleanest setup and provide a ready-to-drop snippet.