> ## Documentation Index
> Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Secure Your Public Minecraft Server

> Unwanted players can quickly destroy your hard work, but you can restrict access by letting in a specific set of IP addresses.

Unwanted players joining your Minecraft server can quickly destroy your hard work before you have a chance to kick them out.
The good news is since you're using ngrok, you can restrict access to your Minecraft server by only letting in a specific set of IP addresses.

<Tip>
  This example is focused on securing your Minecraft server using Traffic Policy.
  For more general instructions on using ngrok with Minecraft, including limitations of our [free plan](/pricing-limits/free-plan-limits/) and troubleshooting common issues, see our [using ngrok with Minecraft](/using-ngrok-with/minecraft/) guide.
</Tip>

## 1. Create a Traffic Policy file

On the system where your Minecraft server runs, create a file named `minecraft.yaml` and paste in the policy below, replacing `$YOUR_IP` and `$FRIEND_IP` with public IPs.
If you or your friends don't know theirs, ngrok has a simple [helper page](https://ipv4.ngrok.com/) that returns your public IP address.

```yaml theme={null}
on_tcp_connect:
  - actions:
      - type: restrict-ips
        config:
          enforce: true
          allow:
            - $YOUR_IP/32
            - $ANOTHER_FRIEND_IP/32
```

**What's happening here?** This policy checks whether every TCP connection originates from an IP address matching one on the `allow` list. If they match, the policy allows them connect to your ngrok agent and your Minecraft server, but if they don't, ngrok denies the request.

## 2. Start your Minecraft endpoint

On the same system where Minecraft runs, start your ngrok agent on port `25565`, which is the default for Minecraft, and include the `minecraft.yaml` file you just created.

```bash theme={null}
ngrok tcp 25565 --traffic-policy-file minecraft.yaml
```

Once the agent starts, take note of the random public TCP address assigned to your Minecraft server, like `tcp://8.tcp.us-cal-1.ngrok.io:10891`.

## 4. Try out your Minecraft endpoint

You and others can now connect to your Minecraft server at the public TCP address.
As long as your IPs match those in the `allow` list, you'll be able to connect.

## Optional: Get a permanent TCP address

With a production [pay-as-you-go account](/pricing-limits/), you can reserve a permanent TCP address for your Minecraft server, which means you and others won't need to change the URL after restartng the server or its host machine.

Navigate to the [**Domains** section](https://dashboard.ngrok.com/domains) of the ngrok dashboard and click **New +** to reserve the TCP address.
Next, restart your agent, replacing `tcp://1.tcp.ngrok.io:12345` with the TCP address you reserved.

```bash theme={null}
ngrok tcp 25565 --url tcp://1.tcp.ngrok.io:12345 --traffic-policy-file minecraft.yaml
```

## What's next?

* Read the [Minecraft guide](/using-ngrok-with/minecraft/) for details on free plan limitations and troubleshooting.
* View your Minecraft traffic in [Traffic Inspector](https://dashboard.ngrok.com/traffic-inspector) to verify that your IP restrictions are working.
* Track your monthly bandwidth and Traffic Policy executions on your [usage page](https://dashboard.ngrok.com/usage) to stay aware of any limitations you might reach, particularly on ngrok's [free plan](/pricing-limits/free-plan-limits/).
* Read more about [Traffic Policy](/traffic-policy), [core concepts](/traffic-policy/how-it-works), and [actions](/traffic-policy/actions) you might want to implement next.
