I came across this article that discusses this very thing, but I was surprised to see it was a web.config solution using URL rewrite rules.https://world.episerver.com/digital-experience-cloud-service/dxc-security/restricting-environment-access/
I was hoping for a more robust solution that allows me to use azure or cloudflare to restrict access that can be managed administratively, rather than by a developer in a web.config. Also even if the web.config way is the only option, how can you restrict based on multiple IP ranges? I am guessing I would just need a regex pattern that covers all ranges. Also, it also requires me to put host names in there, which can be added and changed by end users in the CMS as needed. Seems silly to have to publish a web.config change just to add a new host name. I am hoping there is a better way...
For this case, you should definitely consider using Cloudflare's IP Firewall feature. It is really cool and even supports more than just allowing/blocking IP ranges (see their options for yourself).
Because you are on DXC, you will have to ask Episerver Support to set up the rules you need on your behalf.