In the cloud manager, you set "IP allow lists" to stop random public viewing your non-production / in-development instances. You set these lists to your office IPs and/or VPN IP.
However, this shotgun approach blocks essential tools, e.g. blazemeter, pagespeed insights, webpagetest, lighthouse etc.
In EPiServer DXP cloud env, you can whitelist headers (or useragent strings), so we used a header with a secret key to allow these tools to hit our non-prod envs.
How do we do this in AEM?
The AEM allow list is limited to 25 ips, and most of these services have hundreds of ips which change constantly.
This allowes an IP or IP CIDR block(s) separated by a comma. So you should be able to add a wide range of IP if you see the IPs are dynamic and changing very frequently.
Something like below:
22.214.171.124/16 which will allow more numbr of IPs.