diff --git a/internal/controller/route/handler.go b/internal/controller/route/handler.go
index f1eff84..34e2f52 100644
--- a/internal/controller/route/handler.go
+++ b/internal/controller/route/handler.go
@@ -353,6 +353,7 @@ func (r *Reconciler) assembleHttpproxy(ctx context.Context, owner *routev1.Route
 // use `tcpproxy` for passthrough mode and `routes` for other termination modes
 if owner.Spec.TLS != nil && owner.Spec.TLS.Termination == routev1.TLSTerminationPassthrough {
 httpproxy.Spec.TCPProxy = &contourv1.TCPProxy{}
+var ipWhiteList []contourv1.IPFilterPolicy
 for _, sameRoute := range sameHostRoutes {
 ports, err := r.getTargetPorts(ctx, &sameRoute)
 // Continue if unable to fetch TargetPorts of the route.
@@ -362,6 +363,11 @@ func (r *Reconciler) assembleHttpproxy(ctx context.Context, owner *routev1.Route
 continue
 }
 
+routeIpWhitelist := utils.GetIPWhitelist(&sameRoute)
+if len(routeIpWhitelist) > 0 {
+ipWhiteList = append(ipWhiteList, routeIpWhitelist...)
+}
+
 for _, port := range ports {
 svc := contourv1.Service{
 Name: sameRoute.Spec.To.Name,
@@ -371,6 +377,9 @@ func (r *Reconciler) assembleHttpproxy(ctx context.Context, owner *routev1.Route
 httpproxy.Spec.TCPProxy.Services = append(httpproxy.Spec.TCPProxy.Services, svc)
 }
 }
+if len(ipWhiteList) > 0 {
+httpproxy.Spec.VirtualHost.IPAllowFilterPolicy = ipWhiteList
+}
 if len(httpproxy.Spec.TCPProxy.Services) == 0 {
 return nil, fmt.Errorf("no valid routes found")
 }
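Review bot: The merged `ipWhiteList` that the third hunk assigns to `IPAllowFilterPolicy` is the union of every same-host route's allow list on one shared VirtualHost, so a route that declares no allow list of its own becomes restricted by its siblings, and a route with a narrow list is widened by another route's entries; TCP passthrough cannot separate routes by path, so this is inherent, but it should be stated at the `var ipWhiteList` declaration in the first hunk, e.g. `// Passthrough routes share one VirtualHost, so the IP allow lists of all same-host routes are unioned; a sibling with no allow list is still restricted by that union, and a narrow list is widened by its siblings' entries.` Routes skipped by the `continue` after getTargetPorts contribute no allow-list entries either, which deserves a word in the same comment. In the second hunk the `if len(routeIpWhitelist) > 0` guard around the append is redundant, since appending an empty variadic slice is a no-op, and Go initialism style would name the local `routeIPWhitelist`; entries repeated across routes are also kept as duplicates, which a sort plus `slices.Compact` (or a seen-set) would remove if `contourv1.IPFilterPolicy` is comparable, which I cannot confirm from here. assembleHttpproxy starts and ends outside these hunks.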