A security policy that explicitly permits a known set of inputs (IPs, domains, users) and denies everything else by default.
An allowlist (the modern name for whitelist) is a security policy where only items explicitly on the list are permitted; everything else is denied. Allowlists are the default-deny counterpart of blocklists (default-allow). Common uses: WAF rules that allow traffic only from known partner IPs, API gateways that allow only enumerated user agents, and k8s NetworkPolicies that allow only enumerated pod-to-pod paths.
Default-deny is the safer architecture: a misconfiguration fails closed (something legitimate is blocked, which surfaces as a bug to fix) instead of failing open (something malicious is permitted, which surfaces as a breach). Most enterprise security audits ask whether your service-to-service calls are allowlisted. The answer 'we trust the VPC' is no longer acceptable in a zero-trust world.
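The fail-closed versus fail-open difference, as an added example that is not part of the original page: the same one-character typo in a CIDR entry is applied to an allowlist and to a blocklist. The addresses are constructed samples from the RFC 5737 documentation ranges, and the loader that drops malformed entries is an assumption about how the policy engine treats bad config.

```python
import ipaddress

def load_networks(entries):
    """Parse CIDR strings. Assumption: malformed entries are dropped and reported."""
    nets, rejected = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return nets, rejected

def matches(src, nets):
    return any(ipaddress.ip_address(src) in net for net in nets)

def allowlist_permits(src, entries):
    """Default-deny: permitted only when src matches a valid entry."""
    nets, _ = load_networks(entries)
    return matches(src, nets)

def blocklist_permits(src, entries):
    """Default-allow: permitted unless src matches a valid entry."""
    nets, _ = load_networks(entries)
    return not matches(src, nets)

# Constructed sample data (RFC 5737 documentation ranges).
PARTNER = "198.51.100.7"   # legitimate caller
UNKNOWN = "203.0.113.50"   # caller nobody enumerated
GOOD_ALLOW = ["192.0.2.0/24", "198.51.100.0/24"]
TYPO_ALLOW = ["192.0.2.0/24", "198.51.100.0/244"]  # /244 is not a valid prefix
GOOD_BLOCK = ["203.0.113.0/24"]
TYPO_BLOCK = ["203.0.113.0/244"]                   # same typo in a blocklist

def outcomes():
    return {
        "allow_ok_partner": allowlist_permits(PARTNER, GOOD_ALLOW),
        "allow_typo_partner": allowlist_permits(PARTNER, TYPO_ALLOW),  # fails closed
        "allow_typo_unknown": allowlist_permits(UNKNOWN, TYPO_ALLOW),
        "block_ok_unknown": blocklist_permits(UNKNOWN, GOOD_BLOCK),
        "block_typo_unknown": blocklist_permits(UNKNOWN, TYPO_BLOCK),  # fails open
    }

if __name__ == "__main__":
    for name, permitted in outcomes().items():
        print(name, "permit" if permitted else "deny")
```

With the typo, the allowlist denies the legitimate partner (a visible outage someone will report), while the blocklist silently permits the address it was meant to stop.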