To solve this question, the user needs to understand the concept of access control and the potential risks associated with hard coding IP addresses.

Option A: Can be done as it is an internal IP

• This option is partially correct. Internal IP addresses are typically static and can be hard coded for access control purposes within a private network. However, it is important to note that internal IPs can still be compromised by malicious actors who gain access to the network.

Option B: Can be done for internet-facing servers as there are no chances of IP conflicts

• This option is incorrect. Internet-facing servers are exposed to a larger attack surface and are at risk of IP spoofing or IP address conflicts. Hard coding IP addresses for access control purposes can lead to security vulnerabilities and is generally not recommended.

Option C: Is a good security practice

• This option is incorrect. While access control is an important security practice, hard coding IP addresses is not considered a good practice due to the potential risks involved, such as IP spoofing and IP conflicts.

Option D: Is a bad security practice

• This option is correct. Hard coding IP addresses for access control purposes is generally not recommended as it can lead to security vulnerabilities. It is important to use more secure methods of access control, such as multi-factor authentication and role-based access control.

Therefore, the correct answer is: The Answer is D.