Connection Filter Policy
This policy specifies which IPs are allowed to send email and skip spam filtering or outright block the IP address from sending to your environment. There are no custom connection filter policies unlike the inbound anti-spam and outbound anti-spam policies.
Considerations before deployment
Generally you should limit IP's in the allow list since they skip filtering processes. If you are looking into this because you have a third party email solution sitting in front of exchange you should likely be looking into enhanced filtering instead.
Policy Configuration
You can specify up to 1,273 items in these lists.
Note
When using IP ranges Microsoft only allows /24 and /32 ranges. They recommend setting the other ranges in mail flow only if absolutely necessary. If the IP range is used by multiple domains and not dedicated for your organization, see Microsoft's solution for addressing that situation here.
Always allow messages from the following IP addresses or address ranges
Messages from these IP addresses skip all filtering except malware and high confidence phishing
KQL to find Inactive IPs
It is not uncommon to find old services, unknown IPs, or a range put in here while attempting to address another issue. It is a good idea to check old emails or ICANN Lookup to help possibly fine why an IP Address is in this policy. If no information can be found, alternatively you can use Advanced Hunting to find emails sent in the last 30 days from that IP Range.
Always block messages from the following IP addresses or address ranges
Messages from these IPs are outright rejected, and you cannot perform a message trace on messages blocked here.
Turn on safe list
Microsoft maintains a list of trusted senders that will skip spam filtering, again malware and high confidence phishing are still reviewed. To my knowledge this list is not public and is recommended to avoid false positive spam filtering.