For tenants that access their console over the Internet (not enterprise customers), they may want to lock down access to their tenant from certain CIDR ranges (like a corporate network). This features gives them the ability to do just that. In a multi-tenant environment, this means that requests made to the API must come from a range defined in the ACL. If possible, users should not even be able to authenticate from outside of the ACL ranges.
This is separate from enterprise extranets, which is the next level of security beyond a management ACL.
See Tenant IAM for more information.