2FA: require from external only

Objective: We want to force users using 2FA when accessing GitLab CE from the outside

Deeper description: We have multiple internal networks ( for each of our offices and the servers ). Our GitLab CE can be reached from the internal networks as well as from the internet. We want an additional layer of security and decided to force users into 2FA. Anyhow we would assume that when the request comes from an internal IP, that the device/user has been successfully authenticated elsewhere. As a matter convenience we would like to disable the need to enter a 2FA code when accessing GitLAB from those internal networks.

Is it possible to enforce 2FA based on network or other rules?