IP Whitelisting

Hello there,

I want to block access to a new API, to a few IPs of our organisation. I know I can use the "Access Control policy" for the same. Is there a different way to do it? I mean without having to refer to the IP addresses in the API code. Thanks.

1 ACCEPTED SOLUTION

Hi @Sri, welcome to Apigee Community. There are a few different ways; here are a couple of ideas that might help.

The first one is to store the IP addresses either in KVM or in BaaS. You would need to add a policy to get the blocked IP address data from KVM or BaaS in your API Proxy flow and then pass that into the Access Control policy to enforce, and of course you would also need to develop a way to manage the blocked IP addresses in the data store. If you think there would be a large volume of IP addresses, then BaaS would be a better option for the data store.

A second alternative is to develop a simple microservice and access it via a service callout in your API Proxy flow. You would independently maintain the microservice and make it accessible via an API call where you pass it an IP address and it responds with allowed or blocked. In your API Proxy flow you would extract the incoming IP address and then do the service callout, and if it returns blocked, then return an appropriate error to the client at that point. This would replace the Access Control policy.

You could implement that microservice as a node app in Edge, and you could also use BaaS for the data store with the IP addresses to block.
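
Added example, not part of the original answer or of Apigee's own code: a minimal Node.js version of the allowed/blocked decision service from the second alternative, with CIDR matching and strict input parsing. The `/check?ip=` route, the `IPCHECK_PORT` variable, the function names and the sample blocklist are all assumptions made for illustration, and only IPv4 is handled.

```javascript
// Added example; every name here is hypothetical. IPv4 only: IPv6 input is 'invalid'.
// Constructed sample blocklist (documentation ranges), standing in for the data store.
const BLOCKED = ['203.0.113.7', '198.51.100.0/24'];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
// Signs, blanks and leading zeros are rejected so "010" is never guessed at.
function parseIPv4(text) {
  const parts = String(text).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Compile "a.b.c.d" or "a.b.c.d/len" rules; throw on a bad rule rather than skip it.
function compile(rules) {
  return rules.map((rule) => {
    const [addr, len = '32', extra] = rule.split('/');
    const ip = parseIPv4(addr);
    if (ip === null || extra !== undefined || !/^\d{1,2}$/.test(len) || Number(len) > 32) {
      throw new Error('malformed rule: ' + rule);
    }
    const bits = Number(len);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return { base: (ip & mask) >>> 0, mask };
  });
}
const RULES = compile(BLOCKED);

// 'blocked' | 'allowed' | 'invalid'. The proxy should reject on anything but 'allowed'.
function decide(ip, rules = RULES) {
  const n = parseIPv4(ip);
  if (n === null) return 'invalid';
  return rules.some((r) => ((n & r.mask) >>> 0) === r.base) ? 'blocked' : 'allowed';
}

// GET /check?ip=198.51.100.9 -> 200 {"ip":"198.51.100.9","decision":"blocked"}
function handler(req, res) {
  const ip = new URL(req.url, 'http://localhost').searchParams.get('ip') || '';
  const decision = decide(ip);
  res.writeHead(decision === 'invalid' ? 400 : 200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ip, decision }));
}

// Listen only when a port is configured, e.g. IPCHECK_PORT=8080 node ipcheck.js
if (process.env.IPCHECK_PORT) import('node:http').then(({ createServer }) =>
  createServer(handler).listen(Number(process.env.IPCHECK_PORT)));
```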

3 REPLIES

Could you clarify the question? It sounds like you're asking how to whitelist IP addresses but not provide the IP addresses. This is challenging. 😉

Are you looking for other access control methods? Can you explain why you don't want to provide the IP addresses for the whitelist?

Thanks for that. I will give these a try. :)