IP Whitelisting for Apigee Management APIs

Not applicable

Hi,

Can we put IP whitelisting on our management APIs? Our org is in a Public Cloud.

Thanks

Jaskaran


adas

@jaskaran.rm The management APIs are public APIs which are accessed with your org admin credentials. I didn't understand your question about putting IP whitelisting, because the APIs are hosted in the cloud and are exposed to all our customers and trial users as long as you have a valid org and credentials. Am I missing something?

If your requirement is to be able to whitelist a certain set of IPs, so that management calls can be made only from those IPs, that is not possible because it's hosted on the cloud and serves multiple customers like any other SaaS offering.

Not applicable

Hi @arghya das,

Yup. You are right, these are public APIs on cloud.

This is not a requirement but more of a discussion if some of it is possible.

There are some components which are shared across orgs for which we cannot put any specific restriction.

But there are some components which are specific instances for an org alongside a message processor. E.g., Analytics DB, I guess. In this case, the management API call will eventually land on this server. Is it technically possible for us to put a whitelisting in this case?

Thanks,

Jaskaran

Analytics DB is not a specific instance for a customer, it is a central service. You cannot do IP whitelisting for any management APIs.

adas

@jaskaran.rm In our cloud there are no dedicated instances apart from message-processors. Even message-processors are shared in certain cases, so it's not possible to do IP whitelisting for any of the shared components. Analytics DB and other internal components are anyways blocked from public access only management servers, message processors and other Apigee components. So you need not worry about IP whitelisting for those servers. Is there a specific reason why you are looking for this?

Cool. Thanks. Not worried about internal components access. Just was worried about someone getting access to the credentials of one of the users in Apigee and accessing Apigee management APIs and being able to see data stored in KVM etc.

But I am happy with your explanation. Thanks

Thanks

Jaskaran

adas

@jaskaran.rm Great. If you are happy with the explanation, can you Accept the answer? It would help others who might have similar queries.

Just for your information, we are also going to roll out a feature for encrypted KVM so that folks querying the management API cannot see the contents of the KVM. The same feature exists today with "vaults" but the drawback with vaults is that it can only be used with node.js and apigee-access. The encrypted KVM feature is currently in development and is designed to address these sorts of use cases.

Thanks @arghya das. Encrypted KVM will be awesome. I know the issue with vault being accessible from node. I am also waiting for a policy to access that.

Hello all, I wanted to add an important note: encrypted KVMs are here. Details are in our documentation: http://docs.apigee.com/api-services/reference/key-value-map-operations-policy . You now have an option for encrypted data without having to use Node.js.