How to limit access to development version of API proxy in Edge?

Not applicable

I have an API proxy with dev, test, and production environment in Edge. I would like to limit access to dev and test proxies to a list or a range of IPs. The production should be wide-open. How can it be done?

1 ACCEPTED SOLUTION

akoo
Participant V

Hi @Alexey Dmitriyev,

Please see documentation on the Access Control policy here. That will allow you to do exactly what you need.

For example, see the following to allow only the following IP addresses:

<AccessControl name="ACL">
  <!-- Requests that match no rule are denied -->
  <IPRules noRuleMatchAction="DENY">
    <!-- Allow the three /24 networks listed below -->
    <MatchRule action="ALLOW">
      <SourceAddress mask="24">10.10.20.0</SourceAddress>
      <SourceAddress mask="24">10.10.30.0</SourceAddress>
      <SourceAddress mask="24">10.10.40.0</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>


6 REPLIES 6

Awesome. A noob question, can the SourceAddress refer to an Apigee environment variable so that it can be controlled per environment? In other words, if I want the API proxy code to be exactly the same in dev, test, and production, and use environment variables to control the behavior, how can it be done?

@Alexey Dmitriyev, your comment beats my answer by 2 minutes 🙂 Check my answer below. Keep us posted.

There are no noob questions in here 🙂 The SourceAddress cannot refer to an Apigee variable (environment-related or not) at this time. But you can leverage environment-specific substitution during deploy-time with tools like the Apigee Deploy Grunt Plugin or Apigee Deploy Maven Plugin.

And if you are fine with hard-coded values in the policies themselves, @Anil Sagar's suggestion below will work fine. The solution I proposed above lets you leverage a single policy instead of 1-policy per environment. If you need ability to change IP addresses without deployment, like KVM, you may have to custom build your own access control with a callout to a separate service, e.g., API BaaS.

@Alexey Dmitriyev,

Just adding on top of @Alex Koo's answer: to restrict the same proxy by different environments, selectively apply the policy mentioned by @Alex Koo using policy conditions and the flow variable "environment.name".

PS: I haven't tested it but it should work. You can verify the same quickly.
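
The conditional attachment suggested in the reply above, as an added example that is not from any of the posts: the ACL policy from the accepted solution is attached in the ProxyEndpoint PreFlow and skipped only in production. The environment name `prod`, the base path and the file location are assumptions; use the names your organization actually has.

```xml
<!-- apiproxy/proxies/default.xml (typical bundle location; added example) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Run the ACL policy first, before any other request policy. -->
      <Step>
        <Name>ACL</Name>
        <!-- Skip the allow-list only in production ("prod" is an assumed
             environment name). Written as a negative match so that any
             environment added later, or a typo in the name here, leaves
             the IP restriction in force rather than switching it off. -->
        <Condition>environment.name != "prod"</Condition>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <!-- Placeholder base path -->
    <BasePath>/v1/example</BasePath>
    <VirtualHost>default</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

A positive match such as `environment.name = "dev" or environment.name = "test"` also works, but it leaves any environment not named in the condition unrestricted.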