How to block external calls originating from a few countries like Russia

navjot_k
Participant II

How to block the traffic originating from a few countries in Apigee? We have a cloud-based Apigee setup.

1 ACCEPTED SOLUTION

Hi @Navjot Kaur, I'll start with a caveat - there is no foolproof method you can use to block traffic from specific countries. There isn't anything that maintains the true source location of a request and a fundamental issue is that it is relatively easy to disguise that true IP address, for example by using a VPN. Someone in country A makes a connection to country B via a VPN and then sends requests to country C via that VPN. Because of this, the server receiving the request in country C will have the source IP address of the server in country B. And that is just one of the ways that country-level blocks can be overcome.

That said, one thing you could do to reduce the amount of traffic coming from unwanted locations is utilize a geolocation service. I cannot recommend any specific providers but if you do an internet search for that term you will get a number of options to choose from.

You would extract the source IP address, then use a service callout that passes the source IP address to the geolocation service. They identify which country they believe the IP address is from and then you evaluate their response and if it's a country that you don't want to serve, your callout raises an appropriate fault and stops the request.

Hopefully other Community members will add any alternative techniques they know about. If this has helped answer your question, please click the Accept link or alternatively let us know how we can further help.

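The flow described in the accepted answer, as an added example (not code from the thread or from Apigee): helper logic for JavaScript policies placed before and after the ServiceCallout. The flow-variable names `geoResponse`, `geo.block` and `geo.reason`, the `country_code` response field and the `trustedHops` count are assumptions; adapt them to your provider and network layout.

```javascript
// Added example, not code from the thread. Assumed names: geoResponse, geo.block,
// geo.reason, and a provider JSON body carrying a "country_code" field.
var DENIED = { RU: true };   // ISO 3166-1 alpha-2 codes to refuse (RU is from the question)
var FAIL_CLOSED = false;     // policy choice: block when the lookup itself fails?

// Choose the address to geolocate. X-Forwarded-For is client-controlled except for
// the entries appended by your own proxies, so count back from the right.
function pickClientIp(xff, peerIp, trustedHops) {
  var hops = (xff || "").split(",").map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
  var idx = hops.length - trustedHops;   // entry written by the outermost trusted proxy
  return idx >= 0 && trustedHops > 0 ? hops[idx] : peerIp;
}

// Evaluate the geolocation provider's answer. A non-200 status, malformed JSON or a
// missing/odd country code counts as a failed lookup and follows FAIL_CLOSED.
function decide(statusCode, body) {
  var country = null;
  try {
    if (Number(statusCode) === 200) {
      var code = JSON.parse(body).country_code;
      if (typeof code === "string" && /^[A-Za-z]{2}$/.test(code)) country = code.toUpperCase();
    }
  } catch (e) { /* malformed body: handled as a failed lookup below */ }
  if (country === null) {
    return { block: FAIL_CLOSED, reason: "geo_lookup_failed", country: null };
  }
  if (DENIED[country] === true) {
    return { block: true, reason: "country_denied", country: country };
  }
  return { block: false, reason: "country_allowed", country: country };
}

// Inside an Apigee JavaScript policy the global `context` exists; publish the result
// so a RaiseFault step conditioned on geo.block can stop the request.
if (typeof context !== "undefined") {
  var result = decide(context.getVariable("geoResponse.status.code"),
                      context.getVariable("geoResponse.content"));
  context.setVariable("geo.block", result.block);
  context.setVariable("geo.reason", result.reason);
}
```

Logging `geo.reason` alongside the decision makes it possible to tell denied countries apart from provider outages when reviewing blocked requests.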

7 REPLIES

Hi Marc

Thanks for your response. There is a report in Edge called GeoMap which gives details of traffic details country-wise. How is this report displaying the country data?

We make use of a geolocation service. There's a good description of how that is done in our private cloud documentation for enabling geo aggregation and geo maps.

Hi Marc, can you suggest a geolocation service that can be used in production?

Hi @Navjot Kaur - the details you want are all in the link I shared above.

bdavolls
Participant II

Presuming this won't work on the new Apigee integrated Edge developer portal (non-Drupal)?