Environment specific IP Whitelisting


Hi,

I want to whitelist different IPs for different environments, and those IPs can have different masking.

Can I do it using AccessControl policy and KVM? Can I specify the whitelisted IPs and their respective mask values in KVM and then use those values in AccessControl policy?

Please advise.

Thanks,

Sanjay


Hi Fajj,

Thanks for taking the time to respond to my questions. But I am sorry to say that none of the links answer my question. I had been through these links.

I know how whitelisting works using Access Control policy along with having different masking for different IPs (if you have multiple IPs to whitelist). I have tried it out already.

I will elaborate on the question. I have to whitelist x1.x2.x3.x4/24; z1.z2.z3.z4/24 in Dev and y1.y2.y3.y4/32 in Production. How do I put (for DEV env)?:

<SourceAddress mask="24">x1.x2.x3.x4</SourceAddress>

<SourceAddress mask="24">z1.z2.z3.z4</SourceAddress>

And then put (in PROD env):

<SourceAddress mask="32">y1.y2.y3.y4</SourceAddress>

in ONE Access Control Policy file. I can put them in one ACL file but then DEV IPs are whitelisted in PROD and vice-versa, which is not a desired situation.

Is it possible to use KVM? If yes then how?

Thanks,

Sanjay


I have come up with an approach where we can make it environment usable. And I think this approach can be used in places where using KVM may not be possible.

Steps:

1) Add an ACL policy file for Test, say: whitelist-ips-test

2) Add an ACL policy file for Production: whitelist-ips-test

3) Add the following conditional step in your proxy request preflow (ideally as the first step):

<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>whitelist-ips-test</Name>
      <Condition>environment.name equals "test"</Condition>
    </Step>
    <Step>
      <Name>whitelist-ips-prod</Name>
      <Condition>environment.name equals "prod"</Condition>
    </Step>

........

</PreFlow>

Then it will work based on the environment and not mix the IPs.

Thanks,

Sanjay

One issue with using this approach is that for any change in KVM we do not need to redeploy the API Proxy whereas for any change with this approach we need to redeploy the API proxy.
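
The two AccessControl policy files that the steps in the answer refer to could look like the following. This is an added example, not part of the original posts: the policy names follow the PreFlow in the answer, the addresses are the placeholders from the question, and putting the two /24 ranges in the test policy is an assumption.

```xml
<!-- Policy file 1: whitelist-ips-test
     Runs only when the PreFlow condition environment.name equals "test" holds. -->
<AccessControl name="whitelist-ips-test">
  <DisplayName>whitelist-ips-test</DisplayName>
  <!-- Reject every source address that matches no rule below -->
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <!-- Placeholder addresses from the question; replace with the real ranges -->
      <SourceAddress mask="24">x1.x2.x3.x4</SourceAddress>
      <SourceAddress mask="24">z1.z2.z3.z4</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>

<!-- Policy file 2: whitelist-ips-prod
     Runs only when the PreFlow condition environment.name equals "prod" holds. -->
<AccessControl name="whitelist-ips-prod">
  <DisplayName>whitelist-ips-prod</DisplayName>
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <!-- mask="32" matches exactly one address -->
      <SourceAddress mask="32">y1.y2.y3.y4</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>
```

With the conditions shown in the answer, an environment whose name is neither test nor prod runs neither policy, so the proxy applies no IP restriction there.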