How to block all calls from outside the United States?

sarthak
Participant V

Hi all,

I have a requirement to block all calls originating from outside USA. This is due to data privacy issues.

IP-based blacklisting using the Access Control policy does not look very robust to me. What other options do I have?

Sarthak


Not applicable

@sarthak, do you want those calls to hit the Edge and then be blocked, or be blocked even before they hit Edge?

sarthak
Participant V

@Maruti Chand I am fine either way. As long as no API call coming from outside the US goes beyond Apigee, and it gets an error response, I am fine with that.

@sarthak

Is this on cloud or private cloud?

If private cloud, I believe you can block all the calls from outside the US using Dynect, but I'm not sure if you can customise the response.

Not applicable

For more sophisticated use cases I would make a service callout to a third-party provider to geolocate the IP address. If an address is not allowed, you can use RaiseFault with a 403 Forbidden.

A cache on this address would allow you to minimize latency for returning visitors and allow you to build your "blacklist" over time.

Apigee BaaS, IPInfoDB, etc. provide geolocation APIs suitable for this purpose.

Not applicable

You can use the https://ipinfo.io/ API and use the country in the response to block.

Not applicable

Here's another site to get CIDR Access Control Lists (ACL) per country.

sarthak
Participant V

Thanks guys.

So IP address is my only option?

I think these types of use cases are best handled by the DNS providers like route53 or dynect, or at the network firewall.

Even though Apigee can do it using the AccessControl policy, it feels like not a good place to put that restriction.

sarthak
Participant V
@mukundha@apigee.com

Yes, I agree. That's why I am wondering, for a hosted solution, i.e. using Apigee cloud, can Apigee do anything at the DNS or firewall layer?

Yeah, I think we should check with support. If this is a common data privacy issue, then I am sure it should have an easier solution.

Not applicable

Hi @sarthak, as I said earlier, you can know the calls from outside the US at the DNS level itself, and if you really want those calls to reach Apigee for some logging etc., the load balancer can add a header and you can know at runtime instead of checking them in the MP, which would be kind of redundant.

Not sure if the above can be done easily in cloud, but that should be pretty easy in Private Cloud.
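The replies above sketch three building blocks: a per-country CIDR ACL checked locally, a geolocation callout (ipinfo.io-style) whose result is cached so repeat callers do not pay the latency, and a 403 via RaiseFault when the country is not allowed. The last reply adds that a load balancer in front of the gateway can add a header, which only helps if the gateway trusts the hop that added it and not anything the caller put there. The block below is an added example, not code from this thread or from Apigee, showing that decision logic in plain JavaScript. Everything in it is constructed: the CIDR list uses documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), `sampleLookup` stands in for the provider callout, the in-memory `Map` stands in for the gateway's cache, and the `X-Forwarded-For` handling trusts only addresses inside the constructed `TRUSTED_PROXIES` range. Unknown countries fail closed, which is the safer default for a data-privacy requirement.

```javascript
// Added example (not from the thread): country-based allow/deny for an API gateway.
// Order of checks: local CIDR ACL -> cache -> geolocation lookup; deny with 403 otherwise.

function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error('invalid IPv4 address: ' + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error('invalid IPv4 address: ' + ip);
    return acc * 256 + n;
  }, 0);
}

// True if ip lies inside cidr, e.g. inCidr('203.0.113.42', '203.0.113.0/24').
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error('invalid CIDR: ' + cidr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Client address from X-Forwarded-For: walk from the right, skipping hops that are our
// own proxies. Everything further left was supplied by the caller and is untrusted, so
// the first non-proxy address from the right is the one our load balancer actually saw.
function clientIpFromXff(xff, trustedProxies) {
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.some((cidr) => inCidr(hops[i], cidr))) return hops[i];
  }
  return null; // every hop was one of our proxies; no client address recoverable
}

// Build a gate. acl is [{cidr, country}], lookup(ip) returns an ISO country code or null
// when the provider cannot resolve the address. Null is treated as not allowed (fail closed)
// and is not cached, so a transient provider failure does not stick.
function makeGeoGate({ allowedCountries, acl, lookup, cache }) {
  return function decide(clientIp) {
    let country = null;
    let source;
    const hit = acl.find((entry) => inCidr(clientIp, entry.cidr));
    if (hit) {
      country = hit.country;
      source = 'acl';
    } else if (cache.has(clientIp)) {
      country = cache.get(clientIp);
      source = 'cache';
    } else {
      country = lookup(clientIp);
      if (country !== null) cache.set(clientIp, country);
      source = 'lookup';
    }
    const allow = country !== null && allowedCountries.has(country);
    return { allow, status: allow ? 200 : 403, country, source };
  };
}

// Constructed sample data: documentation ranges only, not real country allocations.
const SAMPLE_ACL = [
  { cidr: '203.0.113.0/24', country: 'US' },
  { cidr: '198.51.100.0/24', country: 'DE' },
];
const SAMPLE_GEO = { '192.0.2.10': 'US', '192.0.2.20': 'FR' }; // stands in for provider answers
const TRUSTED_PROXIES = ['10.0.0.0/8']; // constructed: where our own load balancers live

let lookupCalls = 0;
function sampleLookup(ip) {
  lookupCalls += 1; // counted so the cache's effect is observable
  return Object.prototype.hasOwnProperty.call(SAMPLE_GEO, ip) ? SAMPLE_GEO[ip] : null;
}
function lookupCallCount() { return lookupCalls; }

const gate = makeGeoGate({
  allowedCountries: new Set(['US']),
  acl: SAMPLE_ACL,
  lookup: sampleLookup,
  cache: new Map(),
});

// Example request path: derive the client IP from the proxy chain, then decide.
const clientIp = clientIpFromXff('192.0.2.20, 10.0.0.9', TRUSTED_PROXIES);
console.log(clientIp, gate(clientIp)); // 192.0.2.20 -> 403, country FR, source lookup
```

In Apigee terms the `lookup` step is a ServiceCallout, the `cache` is LookupCache/PopulateCache keyed on the client address, and a `status` of 403 becomes a RaiseFault. The ACL check runs first because it needs no network round trip; the same structure also lets you carry a deny list in the ACL, since any country not in `allowedCountries` is rejected.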