Is there any fixed range or pattern in source IP address of APIGEE endpoint? Is it static or changes?

I am setting up a load balancer in Kubernetes which will allow access to only authorized IPs. I am considering APIGEE to use an abstraction layer to manage all the authentication, rate limiting, and other filters before the client request reaches the load balancer or the service endpoint.

I understand that using 'Access Control' policy in Apigee I can restrict the access of the Apigee endpoint to only authorized IPs. So I want to allow ONLY traffic in Kubernetes service (or load balancer) which goes through Apigee endpoint. In short, adding Apigee endpoints IP in the authorized networks in the load balancer is the identical solution I am considering at this point.

I went through a few articles and questions and I am still not sure whether or not the IP address of the Apigee endpoint (from which the requests are being sent to the Kubernetes Load Balancer) is static, and how to find it out. I tried sending a curl -v and I got the public IP of the endpoint which can also be retrieved from https://ipinfo.info/html/ip_checker.php

To summarize, here are my questions:

1. The IP address from which APIGEE sends the request to an endpoint is fixed or changes? If changes, how often?
2. Is there any fixed IP range per proxy in APIGEE?

Apigee Edge SaaS uses a NAT layer for "egress". Targets (upstream) will see one of a few client IP addresses for each request being proxied through Apigee Edge. It's usually 3 addresses per zone.

To find the addresses for your org / environment, build a proxy that connects to ip_checker.php, run it 10 times or so, and you will see the full list of ~3 IP addresses used by the NAT layer.

Those addresses are mostly stable. They only disappear if something goes wrong with one of the associated hardware machines in the cloud datacenter. This happens, but rarely. Less than once per year. It's never a planned change.

Apigee does not document a fixed IP range for the NAT layer.
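The discovery step described in this answer, as an added example that is not code from the thread or from Apigee: call an "echo my client IP" proxy repeatedly, keep only responses that parse as an IP address, and render the resulting set as /32 CIDRs of the kind a Kubernetes `Service.spec.loadBalancerSourceRanges` list accepts. The proxy URL `APIGEE_ECHO_URL` is a hypothetical placeholder, and the offline demonstration injects a constructed fetcher instead of calling the network.

```python
"""Discover the Apigee egress (NAT) addresses an upstream will see.

Added example, not from the original thread. APIGEE_ECHO_URL is an assumed,
hypothetical proxy whose target simply echoes the caller's IP address.
"""
import ipaddress
import itertools
import urllib.request
from collections import Counter

APIGEE_ECHO_URL = "https://example-org-test.apigee.net/echo-ip"  # hypothetical


def fetch_observed_ip(url: str = APIGEE_ECHO_URL, timeout: float = 10.0) -> str:
    """Call the echo proxy once and return the raw body (expected: one IP)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace").strip()


def discover_egress_ips(fetch, attempts: int = 10) -> Counter:
    """Call fetch() `attempts` times and count each distinct source IP seen.

    Responses that are not a valid IP address (error pages, empty bodies)
    are dropped rather than allow-listed by accident.
    """
    seen: Counter = Counter()
    for _ in range(attempts):
        raw = fetch()
        try:
            seen[str(ipaddress.ip_address(raw))] += 1
        except ValueError:
            continue  # not an address; never put garbage in an allow-list
    return seen


def is_stable(seen: Counter, min_hits: int = 2) -> bool:
    """Heuristic: if any address was seen only once, the NAT pool may not be
    fully enumerated yet; run more attempts before allow-listing."""
    return bool(seen) and all(n >= min_hits for n in seen.values())


def to_source_ranges(ips) -> list:
    """Render addresses as host CIDRs (/32 or /128), sorted, suitable for
    Service.spec.loadBalancerSourceRanges."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    nets.sort(key=lambda n: (n.version, int(n.network_address)))
    return [str(n) for n in nets]


# Constructed responses for the offline demonstration: three NAT addresses
# from the documentation range plus one non-IP error body.
CONSTRUCTED_RESPONSES = [
    "203.0.113.10",
    "203.0.113.11",
    "203.0.113.12",
    "<html>502 Bad Gateway</html>",
]


def make_fake_fetch(responses=CONSTRUCTED_RESPONSES):
    """Return a fetch() stand-in that cycles through constructed responses."""
    cycle = itertools.cycle(responses)
    return lambda: next(cycle)


if __name__ == "__main__":
    # Offline run; replace make_fake_fetch() with fetch_observed_ip to go live.
    counts = discover_egress_ips(make_fake_fetch(), attempts=10)
    print("observed:", dict(counts), "stable:", is_stable(counts))
    print("loadBalancerSourceRanges:", to_source_ranges(counts))
```

Ten calls against a pool of about three addresses will usually surface all of them, but the `is_stable` check is there because nothing guarantees it: an address seen once may mean the pool has a fourth member you have not hit often enough yet.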


Thank you for your response. So, I cannot fully rely on these IPs, which can change (as you said, it's rare, but it happens).

Would you mind suggesting the best way to allow only Authorized IPs to the load balancer IP in any kubernetes service or any other service which is publicly available?

The matter here is to secure the backend URL and not just the APIGEE URL.

Also, is it possible that the ~3 IPs (or 1 or 2) assigned to my proxy can be assigned to someone else later, in case there is a change in the IPs?

I can not fully rely on these IPs which can change

Yes, that's right. And really, doesn't everything change? Can you rely indefinitely on anything in life? As Heraclitus reminds us, Change is the only constant in life. And the Buddha tells us that Attachment is the root of all suffering. The lesson we should take is, let us not rely on things that we know are subject to change.

Would you mind suggesting the best way to allow only Authorized IPs to the load balancer IP in any kubernetes service or any other service which is publicly available?

I think you are asking about how to handle the rare case in which the IPs change. Unfortunately there is no webhook that alerts such a change. I suggest that you:

  • configure the inbound LB to allow the IP addresses that are available today
  • monitor the inbound LB, and if you detect a significant portion of inbound requests arriving from an unknown IP, investigate whether it is a new bona fide address used by the NAT layer. In which case, reconfigure the LB to allow this IP.
  • Monitor the NAT to detect changes in IP proactively. It's easy to do this with an echo service behind the LB. You'll need to ensure some security here.

It's preferable to have 2-way TLS to ensure trust between the links rather than IP whitelisting. Cloud IPs change all the time, and TLS is well suited to solve the problem. Consider using TLS.

is it possible that the ~3 IPs (or 1 or 2) assigned to my proxy can be assigned to someone else later, in case there is a change in the IPs?

Yes, I suppose that is possible. Highly unlikely but possible. With TLS this obviously would be no problem.
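The second bullet of the reply above (watch the load balancer for traffic from unknown source IPs and investigate whether a new NAT address has appeared), as an added example that is not code from the thread: it parses common-log-format access lines, counts requests that fall outside the allow-listed NAT addresses, and separates a likely new egress address (one unknown IP carrying a steady share of traffic) from scanning noise (many unknown IPs with a hit or two each). The allow-list, thresholds and log lines are constructed for illustration; in practice the lines would come from the load balancer's own access or deny log, since once the allow-list is enforced the backend never sees the rejected traffic.

```python
"""Flag unknown source IPs in load-balancer access logs.

Added example, not from the original thread. ALLOWED_NAT_RANGES, the
thresholds and SAMPLE_LOG_LINES are constructed for the demonstration.
"""
import ipaddress
import re
from collections import Counter

# Constructed allow-list: the NAT addresses discovered for this org/env.
ALLOWED_NAT_RANGES = [
    ipaddress.ip_network(c)
    for c in ("203.0.113.10/32", "203.0.113.11/32", "203.0.113.12/32")
]

# Common log format: client_ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def client_ip(line: str):
    """Return the client address of one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None


def is_allowed(ip, allowed=ALLOWED_NAT_RANGES) -> bool:
    return any(ip in net for net in allowed)


def analyze(lines, allowed=ALLOWED_NAT_RANGES, share_threshold: float = 0.05,
            min_requests: int = 20) -> dict:
    """Summarise traffic from outside the allow-list.

    An unknown IP whose share of all parsed requests reaches share_threshold
    is reported as a candidate new NAT address worth investigating; the rest
    are reported as noise. Nothing is classified until min_requests lines
    have been seen, so a quiet window cannot trigger on a single hit.
    """
    total = 0
    unknown: Counter = Counter()
    for line in lines:
        ip = client_ip(line)
        if ip is None:
            continue  # malformed line; skip rather than guess
        total += 1
        if not is_allowed(ip, allowed):
            unknown[str(ip)] += 1

    result = {
        "total": total,
        "unknown_total": sum(unknown.values()),
        "candidates": [],  # (ip, hits): steady share, investigate the NAT
        "noise": [],       # (ip, hits): scanners and one-offs
    }
    if total < min_requests:
        return result
    for ip, hits in unknown.most_common():
        bucket = "candidates" if hits / total >= share_threshold else "noise"
        result[bucket].append((ip, hits))
    return result


def _constructed_line(ip: str, path: str, status: int = 200) -> str:
    return f'{ip} - - [01/May/2024:12:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample: 20 requests from known NAT addresses, 4 from a new
# address in the same block, 1 probe from elsewhere, and one malformed line.
SAMPLE_LOG_LINES = (
    [_constructed_line("203.0.113.10", "/api/orders")] * 8
    + [_constructed_line("203.0.113.11", "/api/orders")] * 7
    + [_constructed_line("203.0.113.12", "/api/items")] * 5
    + [_constructed_line("203.0.113.13", "/api/orders")] * 4
    + [_constructed_line("198.51.100.7", "/.env", 403)]
    + ["malformed line that should be skipped"]
)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG_LINES)
    print(f"{report['unknown_total']} of {report['total']} requests from unknown IPs")
    for ip, hits in report["candidates"]:
        print(f"investigate {ip}: {hits} hits, possible new NAT address")
    for ip, hits in report["noise"]:
        print(f"noise {ip}: {hits} hits")
```

A candidate flagged here still has to be confirmed out of band (for example by re-running the echo-proxy discovery) before it is added to the allow-list; the share-of-traffic signal only says that one unknown address is behaving like an egress node, not that it belongs to Apigee. As the reply says, mutual TLS between Apigee and the backend removes the dependency on these addresses altogether.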

A few years late, but in case someone finds this thread: You can now provision NAT IPs for a static IP address(es): https://cloud.google.com/apigee/docs/api-platform/security/nat-provisioning