IP Allowlist Policy
The IP Allowlist policy allows you to create an explicit list of IP addresses that can access your deployed endpoints. IP addresses that aren’t on this list are rejected.
If you have an IP Allowlist policy assigned, you need to add all IP addresses that are coming through your exposed endpoint to the list.
IP Allowlist policy violations escalate to authentication errors for the DoS policy. You can configure the way protocol errors are handled in a DoS policy.
This policy is IP address based. If an attacker can spoof the source IP address, these measures cannot prevent the attack.
Differences with API Gateway Policies
The IP Allowlist policy is a single list of all IP addresses allowed to connect to your endpoint, and this list applies to all applications. An API Gateway Allowlist policy, by contrast, is configured per API.
Example
You can set up an IP Allowlist policy to allow a.a.a.a, y.y.y.y, and z.z.z.z.
Then, API-1 (/api1) uses an API Allowlist policy that allows x.x.x.x, and API-2 (/api2) uses another policy that allows y.y.y.y and z.z.z.z.
- IP address w.w.w.w is rejected by both APIs, because it’s not listed in the IP Allowlist policy.
- IP address y.y.y.y requesting /api1 is allowed at the IP Allowlist policy level, and rejected by the API Allowlist policy at /api1.
- IP address y.y.y.y requesting /api2 is allowed at the IP Allowlist policy level, and allowed by the API Allowlist policy at /api2.
Prerequisites
To configure and use the security policies, you must:
- Have the Anypoint Security - Edge entitlement for your Anypoint Platform account.
  If you don’t see Security in Management Center, contact your customer success manager to enable Anypoint Security for your account.
- Have Runtime Fabric on VMs/Bare Metal with inbound traffic configured. Anypoint Runtime Fabric is a container service that automates the deployment and orchestration of Mule apps and API gateways.
  Refer to the Runtime Fabric documentation.
  Runtime Fabric requires the Anypoint Integration Advanced package or a Platinum or Titanium subscription to Anypoint Platform.
- Enable inbound traffic on Runtime Fabric to allow Mule apps and API gateways to listen on inbound connections.
Configure an IP Allowlist Policy
- Navigate to Anypoint Security.
- Click Create Policy, and select IP Allowlist.
- Add a name for your policy in the Name field.
- Under IP Allowlist, click Add IP.
- Insert the range of IP addresses to the list. You must use the CIDR format for a range of IP addresses.
  For example, using the IP address 10.111.0.0/24 lists the addresses from 10.111.0.0 to 10.111.0.254.
  To add more IP address ranges, click Add IP again.
- Click Save Policy.
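The two-layer evaluation from the Example section, and the CIDR validation that the Add IP step relies on, can be reproduced offline. The following is an added example written for this page; it is not MuleSoft's own code or the behaviour of the Anypoint Security product. The addresses, base paths and policy contents are constructed (RFC 5737 documentation ranges stand in for a.a.a.a, x.x.x.x, y.y.y.y, z.z.z.z and w.w.w.w), and the function names `normalize_cidr`, `evaluate` and `match_api` are assumptions of the example. The model goes slightly beyond the page's text in one respect: it also reports which layer produced a rejection, and it refuses allowlist entries whose host bits are set (such as 10.111.0.1/24), which is the most common mistake when typing a range.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Platform-wide IP Allowlist policy: CIDR entries, a single host being a /32.
# All values are constructed for this example (RFC 5737 documentation ranges).
IP_ALLOWLIST: List[str] = [
    "203.0.113.0/28",    # constructed: plays the role of a.a.a.a (a whole range)
    "198.51.100.7/32",   # constructed: plays the role of y.y.y.y
    "198.51.100.9/32",   # constructed: plays the role of z.z.z.z
]

# Per-API Allowlist policies, keyed by the API base path (constructed).
API_ALLOWLISTS: Dict[str, List[str]] = {
    "/api1": ["192.0.2.10/32"],                       # constructed: x.x.x.x
    "/api2": ["198.51.100.7/32", "198.51.100.9/32"],  # constructed: y.y.y.y, z.z.z.z
}


def normalize_cidr(entry: str) -> Optional[str]:
    """Validate one allowlist entry and return it in canonical CIDR form.

    A bare address is accepted as a /32 (or /128) host. An entry whose host
    bits are set for its prefix (e.g. "10.111.0.1/24") is rejected with None,
    because that almost always means the operator meant a different range.
    """
    try:
        return str(ipaddress.ip_network(entry, strict=True))
    except ValueError:
        return None


def parse_allowlist(entries: List[str]) -> list:
    """Parse every entry, failing loudly on a malformed one instead of silently skipping it."""
    nets = []
    for entry in entries:
        canonical = normalize_cidr(entry)
        if canonical is None:
            raise ValueError(f"invalid allowlist entry: {entry!r}")
        nets.append(ipaddress.ip_network(canonical))
    return nets


def ip_in_allowlist(source_ip: str, nets: list) -> bool:
    """True if the source address falls inside any of the parsed networks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


def match_api(path: str, api_allowlists: Dict[str, List[str]]) -> Optional[str]:
    """Pick the API whose base path owns the request path (longest prefix wins)."""
    best = None
    for base in api_allowlists:
        if path == base or path.startswith(base.rstrip("/") + "/"):
            if best is None or len(base) > len(best):
                best = base
    return best


def evaluate(source_ip: str, path: str,
             ip_allowlist: List[str] = IP_ALLOWLIST,
             api_allowlists: Dict[str, List[str]] = API_ALLOWLISTS) -> Tuple[str, str]:
    """Evaluate a request through the two layers described on this page.

    Returns (decision, layer). The layer names the policy that produced the
    decision, which is what you want in a log line when working out why a
    client was turned away.
    """
    try:
        ipaddress.ip_address(source_ip)
    except ValueError:
        return ("rejected", "invalid-address")

    # Layer 1: platform-wide IP Allowlist, applies to every endpoint.
    if not ip_in_allowlist(source_ip, parse_allowlist(ip_allowlist)):
        return ("rejected", "ip-allowlist")

    # Layer 2: the API Allowlist policy of the API that owns the path.
    api = match_api(path, api_allowlists)
    if api is None:
        return ("rejected", "unknown-api")
    if ip_in_allowlist(source_ip, parse_allowlist(api_allowlists[api])):
        return ("allowed", "api-allowlist")
    return ("rejected", "api-allowlist")


if __name__ == "__main__":
    # Constructed requests mirroring the three bullets in the Example section.
    for ip, path in [("192.0.2.200", "/api1"),    # w.w.w.w
                     ("198.51.100.7", "/api1"),   # y.y.y.y against API-1
                     ("198.51.100.7", "/api2")]:  # y.y.y.y against API-2
        decision, layer = evaluate(ip, path)
        print(f"{ip:>14} {path:<6} -> {decision} ({layer})")
```

Run it as a script to see the three outcomes from the Example section; `evaluate` can also be imported and fed your own request samples. Keeping the layer name in the result is deliberate: when a client is rejected, the first question in practice is whether the platform-wide list or the per-API list did it, and a bare "rejected" does not answer that.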