Contact Us 1-800-596-4880

IP Allowlist Policy

Policy Name

IP Allowlist

Summary

Allows a list or range of specified IP addresses to request access

Category

Security

First Flex Gateway version available

v1.0.0

Returned Status Codes

403 - IP is rejected

Summary

The IP Allowlist policy allows a list or a range of specified IP addresses access to a protected resource when a match is found between a source IP (specified when configuring the policy) and a list of individual IPs or range of IPs. The policy supports both IPv4 and IPv6 addresses.

DataWeave 2.0 expressions define the source IP used by the policy to determine whether the IP belongs to the policy’s restricted IP list.

Configuring Policy Parameters

Flex Gateway Local Mode

In Local Mode, you apply the IP Allowlist policy to your API via declarative configuration files. Refer to the following policy definition and table of parameters:

- policyRef:
    name: ip-allowlist-flex
  config:
    ips: <array> // REQUIRED
    ipExpression: <string> // OPTIONAL, default: "#[attributes.headers['x-forwarded-for']]"
Parameter Required or Optional Default Value Description

ips

Required

N/A

The list of IP addresses allowed access to the API. You can define one IP or IP range at a time, as many times as required. For more information, see Specifying IP Addresses to Allowlist in Your Policy.

ipExpression

Optional

#[attributes.headers['x-forwarded-for']]

The DataWeave 2.0 expression to be used for extracting the IP address from this API request

Resource Configuration Example

- policyRef:
    name: ip-allowlist-flex
  config:
    ips:
      - "192.168.1.1"
      - "192.168.3.1/30"
      - "192.168.2"
      - "192.160"

Flex Gateway Connected Mode

When you apply the IP Allowlist policy to your API from the UI, configure the following parameters:

Parameter Description

IP expression

The DataWeave 2.0 used for extracting the IP address from this API request.

Allowlist

The list of IP addresses allowed access to the API. You can define one IP or IP range at a time, as many times as required. For more information, see Specifying IP Addresses to Allowlist in Your Policy.

Method & Resource conditions

The option to add configurations either to a select few or to all methods and resources of the API.

Specifying IP Addresses to Allowlist in Your Policy

Specify IP addresses to allow access to your policy based on:

  • The IP address of the request

  • The origin IP address that is determined by resolving a specific DataWeave expression, such as the x-Forwarded-For header

  • Any other origin.

Allowlisting Access Based on the IP address of the Request

Allowlist access based on the IP address of the request in any of the following ways:

  • Define a specific IP address by enumerating it in the Allowlist field, for example, 192.168.1.1.

  • Define a subset of addresses by identifying a subnet mask, for example, 192.168.3.1/30, which includes the consolidated range 192.168.3.01 through 192.168.3.3.

  • Define a whole range of IP addresses by stating the relevant octets of the IP address you want to permit, for example, setting 192.168, which includes IP addresses from 192.168.0.0 through 192.168.255.255.

Allowlisting Access Based on the Origin IP Address of the x-Forwarded-For Header

If the client connects to your API through an HTTP proxy or a load balancer, you can allowlist the client’s specific IP address (the IP address originating the request) instead of the address that appears in the request.

For example, if you want to allowlist 192.168.2.3(private IP) and the address of a client connecting through an HTTP proxy is 92.40.1.255 (public IP), the client requests appear with the public address using the proxy.

Typically, applications use the X-Forwarded-For header to identify the origin IP addresses of a request that was redirected to your endpoint.

You can use a DataWeave 2.0 expression in the policy to instruct the service to look for the IP address in the x-Forwarded-For header.

When you insert the IP address in the IP expression field of the policy parameters, Anypoint Platform is instructed to look for the starting IP address in the concatenated values of the x-Forwarded-For header of the request.