IP Whitelist Policy

The IP Whitelist policy allows you to create an explicit list of IP addresses that can access your deployed endpoints. IP addresses that aren’t on this list are rejected.

If you have an IP Whitelist policy assigned, you need to add all IP addresses that are coming through your exposed endpoint to the list.

IP Whitelist policy violations escalate to authentication errors for the DoS policy. You can configure the way protocol errors are handled in a DoS policy.

This source is IP address based. If an attacker can spoof the source IP address, these measures cannot prevent the attack.

Differences with API Gateway Policies

The IP Whitelist policy is a list of all IP addresses allowed to connect to your endpoint, and this list applies to all applications. You can set up an API Gateway Whitelist policy per API list.


You can set up an IP Whitelist policy to allow a.a.a.a, y.y.y.y, and z.z.z.z.
Then, API-1 (/api1) uses an API Whitelist policy that allows x.x.x.x, and API-2 (/api2) uses another policy that allows y.y.y.y and z.z.z.z.

  • IP Address w.w.w.w is rejected by both APIs, because it’s not listed in the IP Whitelist policy.

  • IP Address y.y.y.y requesting /api1, is allowed at the IP Whitelist policy level, and rejected by the API Whitelist policy at /api1.

  • IP Address y.y.y.y requesting /api2, is allowed at the IP Whitelist policy level, and allowed by the API Whitelist policy at /api2.


To configure and use the security policies, you must:

  • Have the Anypoint Security - Edge entitlement for your Anypoint Platform account.
    If you don’t see Security in Management Center, contact your customer success manager to enable Anypoint Security for your account.

  • Have Runtime Fabric with inbound traffic configured.
    Anypoint Runtime Fabric is a container service that automates the deployment and orchestration of Mule apps and API gateways.
    See the Runtime Fabric documentation.
    Runtime Fabric requires an Anypoint Platform Platinum or higher-level subscription.

  • Enable inbound traffic on Runtime Fabric to allow Mule apps and API gateways to listen on inbound connections.

Configure IP Whitelist Policy

  1. Navigate to Anypoint Security.

  2. Click Create Policy, and select IP Whitelist.

  3. Add a name for your policy in the Name field.

  4. Under IP White List, click Add IP.

  5. Insert the range of IP addresses to the list. You must use the CIDR format for a range of IP addresses.
    For example, using the IP address lists the addresses from to
    To add more IP address ranges, click Add IP again.

  6. Click Save Policy.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub