To Apply IP Whitelist

The IP Whitelist policy allows a list or range of IP addresses to access and interact with a configured API endpoint.

Whitelisting IP addresses to access your API endpoint

You can set up access in the following ways:

  • Access based on the IP address of the request

  • Access based on the origin IP address of the x-Forwarded-For header

Whitelisting Based on the IP address of the Request

  1. Click the version number of an API.

  2. On the API dashboard, click Policies.

    The list of any applied policies appears.

  3. In Apply New Policy.

  4. In Select Policy, choose IP Whitelist, and click Configure Policy.

  5. Specify an address or a range or addresses as follows:

    • Define a specific IP address. For example,

    • Define a subset of addresses by identifying a subnet mask, such as This includes the consolidated range: -

    • Define a whole range of IP addresses by stating the relevant octets of the IP address you want to permit. For example, setting 192.168 will include IP addresses from to

To whitelist a list of IP addresses:

  1. Enter one or more IP addresses in Whitelist.

    ip whitelist 051a0
  2. Click +.

    The greyed-out IP address and a deletion control appears below the Whitelist text entry field.

    ip whitelist 1b671
  3. Click Apply.

Whitelisting Based on the Origin IP Address of the x-Forwarded-For Header

If a client connects to an API through an HTTP proxy or a load-balancer, you might want to whitelist your client’s specific IP, which is the IP originating the request, instead of the address that appears in the request. For example, if you want to whitelist and this client is connecting through HTTP proxy, the request appears with the latter, public address. As a workaround, use the X-Forwarded-For header to identify the origin IP addresses of a request that was redirected to your endpoint.

To whitelist the IP address of an originating request using X-Forwarded-For header:

  1. In Apply "IP whitelist" Policy, use a Mule expression in IP Expression to instruct the service to look for the originating IP address in the 'x-Forwarded-For' header of the Mule message:

  2. In Whitelist, enter one or more IP addresses that appear in the request. Click +.

  3. Click Apply.

API Manager looks at the first IP address that ranks in the concatenated values of the 'X-Forwarded-For' header of the request.

Was this article helpful?

πŸ’™ Thanks for your feedback!

Edit on GitHub
Submit your feedback!
Share your thoughts to help us build the best documentation experience for you!
Take our latest survey!