- policyRef: name: ip-allowlist-flex config: ips: <array> // REQUIRED ipExpression: <string> // OPTIONAL, default: "#[attributes.headers['x-forwarded-for']]"
IP Allowlist Policy
Policy Name |
IP Allowlist |
Summary |
Allows a list or range of specified IP addresses to request access |
Category |
Security |
First Flex Gateway version available |
v1.0.0 |
Returned Status Codes |
403 - IP is rejected |
Summary
The IP Allowlist policy allows a list or a range of specified IP addresses access to a protected resource when a match is found between a source IP (specified when configuring the policy) and a list of individual IPs or range of IPs.
DataWeave 2.0 expressions define the source IP used by the policy to determine whether the IP belongs to the policy’s restricted IP list.
Configuring Policy Parameters
Flex Gateway Local Mode
In Local Mode, you apply the IP Allowlist policy to your API via declarative configuration files. Refer to the following policy definition and table of parameters:
Parameter | Required or Optional | Default Value | Description |
---|---|---|---|
|
Required |
N/A |
The list of IP addresses allowed access to the API. You can define one IP or IP range at a time, as many times as required. For more information, see Specifying IP Addresses to Allowlist in Your Policy. |
|
Optional |
|
The DataWeave 2.0 expression to be used for extracting the IP address from this API request |
Flex Gateway Connected Mode
When you apply the IP Allowlist policy to your API from the UI, configure the following parameters:
Parameter | Description |
---|---|
IP expression |
The DataWeave 2.0 used for extracting the IP address from this API request. |
Allowlist |
The list of IP addresses allowed access to the API. You can define one IP or IP range at a time, as many times as required. For more information, see Specifying IP Addresses to Allowlist in Your Policy. |
Method & Resource conditions |
The option to add configurations either to a select few or to all methods and resources of the API. |
Specifying IP Addresses to Allowlist in Your Policy
Specify IP addresses to allow access to your policy based on:
-
The IP address of the request
-
The origin IP address that is determined by resolving a specific DataWeave expression, such as the x-Forwarded-For header
-
Any other origin.
Allowlisting Access Based on the IP address of the Request
Allowlist access based on the IP address of the request in any of the following ways:
-
Define a specific IP address by enumerating it in the Allowlist field, for example,
192.168.1.1
. -
Define a subset of addresses by identifying a subnet mask, for example,
192.168.3.1/30
, which includes the consolidated range192.168.3.01
through192.168.3.3
. -
Define a whole range of IP addresses by stating the relevant octets of the IP address you want to permit, for example, setting
192.168
, which includes IP addresses from192.168.0.0
through192.168.255.255
.
Allowlisting Access Based on the Origin IP Address of the x-Forwarded-For Header
If the client connects to your API through an HTTP proxy or a load balancer, you can allowlist the client’s specific IP address (the IP address originating the request) instead of the address that appears in the request.
For example, if you want to allowlist 192.168.2.3
(private IP) and the address of a client connecting through an HTTP proxy is 92.40.1.255
(public IP), the client requests appear with the public address using the proxy.
Typically, applications use the X-Forwarded-For
header to identify the origin IP addresses of a request that was redirected to your endpoint.
You can use a DataWeave 2.0 expression in the policy to instruct the service to look for the IP address in the x-Forwarded-For
header.
When you insert the IP address in the IP expression field of the policy parameters, Anypoint Platform is instructed to look for the starting IP address in the concatenated values of the x-Forwarded-For
header of the request.