
API Gateway: IP address-based access control

Last Updated: Jul 12, 2019

IP address-based access control is one of the API security components available in API Gateway. This feature is used to control the IP addresses or IP address segments from which APIs can be called. You can add an IP address to the whitelist or blacklist of an API to permit or reject the requests for this API from the specified IP address.

IP address-based access control is now integrated into the plug-in system. The original throttling interface and console are still in use. IP address-based access control policies and IP address-based access control plug-ins belong to the same plug-in type and are subject to the binding restrictions of that type.

When you create or modify IP address-based access control policies in the original IP address-based access control interface or console, the data changes are synchronized to the plug-in system. However, changes that you make in the plug-in system cannot be synchronized to the original IP address-based access control interface or console.

Usage instructions

You can configure a whitelist or blacklist in an IP address-based access control plug-in.

  • Whitelist: You can configure a whitelist that consists of IP addresses or combinations of application IDs and IP addresses. API Gateway rejects requests from non-whitelisted IP addresses for the bound APIs.
    • An IP address whitelist allows only the requests from the whitelisted IP addresses.
    • An application ID and IP address whitelist allows only the requests sent by the whitelisted applications from the whitelisted IP addresses.
  • Blacklist: You can configure IP address blacklists to reject access from the blacklisted IP addresses.

Plug-in configurations

You can configure IP address-based access control plug-ins in the JSON or YAML format, because these two formats use the same schema. You can use the yaml to json tool to convert the configuration format of an IP address-based access control plug-in. The following example shows a plug-in configuration template in the YAML format.

    ---
    type: ALLOW        # The control type. Valid values: ALLOW and REFUSE. ALLOW indicates whitelist and REFUSE indicates blacklist.
    items:
    - blocks:          # IP address segments.
      - 78.11.12.2     # You can configure IP addresses.
      - 61.3.9.0/24    # You can configure CIDR blocks.
      appId: 219810    # (Optional) The ID of an application. If appId is specified, the configured IP address segments take effect only on the specified application.
    - blocks:          # IP address segments.
      - 79.11.12.2     # You can configure IP addresses.
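
The whitelist and blacklist rules described above can be checked offline before a policy is bound to an API. The following is an added example, not API Gateway's own code: it models the template as the equivalent parsed JSON structure and evaluates a request against it. The function names `compile_policy` and `is_allowed` are hypothetical, rejecting CIDR blocks with host bits set is a choice made by this example, and the REFUSE handling of `appId` follows the template comment that the segments take effect only on the specified application.

```python
import ipaddress

# Constructed sample: the page's YAML template as the equivalent parsed
# structure (the page states that JSON and YAML share one schema).
SAMPLE_POLICY = {
    "type": "ALLOW",
    "items": [
        {"blocks": ["78.11.12.2", "61.3.9.0/24"], "appId": 219810},
        {"blocks": ["79.11.12.2"]},
    ],
}


def compile_policy(policy):
    """Validate a policy and parse every block into a network object."""
    if policy.get("type") not in ("ALLOW", "REFUSE"):
        raise ValueError("type must be ALLOW or REFUSE")
    compiled = []
    for item in policy.get("items", []):
        # strict=True rejects a CIDR with host bits set (e.g. 61.3.9.5/24),
        # which is usually a typo for a single host or another prefix.
        nets = [ipaddress.ip_network(b, strict=True) for b in item["blocks"]]
        compiled.append((nets, item.get("appId")))
    return policy["type"], compiled


def is_allowed(policy, source_ip, app_id=None):
    """Return True if the request passes the policy as the page describes it."""
    kind, items = compile_policy(policy)
    addr = ipaddress.ip_address(source_ip)
    matched = any(
        # An item without appId applies to every caller; an item with appId
        # applies only to requests sent by that application.
        (wanted_app is None or wanted_app == app_id)
        and any(addr in net for net in nets)
        for nets, wanted_app in items
    )
    # ALLOW: only matching requests pass. REFUSE: matching requests are rejected.
    return matched if kind == "ALLOW" else not matched
```

Running the check over a list of known client addresses and application IDs before deployment shows which callers a policy change would lock out.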