All Products
Document Center

IP access control

Last Updated: Feb 22, 2018

IP access control is one of the API security components provided by the API Gateway and controls the source IP addresses (or IP address segments) that can call APIs. You can add an IP address to the whitelist or blacklist of an API to permit or reject the API requests from this IP address.

Functional architecture

  • A whitelist can contain IP addresses or its combination with application IDs. Requests from IP addressed not listed on whitelist will be rejected.
    • For IP addresses, only IP addresses from specified source are allowed to visit.
    • For IP address and application ID combinations, application IDs can only visit from their combined IP addresses. Visits from other IP addresses will be rejected.
  • Requests from IP addresses on the blacklist will be rejected by API Gateway.


How to use this function

Add an IP access control policy

Create an IP access control policy and bind it to the API to which the access needs to be controlled.


Create an IP access control policy

Open API Gateway Console and choose “Publish APIs” > “IP Access Control”.

Figure 1

Click “Create IP Control Policy” to display the access control creation window.

Figure 2

Enter the required information and click “OK”.

  • If you set the access control type to Allow, you are configuring a whitelist.
  • If you set the access control type to Refuse, you are configuring a blacklist.

Add a policy

After you create a whitelist or blacklist, you must enter the control policies corresponding to the list type. For a whitelist, you can enter the application ID, IP address, or combination of an application ID and an IP address. For a blacklist, enter an IP address.

Figure 3

Figure 4

Click “OK” to complete the configuration.

API binding

Bind the IP control policy to an API for the policy to take effect.

On the IP control policy list:

Figure 5

Find the required policy and bind API.

Figure 6

Select the corresponding API to bind the policy to it.

NOTE: Each API can have only one access control policy bound to it, no matter whether the policy is a blacklist or whitelist.

Delete an IP access control policy

Select a policy from the IP control policy list and delete it.

NOTE: If an IP control policy has been bound to an API, unbind it from the API before deleting it.

Check the bound API

You can find the API to which a policy is bound on the IP access control details page.


  1. When will the operation of binding or deleting an IP control policy take effect?

    On the API Gateway, a policy binding operation takes effect immediately.

  2. Can an API have different IP control policies bound in different environments?

    Yes. You can bind different IP control policies to an API in different environments. We recommend that you bind a specified IP address to the test environment and pre-release environment to ensure security of the test environment.

  3. Why is application blacklist not supported?

    API calls require application authorization. To prohibit API calls for an application, you only need to delete its authorization. Therefore, application blacklist is not needed.