API Gateway provides plug-ins of the IP Access Control type to enhance the security of API operations. These plug-ins are used to specify IP addresses or Classless Inter-Domain Routing (CIDR) blocks from which API requests can be sent. You can add an IP address to the whitelist or blacklist of an API operation to allow or reject API requests from that IP address.
When you configure a plug-in of the IP Access Control type, you can use two control modes:
- Allow: In the Allow mode, you can configure a whitelist to allow certain API requests.
The following types of whitelists are supported:
- You can configure a whitelist that includes only IP addresses. In this case, only API requests from the IP addresses in the whitelist are allowed.
- You can configure a whitelist that specifies applications and their IP addresses. In this case, each application can send API requests only from its IP addresses in the whitelist.
- Refuse: In the Refuse mode, you can configure an IP address blacklist. API Gateway rejects all API requests from the IP addresses in the blacklist.
You can configure a plug-in of the IP Access Control type in the JSON or YAML format. The two formats have the same schema and can be converted to each other by using a conversion tool. The following code snippet is a YAML template for configuring a plug-in of the IP Access Control type:
--- type: ALLOW # The control mode of the plug-in. You can set the control mode to ALLOW or REFUSE. items: - blocks: # A CIDR block from which API requests are allowed. - 184.108.40.206/24 # Specify a CIDR block. appId: 219810 # Optional. If you specify an application for a CIDR block, the CIDR block applies only to this application. - blocks: # An IP address from which API requests are allowed. - 220.127.116.11 # Specify an IP address. - blocks: # The CIDR block of a virtual private cloud (VPC) from which API requests are allowed. - 100.64.0.0/10 # Specify the CIDR block of a VPC. This item applies only to dedicated instances. When an API request is sent from a dedicated instance in a VPC, the source IP address of the API request is in the specified CIDR block.
Pay special attention to the last item in the code snippet. API Gateway allows you to send an API request from a dedicated instance in a VPC. In this example, the source IP address of the API request is in the CIDR block 100.64.0.0/10. If a dedicated instance is accessible within the VPC and also from certain public IP addresses, you can specify 100.64.0.0/10 as the source IP address of API requests that are sent from the CIDR of the VPC. You must specify the certain public IP addresses in another item if required.