IP Address filtering in API Connect Reserved Instance

By Chris Kempin posted Sun February 25, 2024 09:31 AM


As of the 10.0.5.5 level of IBM API Connect Reserved Instance, an infrastructure change makes the client IP address visible to the portal and gateway components, which is what makes filtering on it possible.

We have received several inquiries about rejecting API calls based on the IP address of the client. The recently published API Gateway User Defined Policies (UDPs) at https://github.com/ibm-apiconnect/policy-apigw/tree/master/user-defined-policies include a clientip-filter policy that allows or denies clients based on CIDR ranges.

Below is an example of how one can experiment and become familiar with this policy.

The first step is to package the policy for API Connect. Download the clientip-filter-policy.yaml file from https://github.com/ibm-apiconnect/policy-apigw/tree/master/user-defined-policies/clientip-filter and create a zip file containing only this file.

To use the policy, it must be added to each IBM API Connect catalog in which it will be used. For example, to add it to the Sandbox catalog, navigate to your provider organization (p-org), choose the “Manage catalogs” tile, and then the “Sandbox” catalog tile. Under catalog settings, choose “Gateway services” and then the “DataPower API Gateway (managed by IBM)” gateway service.

The “View policies” pulldown brings you to the “Policies” screen, where you select Upload and specify your zip file.

You will then see the clientip-filter in your policy list.

You are now able to use this policy in an API.

Switching to the “Develop” screen in our p-org, we select Add to create a new API and choose OpenAPI 3.0 and New OpenAPI as shown below.

Fill in the requisite information.

I chose to deselect the Client ID security as this is an example API.

Edit the API

In the API designer, switch to the “Gateway” tab. Under “User Defined”, you will see the “Access Control by ClientIP” user defined policy. Drag it next to the Invoke policy and the configuration panel appears. I chose to allow a CIDR that included my current IP address.

To receive a response when the API is invoked, add a “Set Variable” policy that returns the invoking IP address, as shown. This also lets you confirm which client address the gateway actually saw.

Save and make the API active. Switch to the “Test” tab and press send.

Return to the “Gateway” tab and change “allow” to “deny”.

The subsequent test is below.
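The gateway policy makes a single decision: compare the client address it sees against a list of CIDR ranges, then forward or reject depending on whether the list is an allow list or a deny list. The following is an added Python model of that decision for checking a rule list before uploading the policy to a catalog. It is not the clientip-filter policy's own code; the function names, the "allow"/"deny" mode labels, the fail-closed handling of unparseable addresses, and the X-Forwarded-For resolution helper are assumptions made for this example, and the sample addresses are constructed from documentation ranges.

```python
"""Model of an allow/deny-by-CIDR client IP filter (added example, not the policy's code)."""
import ipaddress
from typing import Iterable, Optional


def resolve_client_ip(peer_ip: str, forwarded_for: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Choose the address the filter should judge.

    Assumed approach (not taken from the policy): if the TCP peer is a trusted
    proxy, walk X-Forwarded-For from the right, skip trusted proxy hops, and use
    the first hop that is not one. If the peer is NOT a trusted proxy, the header
    could have been written by the client itself, so it is ignored and the peer
    address is used.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    if not forwarded_for or not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    # Every hop was one of our own proxies: fall back to the peer address.
    return peer_ip


def client_ip_decision(client_ip: str, cidrs: Iterable[str], mode: str = "allow") -> bool:
    """Return True if the request should be forwarded to the backend.

    mode="allow": forward only when client_ip falls inside one of the CIDRs.
    mode="deny":  forward unless client_ip falls inside one of the CIDRs.
    An address that does not parse is rejected in both modes (fail closed).
    """
    if mode not in ("allow", "deny"):
        raise ValueError(f"unknown mode: {mode!r}")
    try:
        ip = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    # strict=False accepts host-style entries such as 203.0.113.7/24.
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    # An IPv4 address never matches an IPv6 range and vice versa.
    matched = any(ip.version == net.version and ip in net for net in nets)
    return matched if mode == "allow" else not matched


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header).
    requests = [
        ("10.0.0.5", "203.0.113.7, 10.0.0.9"),   # via a trusted proxy
        ("198.51.100.1", "203.0.113.7"),          # spoofed header, untrusted peer
        ("2001:db8::1", None),                    # direct IPv6 client
    ]
    rules = ["203.0.113.0/24", "2001:db8::/32"]
    for peer, xff in requests:
        ip = resolve_client_ip(peer, xff, ["10.0.0.0/8"])
        print(f"{peer:>14} xff={xff!s:<24} judged={ip:<14} "
              f"allow={client_ip_decision(ip, rules, 'allow')} "
              f"deny={client_ip_decision(ip, rules, 'deny')}")
```

Switching the same rule list between the two modes mirrors the allow/deny test in the post: the address that passes in allow mode is exactly the one rejected in deny mode. The resolution helper is there because a CIDR rule is only as trustworthy as the address it is applied to; on the managed gateway that address is supplied by the 10.0.5.5 infrastructure change described above, so a header-based lookup like this one is only relevant if you place your own proxy in front of the gateway.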

While this is a basic example, it should provide enough information for others to experiment with the policy's capabilities. Before relying on it, also confirm the behaviour from an address outside the configured range, so that both the allow and the deny outcome are verified against a real client.
