You will need to create a custom policy where the main processing rule would have a stylesheet that can get the current request's client IP by using <xsl:variable name="ip" select="dp:client-ip-addr()"/>, and you would use the dp:ip-addr-match extension function to determine if the client IP is within the range you wish. Note that the ip-addr-match extension function does accept CIDR notation, so you can check for the client IP being within a range of IPs. If the IP isn't in range, then you'd use a dp:reject. You can also customize your HTTP status code by having a stylesheet in your policy error rule that would do something like
<xsl:call-template name="apim:error">
    <xsl:with-param name="httpCode" select="'403'" />
    <xsl:with-param name="httpReasonPhrase" select="'Forbidden'" />
    <xsl:with-param name="errorMessage" select="dp:variable('var://service/error-message')" />
</xsl:call-template>

Regards,
This question has come up from time to time, so I just pulled my sample custom policy for this from my archives and placed it in the API Connect sample custom policies at https://github.com/ibm-apiconnect/policy (look for clientIP-filter-policy). Again, just a sample, but give it a try, and if nothing else it gives you a head start. If it doesn't meet your needs, you can modify it as needed to meet your requirements.
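
The accept/reject decision described above, modeled in Python so that candidate CIDR ranges can be checked offline before they go into the policy. This is an added example, not part of the original post or the IBM sample policy; it uses Python's ipaddress module rather than dp:ip-addr-match, and the range values and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample allowlist (documentation address ranges, not from the post).
ALLOWED_RANGES = ["192.0.2.0/24", "198.51.100.17/32"]

def parse_ranges(ranges):
    """Parse CIDR strings strictly: a typo such as 192.0.2.5/24
    (host bits set) raises ValueError instead of being silently widened."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]

def normalize(client_ip):
    """Return an address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so a dual-stack listener does not bypass or break an IPv4 allowlist."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def filter_request(client_ip, networks):
    """Model of the policy outcome: None means accept; otherwise a dict with
    the same three values the error rule passes to apim:error."""
    try:
        addr = normalize(client_ip)
    except ValueError:
        # Fail closed: an unparseable client address is rejected, not allowed.
        return {"httpCode": "403", "httpReasonPhrase": "Forbidden",
                "errorMessage": "client IP could not be parsed"}
    # An IPv4 address tested against an IPv6 network (or vice versa) is
    # simply False, so mixed-version allowlists are safe.
    if any(addr in net for net in networks):
        return None
    return {"httpCode": "403", "httpReasonPhrase": "Forbidden",
            "errorMessage": f"client IP {addr} is not in an allowed range"}

if __name__ == "__main__":
    nets = parse_ranges(ALLOWED_RANGES)
    for ip in ["192.0.2.44", "::ffff:192.0.2.44", "198.51.100.18", "not-an-ip"]:
        print(ip, "->", filter_request(ip, nets) or "accept")
```
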