Product/components used and version/fix level:

Detailed explanation of the problem:

It does not work when a broad IP address range is added to the application identifiers to verify the IP address for whitelisting. The IP address range from 192.168.0.100 to 192.168.0.102 allows the application to call the API successfully when an API request with the IP address “192.168.0.101” is received, but the range from 10.0.0.0 to 192.168.255.255 does not.

The IP address is within both IP address ranges, so why is the second scenario not working?

This is to be expected since the IP address range for the second scenario combines invalid private and public IP address combinations. Please visit Difference between Private and Public IP addresses - GeeksforGeeks for more details about private addresses and public addresses.

Users can set multiple IP address ranges to whitelist both private and public IP addresses rather than setting a single, expansive IP address range.

Every infrastructure setup differs but you might consider not doing IP whitelisting at the API Gateway and instead do so before traffic even reaches the gateway. IMO, IP filtering at the network level rather than at the “application” (API GW) level offers a number of advantages.

API GW can certainly do IP filtering but likely preferable to do so there only as a last resort.