SAP Cloud Platform, API Management offers many out-of-the-box API security best practices that can be customized to your enterprise requirements. These API security best practices include security policies for authentication and authorization, traffic management and many more.
The Access Control policy allows or denies access to the API for specific client IPs or IP ranges. In this blog, we describe how to restrict access to APIs to specific client IP ranges only.
In this section, we apply the Access Control security policy from SAP Cloud Platform, API Management to restrict access to the API to selected client IP ranges.
Click on the Policies button of the newly created API Proxy.
In the Policy designer, click on the Edit button, select PreFlow under the ProxyEndPoint, and then click on the + button next to the Access Control policy in the Traffic Management Policies segment.
In the Create Policy dialog, provide a name for the policy, say restrictAccess.
In the policy snippet window, paste the sample policy provided below. Replace the IP address 10.20.30.40 with the client IP address to which you would like to grant access to the API.
In the above sample, the default rule denies access to the API, and the MatchRule filter allows access for specific IP ranges. This snippet therefore implements IP whitelisting, where API access is granted only to specific client IP ranges.
The mask value defines the range of client IP addresses that have access to the API. In the above sample, to allow access for a single client IP, set the mask value to 32; to allow access for all client IP addresses in the range X.X.*.*, set the mask value to 16.
Another flavor of restricting API access based on client IP address is to have a default rule that allows access for all client IP addresses and to deny access for known malicious IP addresses, which is commonly known as IP blacklisting. The Access Control policy sample provided below can be used to achieve this scenario.
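As an added example (not part of the original blog and not SAP's own code), the following Python models how both policy styles above are evaluated against a client IP: an IP whitelist with a DENY default and an IP blacklist with an ALLOW default, using the mask semantics just described. The element and attribute names (AccessControl, IPRules, noRuleMatchAction, MatchRule, SourceAddress) follow the Apigee-style AccessControl format and are an assumption about SAP's exact schema; all addresses are constructed sample values.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, IP whitelisting: default DENY, listed ranges allowed.
# mask="32" matches exactly one host; mask="16" matches X.X.*.*.
WHITELIST_POLICY = """
<AccessControl name="restrictAccess">
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">10.20.30.40</SourceAddress>
      <SourceAddress mask="16">192.168.0.0</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>
"""

# Constructed sample, IP blacklisting: default ALLOW, listed ranges denied.
BLACKLIST_POLICY = """
<AccessControl name="blockAccess">
  <IPRules noRuleMatchAction="ALLOW">
    <MatchRule action="DENY">
      <SourceAddress mask="32">203.0.113.7</SourceAddress>
      <SourceAddress mask="24">198.51.100.0</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>
"""

def evaluate(policy_xml: str, client_ip: str) -> str:
    """Return "ALLOW" or "DENY" for client_ip under an AccessControl policy.

    Element names are assumed to follow the Apigee-style AccessControl schema.
    MatchRules are checked in document order; the first SourceAddress whose
    address/mask network contains the client decides, else the default applies.
    """
    ip_rules = ET.fromstring(policy_xml.strip()).find("IPRules")
    default = ip_rules.get("noRuleMatchAction", "ALLOW").upper()
    client = ipaddress.ip_address(client_ip)
    for rule in ip_rules.findall("MatchRule"):
        for src in rule.findall("SourceAddress"):
            mask = int(src.get("mask", "32"))
            # strict=False lets a host address stand in for its /mask network.
            network = ipaddress.ip_network(f"{src.text.strip()}/{mask}", strict=False)
            if client in network:
                return rule.get("action", default).upper()
    return default

if __name__ == "__main__":
    print(evaluate(WHITELIST_POLICY, "192.168.77.5"), evaluate(BLACKLIST_POLICY, "8.8.8.8"))
```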