IP Restriction rule

Use the IP Restriction rule to restrict access based on the client IP address of the request.

Restricts access based on the client IP address where the request originated. If the request doesn't meet the configured requirements, it is rejected with a 403 Forbidden error.

Restricting access to Tasks based on the client’s IP address is an extra layer of security for protecting your Snaplex nodes. By analyzing the access logs on the nodes, you can determine the range of IP addresses in use, and you can configure this rule accordingly.

Important:
  • We return the IP address of the client or last proxy that sent the request.
  • You cannot use request.remoteUser or request.isUserInRole() functions with the Early Request Validator rule, which is applied before authentication. Instead, use the Authorized Request Validator rule and set the Condition parameter to the Boolean returned by these functions.

Prerequisite

You must configure the Groundplex load balancer correctly to forward the client IP address to the API endpoint. Only when the client IP address is captured correctly can the blocked IP address be displayed accurately in the error message for the 403 error.

Rule execution order

This IP Restriction rule executes early in request processing to limit the effects of excessive requests from blocked IP addresses.

Note: All expression-enabled fields in API Policies take expressions from Understanding Expressions in SnapLogic and the API Policy Manager Functions.

Field: Description

When this rule should be applied: An expression that defines one or more conditions that must be true for the rule to execute.
Default value: True
Example: The expression request.method == "POST" causes the rule to execute only on POST requests.

Allowlist IP's: The list of IP ranges that are to be allowed. If empty, only the Denylist ranges will be considered.
  • Start IP: The starting IP address of the range.
    Default value: N/A
    Example: 203.0.113.0
  • End IP: The ending IP address of the range (inclusive). If this value is not given, the starting IP will be used, effectively allowing only that IP address.
    Default value: N/A
    Example: 203.0.113.8
  • Description: The description of the range.

Denylist IP's: The list of IP ranges that are to be blocked. If there are also IPs on the Allowlist, the Denylist takes precedence.
  • Start IP: The starting IP address of the range.
    Default value: N/A
    Example: 192.0.2.10
  • End IP: The ending IP address of the range (inclusive). If this value is not given, the starting IP will be used, effectively blocking only that IP address.
    Default value: N/A
    Example: 192.0.2.11
  • Description: The description of the range.

Description: Required. A brief description of this rule.
Default value: Only requests from the specified IP addresses are being accepted
Example: Allow/Deny IPs
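
The Allowlist and Denylist semantics described above (inclusive ranges, a missing End IP meaning a single address, an empty Allowlist, and Denylist precedence) can be checked against a planned configuration before it is deployed. The following is an added example, not SnapLogic code: the function names and the sample ranges, including the overlap between the two lists, are constructed for illustration. The address passed in is whatever the node sees as the client IP, which is the client or the last proxy.

```python
import ipaddress

def in_range(ip, start, end=None):
    """Inclusive Start IP..End IP match; a missing End IP means Start IP only."""
    addr = ipaddress.ip_address(ip)
    lo = ipaddress.ip_address(start)
    hi = ipaddress.ip_address(end) if end else lo
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid range {start}-{end}")
    # IPv4 and IPv6 addresses are not comparable, so check the family first.
    return addr.version == lo.version and lo <= addr <= hi

def is_allowed(client_ip, allowlist, denylist):
    """Return True if the request passes, False if it would get 403 Forbidden."""
    # The Denylist takes precedence over the Allowlist.
    if any(in_range(client_ip, *r) for r in denylist):
        return False
    # An empty Allowlist means only the Denylist is considered.
    if allowlist and not any(in_range(client_ip, *r) for r in allowlist):
        return False
    return True

# Constructed sample configuration (documentation-reserved address ranges).
# Each entry is (Start IP, End IP) or (Start IP,) for a single address.
ALLOWLIST = [("203.0.113.0", "203.0.113.8"), ("192.0.2.0", "192.0.2.255")]
DENYLIST = [("192.0.2.10", "192.0.2.11")]

if __name__ == "__main__":
    for ip in ["203.0.113.8", "203.0.113.9", "192.0.2.10", "192.0.2.12"]:
        verdict = "allowed" if is_allowed(ip, ALLOWLIST, DENYLIST) else "403 Forbidden"
        print(ip, verdict)
```

Running the same check over the client addresses found in the node access logs shows which existing callers a new rule would reject.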