IP Restriction 

Overview

Use the IP Restriction policy to restrict access based on the client IP address of the request. If the request does not meet the configured requirements, it is rejected with a 403 Forbidden error.

Restricting access to Tasks based on the client’s IP address is an extra layer of security for protecting your Snaplex nodes. By analyzing the access logs on the nodes, you can determine the range of IP addresses in use, and you can configure this policy accordingly.

We return the IP address of the client or last proxy that sent the request.

Load Balancer Prerequisite

You must configure the Groundplex load balancer correctly to forward the client IP address to the API endpoint. Only when the client IP address is captured correctly can the blocked IP address be displayed accurately in the error message for the 403 error.

NOTE: You cannot use request.remoteUser or request.isUserInRole() functions with the Early Request Validator policy, which is applied before authentication. Instead, use the Authorized Request Validator policy and set the Condition parameter to the Boolean returned by these functions.

Policy Execution Order

This IP Restriction policy executes early in request processing to limit the effects of excessive requests from blocked IP addresses.

Expression Enabled Fields in API Policies

All expression-enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.

Settings

| Parameter Name | Description | Default Value | Example |
|---|---|---|---|
| Label | Required. The name for the API policy. | IP Restriction | IP-Restriction-DevShared |
| When this policy should be applied | An expression-enabled field that determines the condition to be fulfilled for the API policy to execute. | True | request.method == "POST" |
| Allowlist IPs | The list of IP ranges that are to be allowed. If empty, only the Denylist ranges will be considered. | N/A | N/A |
| Start IP | The starting IP address of the range. | N/A | 203.0.113.0 |
| End IP | The ending IP address of the range (inclusive). If this value is not given, the starting IP will be used, effectively allowing only that IP address. | N/A | 203.0.113.8 |
| Description | The description of the range. | N/A | DevShared |
| Denylist IPs | The list of IP ranges that are to be blocked. If there are also IPs on the Allowlist, the Denylist takes precedence. | N/A | N/A |
| Start IP | The starting IP address of the range. | N/A | 192.0.2.10 |
| End IP | The ending IP address of the range (inclusive). If this value is not given, the starting IP will be used, effectively allowing only that IP address. | N/A | 192.0.2.11 |
| Description | The description of the range. | N/A | 3rd_party_users |
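
The range rules described in the Settings (inclusive End IP, a missing End IP meaning the Start IP alone, Denylist precedence, and an empty Allowlist) can be modelled in Python to check a planned configuration against addresses taken from your access logs. This is an added example, not SnapLogic's implementation; the function names, the sample client addresses, and the overlapping single-address Denylist entry are assumptions made for illustration.

```python
import ipaddress

# Constructed configuration reusing the example ranges from the Settings table.
# The single-address Denylist entry (no End IP) is an assumption added to show overlap.
ALLOWLIST = [("203.0.113.0", "203.0.113.8", "DevShared")]
DENYLIST = [
    ("192.0.2.10", "192.0.2.11", "3rd_party_users"),
    ("203.0.113.5", None, "constructed overlap with DevShared"),
]

def in_range(addr, start, end=None):
    """True if addr is within [start, end]; End IP is inclusive and optional."""
    lo = ipaddress.ip_address(start)
    hi = ipaddress.ip_address(end) if end else lo  # no End IP: Start IP only
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid range {start} - {end}")
    return addr.version == lo.version and lo <= addr <= hi

def decide(client_ip, allowlist, denylist):
    """Return (allowed, reason) for one client IP (hypothetical helper)."""
    addr = ipaddress.ip_address(client_ip)
    for start, end, desc in denylist:  # Denylist takes precedence
        if in_range(addr, start, end):
            return False, f"denylist: {desc}"
    if not allowlist:  # empty Allowlist: only the Denylist is considered
        return True, "no allowlist configured"
    for start, end, desc in allowlist:
        if in_range(addr, start, end):
            return True, f"allowlist: {desc}"
    return False, "not on allowlist"

if __name__ == "__main__":
    # Constructed client addresses, e.g. as they might appear in node access logs.
    for ip in ["203.0.113.8", "203.0.113.9", "203.0.113.5", "192.0.2.11", "2001:db8::1"]:
        allowed, reason = decide(ip, ALLOWLIST, DENYLIST)
        print(f"{ip:15} {'pass' if allowed else '403 Forbidden'}  ({reason})")
```

Test with the address the policy will actually see: as stated in the Overview, that is the client or the last proxy that sent the request, so a misconfigured load balancer changes which entry matches.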