API Access Control Lists
In API Connectivity Manager, you can apply global policies to API Gateways and Developer Portals to ensure your organization’s security requirements are enforced.
When you add policies at the environment level, they will apply to all proxies hosted within that environment.
See the Learn about Policies topic for an overview of the different policy types and available policies.
Complete the following prerequisites before proceeding with this guide:
- API Connectivity Manager is installed, licensed, and running.
- You have one or more Environments with API Gateway or Dev Portal clusters.
- You have published one or more API Gateways or Developer
This guide provides instructions for completing tasks using the API Connectivity Manager user interface (UI).
To access the UI, go to the FQDN of your NGINX Instance Manager host and log in. On the Launchpad menu, select “API Connectivity Manager.”
You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.
Follow the steps in this section to allow or deny access to your API Gateways or Developer Portals for specific IP addresses or CIDR blocks using an ACL policy.
- In the API Connectivity Manager user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Proxy.
- Select Edit Proxy from the Actions menu for the desired API Proxy.
- On the Policies tab, select Add Policy from the Actions menu.
- Provide the desired Allowed IP Addresses and/or Denied IP Addresses. Valid values include IPv4, IPv6, and CIDR blocks. To allow or deny all, use the * symbol.
```json
"policies": {
    "acl-ip": [
        {
            "action": {
                "deny": ["*"], // Populate this array with your denied IP addresses
                "allow": ["10.0.0.1"]
            }
        }
    ]
}
```
- If you only set an allow list, the deny list defaults to deny all, and vice versa.
- IP addresses that are not explicitly allowed are denied. To allow IP addresses by default, include the * symbol in the allow list.
- The most specific matching rule is used to allow or deny traffic. For example, individual IP addresses take priority over CIDR blocks, and smaller CIDR blocks take priority over larger ones.
- Attempt to contact the API Gateway or Developer Portal from a denied IP address. The host should return the default 403 Forbidden return code or the custom return code you have set.
- Contact the API Gateway or Developer Portal from an allowed IP address. The traffic should not be denied.
Specific consumer client IDs or token claims can be denied or allowed access to your API Gateways or Developer Portals by following the steps in this section.
- In the API Connectivity Manager user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Gateway or Dev Portal.
- Select Edit Advanced Config from the Actions menu for the desired API Gateway or Dev Portal.
- On the Policies tab, select Add Policy from the Actions menu for the ACL Consumer Restriction Policy.
- Set the lookupVariable. To restrict users by client ID when using APIKey Authentication or Basic Authentication, use “client.id”. For a token-based policy such as JSON Web Token Assertion or OAuth2 Introspection, use “token.{claimKey}”. For example, “token.sub” uses the sub claim of a JWT.
- Provide the desired Allowed List and/or Denied List.
```json
"policies": {
    "acl-consumer": [
        {
            "action": {
                "lookupVariable": "client.id",
                "allow": ["allowed-user"],
                "deny": ["denied-user"]
            }
        }
    ]
}
```
- If you only set an allow list, the deny list defaults to deny all, and vice versa.
- If neither list contains a wildcard, values that are not explicitly allowed are denied by default.
- Attempt to contact the API Gateway or Developer Portal using a client that has been denied. The host should return the default 403 Forbidden return code.
- Attempt to contact the API Gateway or Developer Portal using an allowed client. The traffic should be successfully proxied.
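To make the precedence rules from both sections concrete (most specific IP rule wins, a missing list defaults to deny all or allow all, consumer values not explicitly allowed are denied), here is an added model of the acl-ip and acl-consumer decision logic as the page describes it. It is example code written for this page, not API Connectivity Manager's implementation; the tie-break rule (an entry matched equally by both lists is denied) and the ranking of * below any CIDR block are assumptions.

```python
import ipaddress

# Added illustration of the documented acl-ip and acl-consumer rules (not ACM's
# own code). Assumed tie-break: a match of equal specificity in both lists is
# denied; '*' ranks below any CIDR block.

def _specificity(entry, addr):
    """Rank of a matching entry for addr, or None if it does not match.
    '*' matches everything at the lowest rank; a host entry (/32, /128) ranks
    highest, and smaller CIDR blocks rank above larger ones."""
    if entry == "*":
        return -1
    net = ipaddress.ip_network(entry, strict=False)
    # 'in' is False across IP versions, so IPv4 entries never match IPv6 clients.
    return net.prefixlen if addr in net else None

def _best_match(entries, addr):
    """Rank of the most specific entry matching addr, or None."""
    ranks = [r for e in entries if (r := _specificity(e, addr)) is not None]
    return max(ranks) if ranks else None

def evaluate_acl_ip(client_ip, allow=(), deny=()):
    """True if client_ip is allowed. A missing list defaults to ['*'] as the
    page states, and the most specific matching rule decides."""
    if not allow and not deny:
        raise ValueError("acl-ip policy needs an allow list or a deny list")
    allow, deny = list(allow) or ["*"], list(deny) or ["*"]
    addr = ipaddress.ip_address(client_ip)
    best_allow = _best_match(allow, addr)
    best_deny = _best_match(deny, addr)
    if best_allow is None:
        return False                  # not explicitly allowed: denied by default
    if best_deny is None:
        return True
    return best_allow > best_deny     # equal specificity: deny (assumption)

def evaluate_acl_consumer(lookup_value, allow=(), deny=()):
    """True if the lookupVariable value (e.g. client.id or token.sub) is
    allowed. Explicit entries beat the '*' wildcard; without a wildcard in
    the allow list, unlisted values are denied."""
    if not allow and not deny:
        raise ValueError("acl-consumer policy needs an allow list or a deny list")
    allow, deny = list(allow) or ["*"], list(deny) or ["*"]
    if lookup_value in deny:
        return False
    if lookup_value in allow:
        return True
    return "*" in allow and "*" not in deny
```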