
IP whitelisting in an internet-facing environment where public IPs are dynamic

Hello,

We have a use case where a client asked us to implement whitelisting and allow only a set of IPs provided by them. The public IPs provided by them are static and we don't have any issues implementing them, but for testing and internal purposes I provided my public IP address, and it is dynamic. How do we handle this scenario while sticking to the client's requirement? If we can't, do we have any alternative solutions other than mTLS and whitelisting while keeping security in mind?

Appreciate any input!

1 ACCEPTED SOLUTION

Hi @Mitra_Subburaj!
Thanks for the details!

If team members are working in an environment where they don't have a fixed IP address/dedicated IP range, then it doesn't make sense to implement IP filtering; it would mean that your API is available for everybody in this universe.

I suggest you use the IP filter only as an additional security layer.
For instance, you should implement OAuth, or set up mTLS, or at least require an API key / basic auth.

Before going forward, please clarify whether the team members are working remotely, from 100% public internet, or whether they would use that API via some corporate VPN / internal network.

Best regards,
Marcello


Hi @Mitra_Subburaj!
I'm not 100% sure that I see the issue here, but let's give it a try.
So if I'm not mistaken,

  1. you've successfully implemented the IP whitelisting function
  2. you're having trouble testing it, due to the lack of a fixed IP address

What I would do in this case is
a) use some (VPN) service that provides you a static IP; there are plenty of them, for reasonable prices. I personally use NordVPN. Here is the link, but it's also possible that you don't even need a dedicated fixed IP address, just use one of the servers that the service provider offers you.

https://nordvpn.com/features/dedicated-ip/

b) you can ask your system/network admin to set up an environment/remote server etc. for you with a fixed IP that you can use for testing purposes.

I hope I could help; if not, then please provide more details / broader context of the problem.

Best regards,
Marcello

@MarciSoos Thank you for the input!

This might sound like a bit of a dumb question to ask, but the IPs that we configure in the AccessControl policy have to be public IPs, right?

And yes, like you mentioned, the IPs provided by the client are static ones and they are able to access the proxy, but in order to provide access to the internal team members, is there a way to configure it without using any VPN?

@MarciSoos Exactly, we are not using IP whitelisting as the only security measure; this is just an additional layer of security on top of OAuth.

Coming to the environment, it's not completely public: some envs are internet-facing and some envs are not, and we are adding this policy only to the envs that are internet-facing.

Hi, @Mitra_Subburaj.

Could you please clarify which GCP service is using this dynamic public IP? Is it associated with a serverless application or a VM or perhaps a GKE-based service?


Regards,
Mokit

Hi @mokit, this is regarding the Access control policy in APIGEE, which requires static public IPs in order to whitelist them.
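
The layering discussed in this thread (an Apigee AccessControl allowlist as an extra check on top of OAuth token verification), as an added example that is not from any poster or from the client's configuration. The policy names, the file layout and the addresses (taken from the documentation-only ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed placeholders.

```xml
<!-- policies/AC-AllowClientIPs.xml (hypothetical name) -->
<!-- Default-deny: any source address that matches no rule is rejected. -->
<AccessControl name="AC-AllowClientIPs">
  <IPRules noRuleMatchAction="DENY">
    <!-- Client's static range (placeholder) -->
    <MatchRule action="ALLOW">
      <SourceAddress mask="24">203.0.113.0</SourceAddress>
    </MatchRule>
    <!-- One fixed egress address for internal testers, e.g. a VPN or
         test server with a static IP (placeholder) -->
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">198.51.100.7</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>

<!-- policies/OA-VerifyToken.xml (hypothetical name) -->
<!-- Authentication stays mandatory; the IP rule above is only a second layer. -->
<OAuthV2 name="OA-VerifyToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- Fragment of proxies/default.xml: both checks run on every request,
     before any conditional flow. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>AC-AllowClientIPs</Name>
    </Step>
    <Step>
      <Name>OA-VerifyToken</Name>
    </Step>
  </Request>
  <Response/>
</PreFlow>
```

With `noRuleMatchAction="DENY"`, a tester on a changing public IP is rejected before the token is checked, so internal access has to come through an address that can be listed as a fixed rule.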