End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.

Access Control Routing

Learn how to restrict access to your application servers based on JWT claims or header values.

Overview

In API Connectivity Manager, you can apply global policies to API Gateways and Developer Portals to ensure your organization’s security requirements are enforced.

When you add policies at the environment level, they will apply to all proxies hosted within that environment.

See the Learn about Policies topic for an overview of the different policy types and available policies.

Before You Begin

Complete the following prerequisites before proceeding with this guide:

  • API Connectivity Manager is installed, licensed, and running.
  • You have one or more Environments with API Gateway or Dev Portal clusters.
  • You have published one or more API Gateways or Developer Portals with either JSON Web Token Assertion or OAuth2 Introspection enabled.

How to Access the User Interface

This guide provides instructions for completing tasks using the API Connectivity Manager user interface (UI).

To access the UI, go to the FQDN of your NGINX Management Suite host and log in. On the Launchpad menu, select “API Connectivity Manager.”

How to Access the REST API

You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.

Create Access Control Routing Policy

Take the steps in this section if you would like to restrict access to Advanced Routes or HTTP methods based on either request headers or JWT tokens.

  1. In the API Connectivity Manager user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Proxy.
  2. Select Edit Proxy from the Actions menu for the desired API Proxy.
  3. On the Policies tab, select Add Policy from the Actions menu.
  4. Select Add route to configure a rule. Select one or more keys and the approved values that will be checked before the end user is allowed to access the API. Optionally, select an Advanced Route or a list of HTTP methods to restrict the Access Control check to requests that match that configuration.
  5. Optionally, set the return code to send for requests that do not satisfy the specified condition.

"policies": {
    "access-control-routing": [
        {
            "action": {
                "conditions": [
                    {
                        "allowAccess": {
                            "httpMethods": ["GET"]
                        },
                        "when": [
                            {
                                "key": "token.role",
                                "matchType": "STRING",
                                "matchOneOf": {
                                    "values": [
                                        "admin"
                                    ]
                                }
                            },
                            {
                                "key": "token.sub",
                                "matchType": "REGEX",
                                "matchOneOf": {
                                    "values": [
                                        "^.*test.com"
                                    ]
                                }
                            }
                        ]
                    }
                ]
            }
        }
    ]
}

Note:
  • Any requests which do not match a specified condition will be allowed to access the API Gateway or Developer Portal. Adding a rule with no route or HTTP method specified means that
  • Adding multiple match conditions in a rule requires that all conditions are matched in order to access the API.
  • Adding the same configuration of route and HTTP method to multiple rules will be treated as an OR condition.
  • Any requests which match multiple rules will be checked from most to least specific.
  • If matchType is not specified, STRING will be used.
  • If the token claim is an array value, STRING and REGEX behave differently.
    • STRING will match if any of the values contained in the array match one of the values.
    • REGEX will check against the array converted to a comma-separated string. For example, [ "first", "second", "third" ] will become first,second,third when the regular expression is checked against it.
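
The matching rules in the note above, modelled in Python as an added example (not NGINX code and not part of the original documentation), so a policy's "when" list can be checked against sample claims before it is published. The function names, the "groups" claim, the sample claims and the tightened patterns are constructed for illustration, and the model assumes REGEX values are applied as an unanchored search.

```python
import re

# The "when" list from the policy above.
WHEN = [
    {"key": "token.role", "matchType": "STRING",
     "matchOneOf": {"values": ["admin"]}},
    {"key": "token.sub", "matchType": "REGEX",
     "matchOneOf": {"values": ["^.*test.com"]}},
]

def condition_matches(cond, claims):
    """Model of one "when" entry checked against decoded JWT claims."""
    claim = claims.get(cond["key"].split(".", 1)[-1])  # "token.role" -> "role"
    if claim is None:
        return False
    allowed = cond["matchOneOf"]["values"]
    if cond.get("matchType", "STRING") == "STRING":  # STRING is the default
        # Array claim: matches if any element equals an approved value.
        items = claim if isinstance(claim, list) else [claim]
        return any(str(item) in allowed for item in items)
    # REGEX: an array claim is tested as one comma-separated string.
    subject = ",".join(map(str, claim)) if isinstance(claim, list) else str(claim)
    # Assumption: unanchored search, so only explicit ^ and $ pin the match.
    return any(re.search(pattern, subject) for pattern in allowed)

def rule_allows(when, claims):
    """Every condition in a rule must match (AND)."""
    return all(condition_matches(cond, claims) for cond in when)

def regex_cond(key, pattern):
    """Build a single REGEX condition (helper for the checks below)."""
    return {"key": key, "matchType": "REGEX", "matchOneOf": {"values": [pattern]}}

if __name__ == "__main__":
    # All claims below are constructed sample values.
    groups = {"groups": ["viewer", "admin"]}  # "groups" is a made-up claim name
    loose_sub = {"role": "admin", "sub": "mallory@test.com.example.org"}
    tight = regex_cond("token.sub", r"^[^@,]+@test\.com$")
    for label, result in [
        ("array role, test.com sub", rule_allows(WHEN, {"role": ["viewer", "admin"], "sub": "alice@test.com"})),
        ("sample pattern, trailing domain", rule_allows(WHEN, loose_sub)),
        ("tightened pattern, trailing domain", condition_matches(tight, loose_sub)),
        ("^admin$ against array", condition_matches(regex_cond("token.groups", "^admin$"), groups)),
        ("(^|,)admin(,|$) against array", condition_matches(regex_cond("token.groups", "(^|,)admin(,|$)"), groups)),
    ]:
        print(f"{label}: {result}")
```

Under the stated assumption, the sample pattern ^.*test.com accepts any sub that contains "test", one arbitrary character, then "com"; escaping the dot and anchoring the end restricts it to the intended domain. For array claims, a REGEX value has to account for the comma separators, because ^ and $ refer to the whole joined string rather than to each element.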

Verification

  1. Attempt to contact the API Gateway or Developer Portal from a client.
  2. Contact the IP address from an allowed IP address. The traffic should not be denied.