Set Up Access Control Lists

Learn how to protect your upstream TCP application servers by denying or allowing access from specific client IP addresses, CIDR blocks, client IDs, or JWT claims.

Overview

In NGINX Management Suite API Connectivity Manager (ACM), you can apply global policies to API Gateway and Developer Portal clusters to ensure your organization’s security requirements are enforced.

When you add policies at the environment level, they will apply to all proxies hosted within that environment.

See the Learn about Policies topic for an overview of the different policy types and available policies.


Before You Begin

Complete the following prerequisites before proceeding with this guide:

How to Access the User Interface

This guide provides instructions for completing tasks using the NGINX Management Suite API Connectivity Manager user interface (UI).

To access the UI, go to the FQDN of your NGINX Management Suite host and log in. On the Launchpad menu, select “API Connectivity Manager.”

How to Access the REST API

You can use tools such as curl or Postman to interact with the NGINX Management Suite API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION>.

When making API calls by using curl, Postman, or any other tool, you need to provide your authentication information with each call. Refer to the API Overview for more information about authentication options.


Create ACL IP Restriction Policy

Take the steps in this section if you would like to deny or allow access to your API Gateways or Developer Portals to specific IP addresses or CIDR blocks with ACL lists.

  1. In the ACM user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Gateway or Dev Portal.
  2. Select Edit Advanced Config from the Actions menu for the desired API Gateway or Dev Portal.
  3. On the Policies tab, select Add Policy from the Actions menu.
  4. Provide the desired Allowed IP Addresses and/or Denied IP Addresses. Valid values include IPv4, IPv6, and CIDR blocks. To allow or deny all, use the * symbol.

"policies": {
    "acl-ip": [
        {
            "action": {
                "deny": ["*"],          // Populate this array with your denied IP addresses
                "allow": ["10.0.0.1"]   // Populate this array with your allowed IP addresses
            }
        }
    ]
}
Note:
  • If you only set an allow list, then the deny list will default to deny all and vice versa.
  • If IP addresses are not explicitly denied they will be allowed. To deny IP addresses as default, include the * symbol in the deny list.
  • The most specific rule applied will be used to allow or deny traffic. For example, IP addresses take priority over CIDR blocks. Smaller CIDR blocks take priority over larger ones.
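The precedence rules in the note above, worked through as an added example (this is illustrative code written for this page, not ACM's own matching logic): a missing list falls back to its wildcard, and the most specific matching entry wins, so a host address beats a CIDR and a smaller CIDR beats a larger one. The tie-break when both lists match at the same specificity is not stated on the page; this example assumes deny wins.

```python
import ipaddress

def _specificity(entry, addr):
    """Prefix length of an ACL entry that covers addr, or None if it does not.
    '*' covers everything with specificity -1, so any explicit rule beats it."""
    if entry == "*":
        return -1
    net = ipaddress.ip_network(entry, strict=False)   # "10.0.0.1" -> 10.0.0.1/32
    if net.version != addr.version or addr not in net:
        return None
    return net.prefixlen

def _best_match(entries, addr):
    """Highest specificity among the entries that cover addr (None if none match)."""
    hits = [s for s in (_specificity(e, addr) for e in entries) if s is not None]
    return max(hits) if hits else None

def acl_ip_decision(action, client_ip):
    """Return 'allow' or 'deny' for client_ip under an acl-ip "action" object.
    Modelled on the page's notes: a missing or empty list defaults to its
    wildcard (allow-only config denies everything else, deny-only config allows
    everything else); the most specific matching entry wins (host address >
    small CIDR > large CIDR > '*'); an address matched by neither list is
    allowed. Equal specificity on both lists is an assumption: deny wins."""
    addr = ipaddress.ip_address(client_ip)
    allow = action.get("allow") or ["*"]
    deny = action.get("deny") or ["*"]
    best_allow = _best_match(allow, addr)
    best_deny = _best_match(deny, addr)
    if best_deny is None:
        return "allow"          # not explicitly denied -> allowed
    if best_allow is None:
        return "deny"
    return "allow" if best_allow > best_deny else "deny"

# Constructed sample action in the same shape as the policy above: deny
# everything and a /8, but carve out one host and one /24 inside that /8.
SAMPLE_ACTION = {
    "deny": ["*", "10.0.0.0/8"],
    "allow": ["10.0.0.1", "10.0.1.0/24"],
}

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.1.77", "10.0.2.5", "192.168.1.1", "2001:db8::1"):
        print(ip, "->", acl_ip_decision(SAMPLE_ACTION, ip))
```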

Verification

  1. Attempt to contact the API Gateway or Developer Portal from a denied IP address. The host should return the default 403 Forbidden return code or the custom return code you have set.
  2. Contact the API Gateway or Developer Portal from an allowed IP address. The traffic should not be denied.

Create ACL Consumer Restriction Policy

Specific consumer client IDs or token claims can be denied or allowed access to your API Gateways or Developer Portals by following the steps in this section.

  1. In the ACM user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Gateway or Dev Portal.
  2. Select Edit Advanced Config from the Actions menu for the desired API Gateway or Dev Portal.
  3. On the Policies tab, select Add Policy from the Actions menu for the ACL Consumer Restriction Policy.
  4. Set the lookupVariable. To restrict access based on APIKey Authentication or Basic Authentication, use “client.id” to limit the user by client ID. For a token-based policy such as JSON Web Token Assertion or OAuth2 Introspection, use “token.{claimKey}”. For example, “token.sub” uses the sub claim of a JWT.
  5. Provide the desired Allowed List and/or Denied List.

"policies": {
    "acl-consumer": [
        {
            "action": {
                "lookupVariable": "client.id",
                "allow": ["allowed-user"],
                "deny": ["denied-user"]
            }
        }
    ]
}
Note:
  • If you only set an allow list, then the deny list will default to deny all and vice versa.
  • If neither list contains a wildcard, values that are not explicitly allowed are denied by default.

Verification

  1. Attempt to contact the API Gateway or Developer Portal using a client that has been denied. The host should return the default 403 Forbidden return code.
  2. Attempt to contact the API Gateway or Developer Portal from an allowed client. The traffic should be successfully proxied.