End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.

API Access Control Lists

Learn how to protect your upstream TCP application servers by denying/allowing access from certain client IP addresses, CIDR blocks, client IDs or JWT Claims.

Overview

In API Connectivity Manager, you can apply global policies to API Gateways and Developer Portals to ensure your organization’s security requirements are enforced.

When you add policies at the environment level, they will apply to all proxies hosted within that environment.

See the Learn about Policies topic for an overview of the different policy types and available policies.


Before You Begin

Complete the following prerequisites before proceeding with this guide:

How to Access the User Interface

This guide provides instructions for completing tasks using the API Connectivity Manager user interface (UI).

To access the UI, go to the FQDN of your NGINX Management Suite host and log in. On the Launchpad menu, select “API Connectivity Manager.”

How to Access the REST API

You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.


Create ACL IP Restriction Policy

Take the steps in this section if you would like to deny or allow access to your API Gateways or Developer Portals to specific IP addresses or CIDR blocks with ACL lists.

  1. In the API Connectivity Manager user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Proxy.
  2. Select Edit Proxy from the Actions menu for the desired API Proxy.
  3. On the Policies tab, select Add Policy from the Actions menu.
  4. Provide the desired Allowed IP Addresses and/or Denied IP Addresses. Valid values include IPv4, IPv6, and CIDR blocks. To allow or deny all, use the * symbol.

"policies": {
            "acl-ip": [
                {
                    "action": {
                        "deny": ["*"], // Polulate this array with your denied IP addresses
                        "allow": ["10.0.0.1"]
                    }
                }
            ]
        }
Note:
  • If you only set an allow list, then the deny list will default to deny all and vice versa.
  • If IP addresses are not explicitly allowed they will be denied. To allow IP addresses as default, include the * symbol in the allow list.
  • The most specific rule applied will be used to allow or deny traffic. For example, IP addresses take priority over CIDR blocks. Smaller CIDR blocks take priority over larger ones.

Verification

  1. Attempt to contact the API Gateway or Developer Portal from a denied IP address. The host should return the default 403 Forbidden return code or the custom return code you have set.
  2. Contact the IP address from an allowed IP address. The traffic should not be denied.

Create ACL Consumer Restriction Policy

Specific consumer client IDs or token claims can be denied or allowed access to your API Gateways or Developer Portals by following the steps in this section.

  1. In the API Connectivity Manager user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Gateway or Dev Portal.
  2. Select Edit Advanced Config from the Actions menu for the desired API Gateway or Dev Portal.
  3. On the Policies tab, select Add Policy from the Actions menu for the ACL Consumer Restriction Policy.
  4. Set the lookupVariable. To route based on either the APIKey Authentication or Basic Authentication, use “client.id” to limit the user based on client ID. For a token-based policy such as JSON Web Token Assertion or OAuth2 Introspection, you should use “token.{claimKey}. For example: “token.sub” would use the sub claim of a JWT Token.
  5. Provide the desired Allowed List and/or Denied List.

"policies": {
            "acl-consumer": [
                {
                    "action": {
                        "lookupVariable": "client.id",
                        "allow": ["allowed-user"],
                        "deny": ["denied-user"]
                    }
                }
            ]
        }
Note:
  • If you only set an allow list, then the deny list will default to deny all and vice versa.
  • If values are not allowed, they will be denied by default if neither list contains a wildcard.

Verification

  1. Attempt to contact the API Gateway or Developer Portal from a denied using a client that has been denied. The host should return the default 403 Forbidden return code.
  2. Attempt to contact the API Gateway or Developer Portal from an allowed client. The traffic should should be successfully proxied.