If I were to use Apigee Edge between my customer and us what IP restriction options are available?
Specifically:
- inbound options where I can restrict customer IP ranges when they connect to Apigee
- outbound options where the traffic flows from Apigee to our network, in which case all we need are the IP ranges used by Apigee (is there a static option enabled by calling support or self configuration) to be listed on our whitelist
What are the definitions of Northbound and Southbound as mentioned in some of the articles? Please elaborate.
Good questions.
I think we use “Northbound” and “Southbound” sort of informally, without defining them. The analogy is to computer engineering parlance. In general,
- “northbound” implies the interface facing the client, consumer, customer, or caller. This is inbound from the perspective of the API proxy.
- “southbound” refers to the backend connection to an existing API implementation. Outbound from the perspective of the API Proxy.
To enforce inbound IP range restrictions on the northbound interface, you can use the AccessControl policy in an Apigee Edge proxy.
To get the IP addresses that your Apigee proxies use on the Southbound interface, you can inquire with Apigee Support if you have an enterprise license. For Edge trial or “Apigee Edge Start”, there is no fixed set of IP addresses for whitelisting.
In general we recommend that you configure 2-way TLS between Apigee Edge and your systems, on the southbound interface. That means you would self-issue a key, or get a cert+key from your CA, and provision it into Apigee Edge. And you’d also do the same and provision it on your firewall. Then both systems can authenticate the other. This is a best practice, and will work better in elastic cloud-based systems. Cloud-based systems may get moved or may scale out, leading to IP address changes. This means IP range based security is rather brittle.
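As an added illustration (not code from the thread or from Apigee), the following Python models what a northbound IP allowlist such as the AccessControl policy has to do behind a load balancer: match the caller against ordered CIDR rules, and decide which address in the X-Forwarded-For chain to treat as the client. The rule set, the addresses and the mode names (FIRST, LAST, ALL) are my own constructed examples; the RFC 5737 range 203.0.113.0/24 stands in for "the customer's ranges". The point it makes is that the first X-Forwarded-For entry is written by the caller and can be forged, so an allowlist that trusts only that entry lets a forged request through, while checking the last hop (appended by the trusted edge) or every hop does not.

```python
import ipaddress
from typing import List, Sequence, Tuple

# Constructed rule set in the spirit of an ordered IP allowlist: (action, CIDR).
# Rules are evaluated top to bottom, the first match wins, and an address that
# matches nothing is denied. 203.0.113.0/24 is an RFC 5737 documentation range
# standing in for the customer's ranges; it is not a real customer.
RULES: List[Tuple[str, str]] = [
    ("ALLOW", "203.0.113.0/24"),
    ("DENY", "0.0.0.0/0"),
]


def evaluate_rules(ip: str, rules: Sequence[Tuple[str, str]] = RULES) -> str:
    """Return ALLOW or DENY for one address. Unparseable input is denied."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "DENY"
    for action, cidr in rules:
        network = ipaddress.ip_network(cidr, strict=False)
        if addr.version == network.version and addr in network:
            return action
    return "DENY"


def client_chain(xff: str, peer_ip: str) -> List[str]:
    """Build the list of candidate client addresses for a request.

    X-Forwarded-For is a comma-separated list: the first entry is whatever the
    original caller put there (caller-controlled), and each proxy or load
    balancer on the path appends the address it saw the request come from.
    When there is no header at all, the TCP peer address is the only candidate.
    """
    entries = [p.strip() for p in xff.split(",") if p.strip()] if xff else []
    return entries or [peer_ip]


def decide(xff: str, peer_ip: str, mode: str = "ALL") -> str:
    """Apply the rules to the chain under one of three trust modes (names are mine):

    FIRST: only the first X-Forwarded-For entry is checked (forgeable by the caller).
    LAST:  only the last entry is checked (the hop appended by the trusted edge).
    ALL:   every entry must be allowed.
    """
    chain = client_chain(xff, peer_ip)
    if mode == "FIRST":
        return evaluate_rules(chain[0])
    if mode == "LAST":
        return evaluate_rules(chain[-1])
    if mode == "ALL":
        return "ALLOW" if all(evaluate_rules(ip) == "ALLOW" for ip in chain) else "DENY"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed request: the caller put an allowed address in front of the
    # header, and the load balancer appended the address it actually saw.
    forged = "203.0.113.10, 198.51.100.7"
    for mode in ("FIRST", "LAST", "ALL"):
        print(f"{mode:5s} -> {decide(forged, '10.1.2.3', mode)}")
```

Running the block prints ALLOW for FIRST and DENY for LAST and ALL on the constructed request, which is the practical reason to anchor an allowlist on the hop your own edge appended rather than on the head of the header, and why Dino's 2-way TLS recommendation is the more robust control when source addresses cannot be pinned down.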
@Dino
We have a paid, EDGE cloud instance, and I have not yet been able to find a “true” client IP in the request headers. I see only a single internal style IP that I’ve always assumed to be a load balancer. We recently had someone ask us from which IP their requests were coming, and I was unable to answer.
I’ve tried creating a custom report that makes use of the “Referred Client IP” dimension, but ended up with only “not set” for hundreds of thousands of requests.
Do you have any guidance?
Are you asking a question about the inbound IP addresses? Inbound w.r.t. Apigee Edge proxies?
@williamking,
Referred Client IP contains the value from the “True-Client-IP” header that gets populated by routing products such as Akamai. I guess there is no Akamai configured here.
Have you tried the “proxy_client_ip” dimension? Let us know the result.
Also, note that our guideline is to ask a new question separately.
Regards,
Rajesh Doda
Correct. I’m asking about the IP address of the “app” making the HTTP call to our EDGE proxy.
Sorry, I considered opening a new question but thought it might be related enough.
I don’t believe I’ve added proxy_client_ip to a custom report. Everything I’ve ever seen in trace logs related to that value are internal IPs, not the actual request IP (i.e. outside of your AWS network).
I have an open ticket regarding this issue and will update this (or a new question) with whatever is figured out.
@williamking, did you get a clarification for your last query?
Sorry for the delay. Have you checked the X-Forwarded-For header?
check the X-Forwarded-For header?