SAP Cloud Platform, API Management offers many out of the box API Security best practices which can be customized based on your enterprise requirements. These API Security Best Practices includes security policies for Authentication and Authorization, Traffic Management and many more.
Access control policy consists of allowing or denying access of the API to specific client IP or IP ranges. In this blog, we describe how to restrict or limit the access to APIs to only specific client IP ranges.
Create an API Proxy
- Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).
- Navigate to the Services tab, search for API Management service tile and click to open SAP API Management service.
- Click on the link Access API Portal to open API Portal.
- Navigate to the Define from the hamburger icon, then select the tab APIs and Click on the Create button
- Create a new API Proxy for any endpoint say GW Sample services (https://sapes4.sapdevcenter.com/sap/opu/odata/IWBEP/GWSAMPLE_BASIC/) from the SAP Gateway ES4 system. Provide the API Proxy details like Proxy name, title, description and base path and click on the Create button
- Click on the Save and Deploy button to activate the API Proxy.
With this we have activated an API Proxy which connects to the SAP Gateway OData API https://sapes4.sapdevcenter.com/sap/opu/odata/IWBEP/GWSAMPLE_BASIC/ and is accessible to any one on the public domain.
Restrict access to the API via Access control
In this section, we would apply the Access control security policy from SAP Cloud Platform, API Management to restrict access of the API to select Client IP ranges.
- Click on the Policies button of the newly created API Proxy
- Click on the Edit button from the Policy designer, select PreFlow from the ProxyEndPoint and then click on the + button next to the Access Control Policy available under the Traffic Management Policies segment.
- In the Create Policy dialog, provide the name of the policy say restrictAccess.
- In policy snippet window provide the sample policy provided below. Instead of the IP address of 10.20.30.40 provide a Client IP address to which you would like to provide access of the API.
<AccessControl async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'> <IPRules noRuleMatchAction='DENY'> <MatchRule action="ALLOW"> <SourceAddress mask="24">10.20.30.40</SourceAddress> </MatchRule> <MatchRule action="ALLOW"> <SourceAddress mask="24">22.214.171.124</SourceAddress> </MatchRule> </IPRules> </AccessControl>
In the above sample, the default rule is to restrict access to the API and using the MatchRule filter, specific IP ranges are allowed access. Therefore this snippet is a way to achieve IP white listing where in API access is provided to specific client IP ranges.
The mask value enables you to define the IP ranges of the Client IP which have access to the API. In the above sample, in case you would like to allow access to a specific Client IP then mask value should be set to 32 and for allowing access of the API to a client IP address of the range X.X.*.* the mask value should be set to 16.
Another flavor of the restricted access of the API based on client IP address is to have the default rule of allowing accessing to all the Client IP addresses and denying API access to the malicious IP Addresses which is also commonly known as IP black listing. The access control policy sample provided below can be used to achieve this scenario.
<AccessControl async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'> <IPRules noRuleMatchAction='ALLOW'> <MatchRule action="DENY"> <SourceAddress mask="24">10.20.30.40</SourceAddress> </MatchRule> <MatchRule action="DENY"> <SourceAddress mask="24">126.96.36.199</SourceAddress> </MatchRule> </IPRules> </AccessControl>
A combination of the match rule of Allow/Deny can be used in the Access Control policy. For more such samples refer the help documentation
- Click on the Update button to save the Policy changes
- Click on the Save button to save the changes to API Proxy
With this we have restricted the API access to only white listed client IP addresses.
Finally testing the flow
- Click on the API Proxy URL to open up the API Proxy in a new browser window and this should result in an Access denied error.