IP Restriction (with Deny - Test)
Overview​
The IP Restriction Policy allows administrators to control access to an API based on the IP address of the client making the request. It supports both Allow and Deny lists and accepts IPs in individual format or CIDR notation.
This policy is useful when securing APIs behind a firewall, limiting exposure only to trusted IPs, or explicitly blocking known malicious IPs.
Configuration Details​
The configuration interface includes two main toggles - Allow and Deny - and corresponding input fields to specify IPs or CIDR blocks.
| Field | Description |
|---|---|
| Allow (Enabled/Disabled) | When enabled, only the IP addresses or CIDR ranges specified here will be granted access to the API. If disabled, no IP-level allowlisting is applied. |
| Allow Value | Input one or more IPs (e.g., 192.168.0.10) or CIDR blocks (e.g., 192.168.0.0/24). Each entry must be confirmed by pressing Enter. |
| Deny (Enabled/Disabled) | When enabled, the IP addresses or CIDR ranges specified here will be denied access to the API. If disabled, no deny rule is enforced. |
| Deny Value | Input one or more IPs or CIDR blocks to be blocked. Each entry must be confirmed by pressing Enter. |
If both Allow and Deny are enabled:
- The system applies Allow rules first: only IPs listed in the Allow field are evaluated.
- Then, Deny rules override: if an IP matches both, it will be blocked.
Restrictions​
- IP addresses must follow IPv4 format or be valid CIDR ranges.
- Duplicate or malformed entries will result in a validation error.
- Both Allow and Deny lists can be used in combination, but care should be taken to avoid contradictory configurations.
Example IP Restriction Inputs and Results​
The following examples demonstrate how the Allow and Deny rules interact and what outcome a request from a given IP would result in:
| Allow | Deny | Request IP | Result | Explanation |
|---|---|---|---|---|
| - | 192.168.0.5 | 192.168.0.5 | Blocked | IP is explicitly denied. No Allow rule is defined, so all IPs are considered. |
| 192.168.0.0/24 | - | 192.168.0.10 | Allowed | IP matches the allowed CIDR range. No Deny rule is defined. |
| 10.0.0.0/8 | 10.0.0.100 | 10.0.0.100 | Blocked | IP matches both Allow and Deny; Deny takes precedence. |
| 10.0.0.0/8 | 192.168.0.0/16 | 192.168.1.1 | Blocked | IP is not in the allowed range and is also in the denied CIDR. |
| - | - | 192.168.0.1 | Allowed | No restrictions defined. All IPs are allowed by default. |
Always test your IP Restriction setup in API testing before deploying the API, especially when enabling both Allow and Deny rules together.