Implementing IP Allowlist and IP Blocklist in MuleSoft
Overview
In this blog, we will look at how APIs can be secured using IP Allowlist and IP Blocklist policies. These policies act as gatekeepers at the network level. With an IP Allowlist, only trusted IP addresses or ranges are allowed to access the API, while everything else is blocked. With an IP Blocklist, specific unwanted IPs are denied access, while others are allowed. Together, they help ensure that only safe and trusted traffic can reach your API.
Implementing IP Allowlist and IP Blocklist:
Steps:
1. First, we will create a simple API specification.
2. Next, publish the API specification to Exchange so it can be reused and managed.
3. Create a new Mule project and scaffold it using the specification. This generates the basic flows automatically.
4. Add two loggers to the main flow – one at the start and one at the end to track execution.
5. Create a new Mule configuration file for implementation. Add a Flow Reference in between the loggers to call this implementation flow.
6. Inside the implementation flow, add a Transform Message to return a simple XML response.
7. Next, we’ll import the API from Exchange into API Manager. To do that, navigate to API Manager and click Add API. Then select Add new API, select Mule Gateway, set the proxy type to Basic endpoint, and set the Mule version to Mule 4.
8. Select the API that the application was scaffolded from and click Next. For now, there is no need to configure downstream and upstream. Then save it, and the API will be registered in API Manager.
9. Next, we’ll add the API instance ID and configure the flow name as the main flow in the API Autodiscovery configuration.
10. Then we’ll deploy the application to CloudHub. While deploying, we need to pass the client ID and client secret in the Properties tab.
11. Once the application is deployed, we’ll apply the policies to our API.
i) Apply IP Allowlist
- Configure trusted IP addresses or ranges in API Manager.
- Only those IPs will be allowed to access the API.
- Requests from all other IPs will be blocked.
When the system is connected to the internet with an IP address that is not included in the allowlist, the API blocks the request and returns an error, as shown in the image:
When the system is connected to the internet with an IP address that is included in the allowlist, the API accepts the request and returns a successful response, as shown in the image:
Note: You can use either IP Allowlist or IP Blocklist, but not both together. If one policy is already applied and you try to add the other, the system will stop you and only keep one IP policy active.
ii) Apply IP Blocklist
- Configure unwanted or suspicious IPs in API Manager.
- Requests from those IPs will be blocked.
- All other IPs are allowed.
When the system is connected to the internet with an IP address that is included in the blocklist, the API blocks the request and returns an error, as shown in the image:
When the system is connected to the internet with an IP address that is not included in the blocklist, the API accepts the request and returns a successful response, as shown in the image:
Note: You can use either IP Allowlist or IP Blocklist, but not both together. If one policy is already applied and you try to add the other, the system will stop you and only keep one IP policy active.
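The allow and deny behaviour described in i) and ii), as an added Python model that is not part of the original blog and is not MuleSoft's own code. It dry-runs a planned list of entries against sample client IPs in one mode at a time and flags entries that are too broad to be useful; the sample entries are constructed from documentation ranges, and the fail-closed handling of unparseable addresses and the breadth thresholds are assumptions of this example.

```python
import ipaddress

# Constructed sample entries (RFC 5737 documentation ranges), not values from the page
ENTRIES = ["203.0.113.0/24", "198.51.100.7"]


def parse_entries(entries):
    """Parse policy entries (single IPs or CIDR ranges) into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def evaluate(mode, entries, client_ip):
    """Return 'ALLOW' or 'DENY' for client_ip under a single IP policy.

    mode is 'allowlist' or 'blocklist'; only one is active at a time,
    matching the note above.
    """
    if mode not in ("allowlist", "blocklist"):
        raise ValueError("mode must be 'allowlist' or 'blocklist'")
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        # Assumption of this model: an unparseable source address is denied
        return "DENY"
    # Membership is False when the address and network IP versions differ
    listed = any(addr in net for net in parse_entries(entries))
    if mode == "allowlist":
        return "ALLOW" if listed else "DENY"   # default deny
    return "DENY" if listed else "ALLOW"       # default allow


def audit_entries(entries, min_prefix_v4=16, min_prefix_v6=32):
    """Return entries broader than the thresholds (assumed values, tune as needed)."""
    broad = []
    for raw, net in zip(entries, parse_entries(entries)):
        limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < limit:
            broad.append(raw)
    return broad


def dry_run(mode, entries, clients):
    """Map each sample client IP to the decision the policy would make."""
    return {ip: evaluate(mode, entries, ip) for ip in clients}


if __name__ == "__main__":
    clients = ["203.0.113.25", "198.51.100.7", "192.0.2.10"]  # constructed
    for mode in ("allowlist", "blocklist"):
        print(mode, dry_run(mode, ENTRIES, clients))
    print("too broad:", audit_entries(ENTRIES + ["0.0.0.0/0"]))
```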
Even with this limitation, implementing either policy ensures that only trusted traffic reaches your APIs, strengthening security and maintaining operational control. Partner with TGH’s MuleSoft experts to simplify API security, optimize policy management, and enable seamless, reliable integrations. Secure your APIs and elevate your integration workflows today!















