Updated on 2024-05-07 GMT+08:00

Configuring API Access Control

Access control protects backend services by controlling which IP addresses and accounts can access an API. A policy either allows or denies access to an API for the IP addresses or accounts it lists.

An access control policy and an API are independent of each other. An access control policy takes effect for an API only after it is bound to the API.

Constraints

In a given environment, an API can be bound to only one access control policy of each restriction type, but each access control policy can be bound to multiple APIs.

Creating an Access Control Policy

  1. Log in to the ROMA Connect console. On the Instances page, click View Console of an instance.
  2. In the navigation pane on the left, choose API Connect > API Policies. On the Policies tab, click Create Policy.
  3. On the Select Policy Type page, select Access Control in the Traditional Policy area.
  4. On the page displayed, configure access control information.
    Table 1 Parameters for creating an access control policy

    Parameter

    Description

    Policy Name

    Enter an access control policy name. Using consistent naming rules makes policies easier to find later.

    Type

    Select the restriction type of the access control policy.

    • IP address: restricts API calling by IP address.
    • Account name: restricts API calling by account name. This option is available only to APIs using IAM authentication.

      The restriction also applies to the IAM users under the specified accounts. IAM users cannot be specified separately.

    • Account ID: restricts API calling by account ID. This option is available only to APIs using IAM authentication.

      The restriction also applies to the IAM users under the specified accounts. IAM users cannot be specified separately.

    Effect

    Select the access control type. This parameter is used together with Type (the restriction type).

    • Allow: Only the specified IP addresses or accounts are allowed to call APIs; all others are rejected.
    • Deny: The specified IP addresses or accounts are not allowed to call APIs; all others are allowed.

    IP Addresses

    Mandatory when Type is set to IP address.

    Click Add IP Address to add the IP addresses or IP address segments that are allowed or forbidden to call an API.

    Account Name

    Mandatory when Type is set to Account name.

    Enter the account names that are allowed or forbidden to call an API. Use commas (,) to separate multiple account names.

    Click the username in the upper right corner of the console. Choose My Credentials and obtain the account name on the API Credentials page.

    Account ID

    Mandatory when Type is set to Account ID.

    Enter the account IDs that are allowed or forbidden to call an API. Use commas (,) to separate multiple account IDs.

    Click the username in the upper right corner of the console. Choose My Credentials and obtain the account ID on the API Credentials page.

  5. Click OK.

    After the access control policy is created, you also need to perform the operations described in Binding an Access Control Policy to an API to make the policy take effect for the API.

Binding an Access Control Policy to an API

  1. On the Policies tab, filter policies by Access Control.
  2. Click the name of a policy to go to the details page.
  3. On the APIs tab, select the environment of the APIs you want to bind the policy to and click Bind to APIs.
  4. On the page displayed, select the APIs to bind the policy to.

    APIs can be filtered by API group and API name.

  5. Click OK.
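The following is an added example, not ROMA Connect code: a small Python model of the policy semantics from Table 1 (restriction type, Allow/Deny effect, IAM users inheriting their account's restriction) and of the binding constraint above (one policy per restriction type per API per environment). The policy and caller fields, the sample values and the rule that a request must pass every bound policy are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AccessControlPolicy:
    name: str
    restriction_type: str  # "IP address", "Account name" or "Account ID"
    effect: str            # "Allow" or "Deny"
    values: list           # IP addresses/segments, or account names/IDs

@dataclass
class Caller:
    ip: str
    account_name: str = ""  # for an IAM user, the name of its parent account
    account_id: str = ""    # for an IAM user, the ID of its parent account

def matches(policy, caller):
    """Does the caller appear in the policy's IP or account list?"""
    if policy.restriction_type == "IP address":
        addr = ipaddress.ip_address(caller.ip)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in policy.values)
    # Account restrictions also cover IAM users under the account, so an IAM
    # user is checked by its parent account name or ID (constructed model).
    key = caller.account_name if policy.restriction_type == "Account name" else caller.account_id
    return key in policy.values

def is_allowed(policy, caller):
    """Allow: only listed callers pass. Deny: listed callers are rejected."""
    matched = matches(policy, caller)
    return matched if policy.effect == "Allow" else not matched

def bind(bindings, env, api, policy):
    """Bind a policy to an API in an environment; at most one policy per
    restriction type may be bound to the same API in the same environment."""
    key = (env, api, policy.restriction_type)
    if key in bindings:
        raise ValueError(f"{api}/{env} already has a {policy.restriction_type} policy")
    bindings[key] = policy

def demo():
    """Constructed sample: an IP allow-list plus an account deny-list on one API."""
    allow_ips = AccessControlPolicy("office-only", "IP address", "Allow", ["10.0.0.0/24"])
    deny_acct = AccessControlPolicy("block-partner", "Account name", "Deny", ["partner-a"])
    bindings = {}
    bind(bindings, "RELEASE", "orders-api", allow_ips)
    bind(bindings, "RELEASE", "orders-api", deny_acct)  # different type, so this binds
    caller = Caller(ip="10.0.0.42", account_name="partner-a")
    # Assumption of this model: a request must pass every bound policy.
    return all(is_allowed(p, caller) for p in bindings.values())
```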