Layer7 API Management

  • 1.  Restrict services to interface

    Broadcom Employee
    Posted Oct 02, 2014 04:39 AM

    Hi,

     

    A customer asked if we have a chance to restrict services to a port or interface.

    They want to allow some services to be accessed only through the intranet. That means only a bunch of services are reachable from the internet.

     

    Regards

     

    Steffen Miller

    CA Technologies

    Principal Consultant, Presales

     

    CA Deutschland GmbH | Marienburgstrasse 35 | Darmstadt | 64297

    Office: +49 (6151) 949 329 | Mobile: +49 170 8538 262 | steffen.miller@ca.com

    HRB Darmstadt 1706

    Managing Directors: Sven Mulder, Jay H. Diamond, Navneet Govil




  • 2.  Re: Restrict services to interface
    Best Answer

    Broadcom Employee
    Posted Oct 02, 2014 08:43 AM

    Yes, this can be done on the gateway. If it was only one service policy, then you can go to Tasks -> Manage Listen Ports and tie a specific service to a specific interface/port. If there are multiple services, then adding a policy fragment to the specific service policies that need to be restricted can be done. The policy can check the value of the variables ${request.tcp.localPort} and ${request.tcp.localIP} to determine which IP/port the request arrived at and reject it if it did not come from the internal interface.



  • 3.  Re: Restrict services to interface

    Broadcom Employee
    Posted Oct 02, 2014 09:01 AM

    OK. Thanks.

    Works, but it is not really nice, is it?

     

    Regards

    Steffen



  • 4.  Re: Restrict services to interface

    Broadcom Employee
    Posted Oct 02, 2014 09:08 AM

    I guess that's debatable. Keep in mind you can always create a Policy Fragment and call it something like "Restrict to Internal Interface" and then just include the fragment in the appropriate service policies (or even expose as a template directly through the API portal). You could also leverage a global policy to centralize the check in a single location (many ways to meet the requirement).
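
The check described in replies 2 and 4, modelled in Python as an added example; it is not part of the thread and is not Layer7 policy syntax. The listener address, port, service paths and function names are assumed values for illustration, and the decision fails closed if either variable is empty or malformed.

```python
import ipaddress

# Assumed values for illustration: the internal listener's address and port.
INTERNAL_LISTENERS = {("10.0.0.5", 8443)}
# Assumed service paths that must only be reachable via the internal listener.
RESTRICTED_SERVICES = {"/hr/payroll", "/admin/metrics"}


def _normalize_ip(value):
    """Return a canonical IP string, unwrapping IPv4-mapped IPv6; None if invalid."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def allow_request(service_path, local_ip, local_port):
    """Decide from the values of ${request.tcp.localIP} and ${request.tcp.localPort}.

    Both describe the IP/port the request arrived at on the gateway, not the client.
    """
    if service_path not in RESTRICTED_SERVICES:
        return True  # unrestricted services stay reachable on every listener
    ip = _normalize_ip(local_ip)
    try:
        port = int(local_port)
    except (TypeError, ValueError):
        port = None
    if ip is None or port is None:
        return False  # fail closed when a variable is empty or malformed
    return (ip, port) in INTERNAL_LISTENERS


# Constructed sample requests: (service, localIP, localPort)
SAMPLES = [
    ("/hr/payroll", "10.0.0.5", "8443"),         # arrived on the internal listener
    ("/hr/payroll", "203.0.113.10", "8443"),     # arrived on the internet-facing interface
    ("/hr/payroll", "::ffff:10.0.0.5", "8443"),  # IPv4-mapped form of the internal address
    ("/hr/payroll", "", "8443"),                 # variable not set
    ("/public/status", "203.0.113.10", "8443"),  # unrestricted service
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", "allow" if allow_request(*sample) else "reject")
```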