Just launched 🚀: Dashboard API client IP restrictions 👩🏼‍💻🔒

John-K
Meraki Employee

Admin security in a changing landscape

Previously, we've enabled customers to limit management plane access (that is, dashboard and dashboard API) to specific IP ranges, offering additional peace of mind to customers with consistent usage patterns.

This setting has always applied to both GUI and API access, but many of today's admins need to log in from mobile phones, guest WiFi services and from home offices, most of which have dynamically assigned IPs and are thus hard to predict. In fact, many customers have no strategic need to limit GUI access to any specific IP ranges.

However, this is usually different from customer- and partner-developed applications built on dashboard API, which are more likely to operate from a much smaller, more consistent range of IP addresses. Further, as the popularity of our marketplace partner applications explodes, there are cases where a customer might want to provide a partner with API access, but limit all API usage to pre-approved source IP addresses.

Enter API-specific client IP limits

Today, I'm pleased to announce the general availability of a new, API-specific feature for customers with such requirements. This new feature allows organization admins to prescribe a limited set of IP ranges from which dashboard API applications can authenticate, without imposing any limits on GUI access. In other words, if you know that your approved API applications always operate from a handful of IP ranges or addresses, you can tell us what those ranges are, and we'll reject any attempted API access from outside those allowed ranges.

This can be especially useful if you use services like Apigee to proxy your API traffic, and wish to disallow any API access to applications aside from your API proxy.

Get started

You can configure this feature via Dashboard or via Dashboard API.

Via Dashboard: Organization > Settings > Login IP ranges > "Limit Dashboard API access to these IP ranges"

Via Dashboard API: PUT /organizations/{organizationId}/loginSecurity

JohnK_0-1646081937589.png

However you choose to configure this feature, you will find that the formatting is the same as the existing, unchanged feature that limits both GUI and API access, making it easy to add this extra layer of security to your organizations.

As always, exercise due diligence before enabling any new security restriction. You can unwittingly lock out important API applications (e.g. those provided by ecosystem partners or service providers) from your organization if you do not include their IP ranges before enabling this feature. 
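An added example (not Meraki's own code) that ties the PUT endpoint above to the lockout caution: it parses the allowed ranges, refuses to enable the restriction if any known API client address falls outside them, and only then builds and sends the request. The endpoint path is from this post; the body field names (`apiAuthentication.ipRestrictionsForKeys`) and the API key header are assumed from the API reference and should be verified against your API version.

```python
import ipaddress
import json
import urllib.request

# Assumed base URL for Dashboard API v1; adjust for your region/version.
BASE_URL = "https://api.meraki.com/api/v1"


def normalize_ranges(ranges):
    """Parse each allowed range as a network. strict=False turns a bare host
    such as 198.51.100.7 into 198.51.100.7/32; junk raises ValueError."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def uncovered_clients(ranges, known_clients):
    """Return the known API client addresses the allowlist would reject.
    A non-empty result means enabling the restriction would lock them out."""
    nets = normalize_ranges(ranges)
    return [c for c in known_clients
            if not any(ipaddress.ip_address(c) in n for n in nets)]


def build_api_restriction_payload(ranges, enabled=True):
    """Body for PUT .../loginSecurity that restricts API keys only (assumed
    field names); GUI login ranges are left untouched."""
    nets = normalize_ranges(ranges)
    return {"apiAuthentication": {"ipRestrictionsForKeys": {
        "enabled": enabled, "ranges": [str(n) for n in nets]}}}


def apply_api_restriction(org_id, ranges, known_clients, api_key):
    """Guard against self-lockout, then PUT the new setting."""
    missing = uncovered_clients(ranges, known_clients)
    if missing:
        raise RuntimeError(f"refusing to enable: would lock out {missing}")
    body = json.dumps(build_api_restriction_payload(ranges)).encode()
    req = urllib.request.Request(
        f"{BASE_URL}/organizations/{org_id}/loginSecurity", data=body,
        method="PUT", headers={"X-Cisco-Meraki-API-Key": api_key,
                               "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: an API proxy /28 plus one partner host; the last
    # client is deliberately outside the allowlist.
    allowed = ["203.0.113.0/28", "198.51.100.7"]
    clients = ["203.0.113.5", "198.51.100.7", "192.0.2.44"]
    print(uncovered_clients(allowed, clients))  # ['192.0.2.44']
```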

3 Comments
Alisdair85
Getting noticed

Great addition John! We have a number of integrated apps and customers that will like this locking down of source API calls 

MarkB2
Here to help

We would love to implement this but need to update policy in order to backhaul client VPN traffic from remote workers which is split-tunnel by default. Meraki does not document an IP range for api.meraki.com and it does not currently resolve to the publicly documented Meraki ranges. Can we get any info around this?

John-K
Meraki Employee

Hi Mark,

Quick update to my message:

While there is no specific IP range for api.meraki.com, if you have configured a site-to-site VPN as your default route, then the clients' web traffic will transit your VPN automatically. There's no additional configuration needed; you shouldn't have to manually 'include' any traffic in your VPN when you are using a VPN subnet as a default route. Keep in mind there are local Internet breakout rules available, so you can exempt other traffic from transiting the VPN:

JohnK_1-1646760091613.png

If you are not using Meraki MX, and need to manually route some traffic over your VPN, then I'd recommend using a FQDN rule rather than an IP-based rule for that type of PBR.

If you have no other options, then it's also possible to send API traffic to e.g. n101.meraki.com, instead of api.meraki.com. You can find the 'n101' value by logging into the dashboard via browser. That FQDN has a limited number of IP addresses listed under Help > Firewall info.