Admin security in a changing landscape
Previously, we've enabled customers to limit management plane access (that is, dashboard and dashboard API) to specific IP ranges, offering additional peace of mind to customers with consistent usage patterns.
This setting has always applied to both GUI and API access, but many of today's admins need to log in from mobile phones, guest WiFi services and from home offices, most of which have dynamically assigned IPs and are thus hard to predict. In fact, many customers have no strategic need to limit GUI access to any specific IP ranges.
However, this is usually different from customer- and partner-developed applications built on the Dashboard API, which are more likely to operate from a much smaller, more consistent set of IP addresses. Further, as the popularity of our marketplace partner applications grows, there are cases where a customer might want to grant a partner API access but limit all API usage to pre-approved source IP addresses.
Enter API-specific client IP limits
Today, I'm pleased to announce the general availability of a new, API-specific feature for customers with such requirements. This new feature allows organization admins to prescribe a limited set of IP ranges from which dashboard API applications can authenticate, without imposing any limits to GUI access. In other words, if you know that your approved API applications always operate from a handful of IP ranges or addresses, you can tell us what those ranges are, and then we'll reject any attempted API access from outside of those allowed ranges.
This can be especially useful if you use a service like Apigee to proxy your API traffic and want to reject API calls from anything other than your API proxy: allow only the proxy's egress addresses, and a leaked API key becomes unusable from anywhere else.
Get started
You can configure this feature via Dashboard or via Dashboard API.
Via Dashboard: Organization > Settings > Login IP ranges > "Limit Dashboard API access to these IP ranges"
Via Dashboard API: PUT /organizations/{organizationId}/loginSecurity
However you choose to configure this feature, you will find that the formatting is the same as the existing, unchanged feature that limits both GUI and API access, making it easy to add this extra layer of security to your organizations.
As always, exercise due diligence before enabling any new security restriction. You can unwittingly lock out important API applications (e.g. those provided by ecosystem partners or service providers) from your organization if you do not include their IP ranges before enabling this feature. That includes the egress addresses of your own automation, and of the script or proxy you use to change this setting, since a PUT that omits them will cut off the very tooling that would later correct the mistake. After enabling the limit, confirm that a call from an allowed address still succeeds and that one from outside the ranges is rejected.
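The following is an added worked example, not code from the original post or from Meraki. It builds the API-only IP restriction for PUT /organizations/{organizationId}/loginSecurity and refuses to produce a payload that would lock out a caller you still need, which is the mistake the paragraph above warns about. The JSON field names apiAuthentication.ipRestrictionsForKeys.enabled and .ranges are an assumption taken from the public Dashboard API reference, not from this page; the function names, the RFC 5737 sample addresses, and the lock-out check are all constructed for illustration. The v1 base URL and the X-Cisco-Meraki-API-Key header are the public Dashboard API conventions.

```python
"""Build and sanity-check an API-only login IP restriction for the Meraki
Dashboard API before sending it.

Added example, not Meraki's own code. Assumed (not on the page) payload
shape: {"apiAuthentication": {"ipRestrictionsForKeys": {"enabled": bool,
"ranges": [cidr, ...]}}}. Sample addresses are RFC 5737/3849 documentation
ranges, constructed for this example.
"""
import ipaddress
import json
import os
import urllib.request

MERAKI_BASE = "https://api.meraki.com/api/v1"  # public Dashboard API v1 base URL


def normalize_ranges(ranges):
    """Validate and canonicalize allow-list entries.

    Bare addresses become /32 (IPv4) or /128 (IPv6) networks so containment
    checks are uniform. CIDR entries are parsed strictly: "203.0.113.10/24"
    is rejected rather than silently widened to 203.0.113.0/24, which would
    admit 253 addresses the admin never intended to allow.
    """
    nets = set()
    for raw in ranges:
        entry = raw.strip()
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=True)  # raises on host bits set
        else:
            net = ipaddress.ip_network(entry)  # single host -> /32 or /128
        nets.add(net)
    # Deterministic order (version, address, prefix) so repeated runs produce
    # the same payload and diffs in change control are meaningful.
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def locked_out_callers(ranges, callers):
    """Return the callers (IP strings) that would NOT be inside any allowed range."""
    nets = normalize_ranges(ranges)
    blocked = []
    for ip in callers:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            blocked.append(ip)
    return blocked


def build_api_ip_restriction(ranges, callers_to_keep):
    """Return the loginSecurity payload enabling API-only source IP limits.

    callers_to_keep lists addresses that must retain API access after the
    change: this script's own egress IP, your API proxy, partner apps.
    Refuses to build the payload if any of them would be cut off.
    """
    nets = normalize_ranges(ranges)
    if not nets:
        raise ValueError("at least one range is required; an empty allow list blocks every API caller")
    blocked = locked_out_callers(ranges, callers_to_keep)
    if blocked:
        raise ValueError(f"refusing: these required callers would be locked out: {blocked}")
    return {
        "apiAuthentication": {  # assumed field names, see lead-in
            "ipRestrictionsForKeys": {
                "enabled": True,
                "ranges": [str(n) for n in nets],
            }
        }
    }


def put_login_security(org_id, api_key, payload):
    """Send the payload with PUT /organizations/{organizationId}/loginSecurity."""
    req = urllib.request.Request(
        f"{MERAKI_BASE}/organizations/{org_id}/loginSecurity",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: an API proxy's /24 plus one partner host. The second
    # caller is this script's own egress address and must stay allowed.
    payload = build_api_ip_restriction(
        ranges=["203.0.113.0/24", "198.51.100.7"],
        callers_to_keep=["203.0.113.10", "198.51.100.7"],
    )
    print(json.dumps(payload, indent=2))
    org_id, api_key = os.environ.get("MERAKI_ORG_ID"), os.environ.get("MERAKI_API_KEY")
    if org_id and api_key:  # only touch a real organization when explicitly configured
        print(put_login_security(org_id, api_key, payload))
```

Run it once with no environment variables to review the payload it would send; only set MERAKI_ORG_ID and MERAKI_API_KEY after confirming that your own egress address, and every partner or proxy address, appears in the ranges. The lock-out check is deliberately a hard failure rather than a warning so that an automated pipeline cannot apply a restriction that would strand itself.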