How do I restrict and specify access to IP addresses in Elasticsearch?

In modern microservices architectures, it is important to protect the system from unauthorized access, especially at the gateway level. As the entry point of the service architecture, the security of INFINI Gateway directly affects the stability and security of the entire system.
Extreme Gateway provides a robust IP access control feature that gives you the flexibility to control which IPs can access your services and which IPs must be denied.
Note: This feature is not available in the open-source, unpaid version of Elasticsearch.
This article walks you step by step through how to use Extreme Gateway to restrict or specify allowed/denied IP addresses, helping you strengthen the security of your gateway.
1. What is IP Access Control?
IP access control is a security mechanism that decides whether a request is allowed to reach your services based on the client's IP address. Extreme Gateway enables and manages this feature through the ip_access_control configuration. You can manage client access in the following two ways:
- Whitelist: Only specified IP addresses are allowed to access.
- Blacklist: Denies access to a specified IP address.
These two methods can be used separately or in combination to ensure that only trusted IP addresses can access your services.
2. How do I configure IP access control?
In Extreme Gateway, configuring IP access control is very simple. All you need to do is add an ip_access_control node to your router configuration, enable it, and specify which IP addresses you want to allow or deny.
Enable IP access control
Here's a simple example of how to enable IP access control:
```yaml
router:
  - name: my_router
    default_flow: async_bulk
    ip_access_control:
      enabled: true
```
In the above configuration, enabled: true is the key to enabling IP access control. After that, you can choose to further configure the IP addresses that are allowed or denied.
3. Configure whitelist: Only specific IPs are allowed to access
If you want to allow only certain IP addresses to be able to access your service, you can use the whitelist configuration. This means that only the listed IP addresses can access your gateway service, and other IP addresses are automatically denied.
Suppose you want only the IP address 133.37.55.22 to be able to access the service, and no other IP address. The configuration is as follows:
```yaml
router:
  - name: my_router
    default_flow: async_bulk
    ip_access_control:
      enabled: true
      client_ip:
        permitted:
          - 133.37.55.22
```
In the configuration above, the IP addresses that are allowed to be accessed are listed under client_ip.permitted. Only requests with the IP address 133.37.55.22 will be approved, and requests from other IP addresses will be automatically rejected.
Screenshot of the actual case configuration: [image not included in this text version]
The verification results are as follows: [screenshots not included in this text version]
4. Configure blacklist: deny access to specific IPs
If you want certain IP addresses to be inaccessible to your gateway service, you can use the blacklist configuration. This means that the listed IP addresses will be denied access, while the other unlisted IP addresses will be able to access normally.
For example, if you want to deny access to the service to the IP address 133.37.55.22, an example configuration is as follows:
```yaml
router:
  - name: my_router
    default_flow: async_bulk
    ip_access_control:
      enabled: true
      client_ip:
        denied:
          - 133.37.55.22
```
In this configuration, the IP addresses that are denied access are listed under client_ip.denied. Any requests from 133.37.55.22 will be rejected directly by the gateway, and requests from other IP addresses will not be affected.
Screenshot of the actual case configuration: [image not included in this text version]
The screenshot of the actual verification is as follows: [image not included in this text version]
Because the IP address is on the blacklist, the client's write fails with an error:
```text
Error inserting data: AuthorizationException(403, 'Access Forbidden.\n')
```
5. Configure the use of both whitelists and blacklists
You can also use a whitelist and a blacklist in combination, for example to allow access from certain IP addresses while denying access from others.
Let's say you want to allow access to 133.37.55.22 but deny access to 192.168.1.1, configure as follows:
```yaml
router:
  - name: my_router
    default_flow: async_bulk
    ip_access_control:
      enabled: true
      client_ip:
        permitted:
          - 133.37.55.22
        denied:
          - 192.168.1.1
```
In this configuration, 133.37.55.22 will be allowed and 192.168.1.1 will be denied.
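To check a router configuration against the addresses you expect to see before deploying it, the following added example (not INFINI Gateway's own code) reimplements the decision rules described in sections 3, 4 and 5 as a small Python function and runs it over constructed sample client addresses. The three router dictionaries mirror the YAML above. The article does not state what happens to an address that appears on both lists, or to an unlisted address when both lists are configured; the code assumes a denied entry always wins and that, whenever a permitted list exists, anything not on it is rejected (consistent with section 3). Treat that precedence as an assumption to confirm against your gateway, not as documented behaviour.

```python
# Added example: evaluates client_ip.permitted / client_ip.denied rules of a
# router's ip_access_control block for sample client addresses. Not gateway code.
import ipaddress

# Router configurations mirroring the YAML in sections 3, 4 and 5 of the article.
WHITELIST_ONLY = {
    "name": "my_router",
    "default_flow": "async_bulk",
    "ip_access_control": {
        "enabled": True,
        "client_ip": {"permitted": ["133.37.55.22"]},
    },
}

BLACKLIST_ONLY = {
    "name": "my_router",
    "default_flow": "async_bulk",
    "ip_access_control": {
        "enabled": True,
        "client_ip": {"denied": ["133.37.55.22"]},
    },
}

COMBINED = {
    "name": "my_router",
    "default_flow": "async_bulk",
    "ip_access_control": {
        "enabled": True,
        "client_ip": {"permitted": ["133.37.55.22"], "denied": ["192.168.1.1"]},
    },
}


def _normalize(addresses):
    """Parse each listed address so that '1.2.3.4' and '001.2.3.4' compare equal."""
    return {ipaddress.ip_address(a) for a in addresses}


def ip_access_decision(router, client_ip):
    """Return "allow" or "deny" for client_ip under the router's ip_access_control.

    Rules as described in the article:
      - enabled: false            -> every client is allowed
      - permitted list configured -> only listed addresses are allowed
      - denied list configured    -> listed addresses are denied, others allowed
    Assumption (not stated in the article): an address on the denied list is
    rejected even if it is also permitted, and when a permitted list exists
    every unlisted address is rejected.
    """
    acl = router.get("ip_access_control", {})
    if not acl.get("enabled", False):
        return "allow"
    client = ipaddress.ip_address(client_ip)
    rules = acl.get("client_ip", {})
    permitted = _normalize(rules.get("permitted", []))
    denied = _normalize(rules.get("denied", []))
    if client in denied:
        return "deny"
    if permitted and client not in permitted:
        return "deny"
    return "allow"


def check_config(router, sample_clients):
    """Map each sample client address to its decision, for a pre-deployment review table."""
    return {ip: ip_access_decision(router, ip) for ip in sample_clients}


if __name__ == "__main__":
    # Constructed sample client addresses: the two from the article plus one unlisted host.
    samples = ["133.37.55.22", "192.168.1.1", "10.0.0.8"]
    for label, cfg in (("whitelist", WHITELIST_ONLY),
                       ("blacklist", BLACKLIST_ONLY),
                       ("combined", COMBINED)):
        print(label, check_config(cfg, samples))
```

The address passed to ip_access_decision should be the one the gateway actually observes on the connection. If a load balancer or reverse proxy sits in front of the gateway, the observed source address may be the proxy's rather than the end client's, so confirm which address reaches this check before relying on a whitelist.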
6. Scenarios that use IP address access control
1) Protect sensitive services: If you have some sensitive services that only specific clients can access, you can use a whitelist to ensure that only legitimate clients can access them.
2) Prevent malicious access: Blacklists can help you block known malicious IP addresses and prevent attackers from harming the system by trying to access the gateway.
3) Flexible access management: You can dynamically adjust the allowed or denied IP addresses according to your business needs to ensure that the gateway is always secure.
7. Summary
IP access control is a very useful security feature provided by Extreme Gateway, which helps you control who can access your services. With a simple configuration, you can specify which IP addresses are allowed (whitelist) and which are denied (blacklist). Proper use of this feature can effectively improve the security of the system and prevent unauthorized access.