How to manage a conditional access by IP address policy

The Azion Conditional Access by IP Address policy lets you create allowlists that restrict access to your resources to specific IP addresses. You define the IP addresses the policy enforces, so that only devices connecting from those addresses can reach the platform. When the policy is enabled, access from any IP address that is not on the organization’s allowlist is blocked.

This guide explains how to configure and manage a conditional access by IP address policy through Azion’s platform.


Configuring a conditional access by IP address policy

  1. Run the following POST request in your terminal, replacing [Token] with your personal token to configure your policy.
curl --request POST \
--url https://api.azion.com/v4/auth/policies \
--header 'Accept: application/json' \
--header 'Authorization: [Token]' \
--header 'Content-Type: application/json' \
--data '{
"name": "My Policy",
"active": true,
"rules": [
{
"name": "My policy rule",
"effect": "allow",
"resource": "platform",
"actions": ["access"],
"condition": {
"ip_address": [
"19.34.213.23",
"132.33.16.1/24"
]
}
}
]
}'

Where:

| Key | Type | Description |
|---|---|---|
| name | String | Refers to the name of the conditional access policy. Up to 255 characters. |
| active | Boolean | Indicates whether the policy is active. Accepted values: true and false. |
| rules | Array of objects | Includes an array of rules that define the policy’s behavior. |
| name | String | In the rules’ array, refers to the name of the individual rule. Up to 255 characters. |
| effect | String | Refers to the rule’s effect. Accepted values: allow and deny. |
| resource | String | Specifies the resource or resources to which the rule applies, either as an exact URN or a pattern match. Note: this endpoint includes the specific case of platform as a resource, which is exclusively used to define global actions for the platform. Accepted value: .* (matches all resources). |
| actions | Array of strings | Specifies the action or actions to which the rule applies. Accepted values: create, retrieve, update, and destroy. Note: when using platform as the resource, the only accepted action is access. |
| condition | Text | Defines the conditions under which the rule applies. |
| ip_address | Array of strings | Includes an array of IP addresses that are evaluated by the condition. Note: mandatory field if using platform as the resource. |
  2. You’ll receive a response similar to the following:
{
"state": "executed",
"data": {
"id": 0,
"name": "My Policy",
"last_editor": "my_username",
"last_modified": "2025-02-24T14:15:22Z",
"active": true,
"rules": [
{
"name": "My policy Rule",
"effect": "allow",
"resource": "platform",
"actions": ["access"],
"condition": {
"ip_address": [
"19.34.213.23",
"132.33.16.1/24"
]
}
}
]
}
}

Where state refers to the status of the policy’s creation and id is the unique identifier of the policy.

Done. You’ve configured a conditional access by IP address policy and it’s active. Once the policy is enabled, any user attempting to access the platform from an IP address not on the organization’s allowlist will receive an HTTP 403 status.

All access attempts by valid users of the account, both successful and unsuccessful, are logged in the Activity History for auditing and monitoring purposes.
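
A pre-flight check for the allowlist before the policy is sent with "active": true, as an added example that is not part of Azion's documentation or tooling. It assumes standard CIDR matching with host bits masked (so 132.33.16.1/24 is read as 132.33.16.0/24); the function names and any operator address passed to them are hypothetical.

```python
import ipaddress

# Constructed sample: the policy body from the POST request above.
POLICY = {
    "name": "My Policy",
    "active": True,
    "rules": [{
        "name": "My policy rule",
        "effect": "allow",
        "resource": "platform",
        "actions": ["access"],
        "condition": {"ip_address": ["19.34.213.23", "132.33.16.1/24"]},
    }],
}

def parse_entries(policy):
    """Return (networks, warnings) for the platform allow rules of a policy."""
    networks, warnings = [], []
    for rule in policy["rules"]:
        if rule["resource"] != "platform" or rule["effect"] != "allow":
            continue
        entries = rule.get("condition", {}).get("ip_address", [])
        if not entries:
            warnings.append(f"{rule['name']}: ip_address is mandatory for platform")
        for entry in entries:
            try:
                # strict=False masks host bits; assumed to match how the
                # platform reads an entry such as 132.33.16.1/24.
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError as exc:
                warnings.append(f"{entry}: not an IP address or CIDR ({exc})")
                continue
            if "/" in entry and str(net) != entry:
                warnings.append(f"{entry}: host bits set, covers {net}")
            networks.append(net)
    return networks, warnings

def would_allow(policy, source_ip):
    """True if source_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(source_ip)
    networks, _ = parse_entries(policy)
    return any(addr.version == n.version and addr in n for n in networks)

def preflight(policy, operator_ip):
    """Problems to resolve before sending the policy with active=true."""
    _, problems = parse_entries(policy)
    if policy["active"] and not would_allow(policy, operator_ip):
        problems.append(f"{operator_ip}: not on the allowlist, would receive HTTP 403")
    return problems
```

Call preflight with the public address your own session comes from; an empty list means the entries parse cleanly and that address is covered.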


Updating the status of a conditional access by IP address policy

  1. Run the following GET request in your terminal, replacing [Token] with your personal token to list all your configured account policies.
curl --request GET \
--url https://api.azion.com/v4/auth/policies \
--header 'Accept: application/json' \
--header 'Authorization: [Token]'
  2. You’ll receive a response similar to the following:
{
"count": 123,
"results": [
{
"id": 0,
"name": "My policy",
"last_editor": "my_username",
"last_modified": "2025-02-24T14:15:22Z",
"active": true,
"rules": [
{
"name": "My policy rule",
"effect": "allow",
"resource": "platform",
"actions": ["access"],
"condition": {
"ip_address": [
"19.34.213.23",
"132.33.16.1/24"
]
}
}
]
}
]
}
  3. Copy the id of the policy you want to update.
  4. Run the following PUT request in your terminal, replacing [Token] with your personal token and <id> with the identifier you copied in the previous step, to update the status of your policy.

This replaces all policy rules with the new data provided.

curl --request PUT \
--url https://api.azion.com/v4/auth/policies/<id> \
--header 'Accept: application/json' \
--header 'Authorization: [Token]' \
--header 'Content-Type: application/json' \
--data '{
"name": "My policy",
"active": false,
"rules": [
{
"name": "My policy rule",
"effect": "allow",
"resource": "platform",
"actions": ["access"],
"condition": {
"ip_address": [
"19.34.213.23",
"132.33.16.1/24"
]
}
}
]
}'

In this example, setting "active": false disables the policy.

  5. You’ll receive a response similar to the following:
{
"state": "executed",
"data": {
"id": 0,
"name": "My Policy",
"last_editor": "my_username",
"last_modified": "2025-02-24T14:15:22Z",
"active": false,
"rules": [
{
"name": "My policy Rule",
"effect": "allow",
"resource": "platform",
"actions": ["access"],
"condition": {
"ip_address": [
"19.34.213.23",
"132.33.16.1/24"
]
}
}
]
}
}
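
Because the PUT request replaces the policy's rules with whatever the body carries, a status change is safest when the body is built from the current GET result. The following added example (not Azion code) does that and reports what a hand-written body would change or omit; it assumes only name, active and rules are writable, and its function names are hypothetical.

```python
import copy
import json

# Assumption: only the keys shown in the page's POST/PUT bodies are writable;
# id, last_editor and last_modified are treated as read-only.
WRITABLE_KEYS = ("name", "active", "rules")

# Constructed sample shaped like the GET /v4/auth/policies response above.
LISTING = {"count": 1, "results": [{
    "id": 0, "name": "My policy", "last_editor": "my_username",
    "last_modified": "2025-02-24T14:15:22Z", "active": True,
    "rules": [{"name": "My policy rule", "effect": "allow",
               "resource": "platform", "actions": ["access"],
               "condition": {"ip_address": ["19.34.213.23", "132.33.16.1/24"]}}],
}]}

def find_policy(listing, policy_id):
    """Return the policy with the given id from a list response."""
    for policy in listing["results"]:
        if policy["id"] == policy_id:
            return policy
    raise KeyError(f"no policy with id {policy_id}")

def build_put_body(policy, **changes):
    """Copy the writable fields of the current policy, then apply changes."""
    unknown = set(changes) - set(WRITABLE_KEYS)
    if unknown:
        raise ValueError(f"not writable: {sorted(unknown)}")
    body = {key: copy.deepcopy(policy[key]) for key in WRITABLE_KEYS}
    body.update(changes)
    return body

def review_put_body(policy, body):
    """Report which writable fields a PUT body omits or changes."""
    missing = [k for k in WRITABLE_KEYS if k not in body]
    changed = [k for k in WRITABLE_KEYS if k in body and body[k] != policy[k]]
    return {"missing": missing, "changed": changed}

def status_update_json(listing, policy_id, active):
    """JSON for --data that changes only the status of one policy."""
    body = build_put_body(find_policy(listing, policy_id), active=active)
    return json.dumps(body, indent=2)
```

A review result other than no missing fields and only active changed means the request would do more than update the status.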

Deleting a conditional access by IP address policy

  1. Run the following GET request in your terminal, replacing [Token] with your personal token to list all your configured account policies.
curl --request GET \
--url https://api.azion.com/v4/auth/policies \
--header 'Accept: application/json' \
--header 'Authorization: [Token]'
  2. You’ll receive a response similar to the following:
{
"count": 123,
"results": [
{
"id": 0,
"name": "My policy",
"last_editor": "my_username",
"last_modified": "2025-02-24T14:15:22Z",
"active": true,
"rules": [
{
"name": "My policy rule",
"effect": "allow",
"resource": "platform",
"actions": ["access"],
"condition": {
"ip_address": [
"19.34.213.23",
"132.33.16.1/24"
]
}
}
]
}
]
}
  3. Copy the id of the policy you want to delete.
  4. Run the following DELETE request in your terminal, replacing [Token] with your personal token and <id> with the identifier you copied in the previous step, to delete the policy.
curl --request DELETE \
--url https://api.azion.com/v4/auth/policies/<id> \
--header 'Accept: application/json' \
--header 'Authorization: [Token]' \
--header 'Content-Type: application/json'
  5. You’ll receive a response similar to the following:
{
"state": "executed",
"data": {
"id": 0,
"name": "My policy",
"last_editor": "my_username",
"last_modified": "2025-02-24T14:15:22Z",
"active": true,
"rules": [
{
"name": "My policy rule",
"effect": "allow",
"resource": "platform",
"actions": ["access"],
"condition": {
"ip_address": [
"19.34.213.23",
"132.33.16.1/24"
]
}
}
]
}
}

Done. Your policy was deleted from your account.

