How to manage a conditional access by IP address policy
The Azion Conditional Access by IP Address policy allows you to create lists that allow access to your resources based on specific IP addresses. You can define particular IP addresses to enforce the policy, ensuring that only devices accessing from these addresses can reach the platform. This way, access from any IP address not on the organization’s allowlist should be blocked when this policy is enabled.
This guide explains configuring and managing conditional access by IP address policy through Azion’s platform.
Configuring a conditional access by IP address policy
- Run the following
POSTrequest in your terminal, replacing[Token]with your personal token to configure your policy.
curl --request POST \ --url https://api.azion.com/v4/auth/policies \ --header 'Accept: application/json' \ --header 'Authorization: [Token] ' \ --header 'Content-Type: application/json' \ --data '{ "name": "My Policy", "active": true, "rules": [ { "name": "My policy Rule", "effect": "allow", "resource": "*", "action": "*", "condition": { "ip_address": [ "19.34.213.23", "132.33.16.1/24" ] } } ]}'Where:
| Key | Type | Description |
|---|---|---|
| name | String | Refers to the name of the conditional access policy. Up to 255 characters |
| active | Boolean | Indicates whether the policy is active. Accepted values: true and false |
| rules | Array of objects | Includes an array of rules that define the policy’s behavior |
| name | String | In the rules’ array, refers to the name of the individual rule. Up to 255 characters |
| effect | String | Refers to the rule’s effect. Accepted values: allow and deny |
| resource | String | Specifies the resource(s) to which the rule applies. Accepted value: *, for all resources |
| action | String | Specifies the action(s) to which the rule applies. Accepted value: *, for all actions |
| condition | Text | Defines the conditions under which the rule applies |
| ip_address | Array of strings | Includes an array of IP addresses that are evaluated by the condition |
- You’ll receive a response similar to the following:
{ "state": "executed", "data": { "uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "name": "My Policy", "active": true, "rules": [ { "name": "My policy Rule", "effect": "allow", "resource": "*", "action": "*", "condition": { "ip_address": [ "19.34.213.23", "132.33.16.1/24" ] } } ] }}Where state refers to the status of the policy’s creation and uuid is the unique identifier of the policy.
Done. You’ve configured conditional access by IP address policy and it’s active. Once the policy is enabled, any user attempting to access the platform from an IP address not on the organization’s allowlist will receive an HTTP 403 status.
All the access attempts, both successful and unsuccessful for valid users for the account, are logged in the Activity History for auditing and monitoring purposes.
Updating the status of a conditional access by IP address policy
- Run the following
GETrequest in your terminal, replacing[Token]with your personal token to list all your configured account policies.
curl --request GET \ --url https://api.azion.com/v4/auth/policies \ --header 'Accept: application/json' \ --header 'Authorization: [Token]'- You’ll receive a response similar to the following:
{ "count": 123, "results": [ { "uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "name": "string", "active": true, "rules": [ { "name": "string", "effect": "allow", "resource": "*", "action": "*", "condition": { "ip_address": [ "string" ] } } ] } ]}- Copy the
uuidof the policy you want to update. - Run the following
PUTrequest in your terminal, replacing[Token]with your personal token and<uuid>with the identifier you copied in the previous step, to update the status of your policy.
This replaces all policy rules with the new data provided.
curl --request PUT \ --url https://api.azion.com/v4/auth/policies/<uuid> \ --header 'Accept: application/json' \ --header 'Authorization: 123' \ --header 'Content-Type: application/json' \ --data '{ "name": "string", "active": false, "rules": [ { "name": "string", "effect": "allow", "resource": "*", "action": "*", "condition": { "ip_address": [ "string" ] } } ]}'In this example, using "active": false will disable the active rule.
Alternatively, you can use a PATCH request to partially update a policy, adjusting one or more fields of an existing policy without affecting other fields.
:::
- You’ll receive a response similar to the following:
{ "state": "executed", "data": { "uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "name": "My Policy", "active": true, "rules": [ { "name": "My policy Rule", "effect": "allow", "resource": "*", "action": "*", "condition": { "ip_address": [ "19.34.213.23", "132.33.16.1/24" ] } } ] }}Deleting a conditional access by IP address policy
- Run the following
GETrequest in your terminal, replacing[Token]with your personal token to list all your configured account policies.
curl --request GET \ --url https://api.azion.com/v4/auth/policies \ --header 'Accept: application/json' \ --header 'Authorization: [Token]'- You’ll receive a response similar to the following:
{ "count": 123, "results": [ { "uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "name": "string", "active": true, "rules": [ { "name": "string", "effect": "allow", "resource": "*", "action": "*", "condition": { "ip_address": [ "string" ] } } ] } ]}- Copy the
uuidof the policy you want to update. - Run the following
DELETErequest in your terminal, replacing[Token]with your personal token and<uuid>with the identifier you copied in the previous step, to delete the policy.
curl --request DELETE \ --url https://api.azion.com/v4/auth/policies/uuid \ --header 'Accept: application/json' \ --header 'Authorization: [Token]' \ --header 'Content-Type: application/json'- You’ll receive a response similar to the following:
{ "state": "exectuted", "data": { "uuid": "095be615-a8ad-4c33-8e9c-c7612fbf6c9f", "name": "string", "active": true, "rules": [ { "name": "string", "effect": "allow", "resource": "*", "action": "*", "condition": { "ip_address": [ "string" ] } } ] }}Done. Your policy was deleted from your account.
Contributors
