How to Apply an IP Allowlist Policy for API Applications Both With and Without DLB in Mule

Publish Date: Aug 25, 2025
Task

Apply an IP allowlist policy for API applications both with and without a DLB in front of them.

Steps

Create an "IP allowlist" policy for the API proxy. In the "IP expression" field use a null check like the examples below to determine if the header or remote address attribute should be checked.

Mule 3

#[(message.inboundProperties['x-real-ip'] != null)? (message.inboundProperties['x-real-ip']) : 
(message.inboundProperties.'http.remote.address'.substring(1,message.inboundProperties.'http.remote.address'.lastIndexOf(':'))) ]

Mule 4

#[(attributes.headers['x-real-ip'] != null)? (attributes.headers['x-real-ip']) : ([attributes.remoteAddress]) ]

Note that the examples above use 'x-real-ip' instead of 'x-forwarded-for'. In CloudHub 1.0 applications, there may be cases where X-Forwarded-For contains multiple IP addresses, and the allowlist policy only checks the first IP ("client" in the example above). The alternative is to check against the X-Real-IP HTTP header, which returns the last proxy or last public IP in the network path. In CloudHub 2.0 applications, you may still use 'x-forwarded-for', as it will have the same value as 'x-real-ip'.

Then add the IP or IP ranges in the Allowlist field. Click Apply to complete.

1. How does the Mule application work?
    It's a simple expression of the form #[ condition ? value if the condition is true : value if the condition is false ]. Because the DLB adds the 'x-real-ip' header with the source IP, the header only exists in requests forwarded upstream by the DLB. If this header is not in the request, the expression gets the source IP address from the remote address attribute ('http.remote.address' in Mule 3, attributes.remoteAddress in Mule 4).

2. How do I know if the IP is blocked by the allowlist policy?
    The response status code is "403" and the response contains this message:
    { "error": "invalid_ip", "description": "The IP Address is invalid." }

3. What does the error message below indicate?
    { "error": "invalid_ip", "description": "Unable to identify the Client's IP Address." }
    The policy couldn't get the source IP from the request. Please check the IP expression of your allowlist policy.
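
The following Python model is an added example, not MuleSoft's policy code and not part of the original article. It mirrors the Mule 3 IP expression and the FAQ outcomes above so you can check how a request with or without the DLB header resolves against an allowlist. The function names, allowlist entries and sample addresses are constructed, and ordinary IP/CIDR matching is assumed.

```python
import ipaddress

# Constructed sample allowlist (documentation ranges), not values from the article.
ALLOWLIST = ["203.0.113.0/24", "2001:db8::/32"]

def resolve_ip(headers, remote_address):
    """Model of the IP expression: x-real-ip if present, else the remote address."""
    headers = {k.lower(): v for k, v in headers.items()}
    real_ip = headers.get("x-real-ip")
    if real_ip is not None:
        # The expression uses the header whenever it is present, whoever set it.
        return real_ip.strip()
    if not remote_address or ":" not in remote_address:
        return None
    # Mule 3 form: '/203.0.113.77:51234' -> substring(1, lastIndexOf(':'))
    # Cutting at the LAST colon keeps an IPv6 address intact.
    return remote_address[1:remote_address.rfind(":")]

def evaluate(headers, remote_address, allowlist=ALLOWLIST):
    """Return (verdict, description) using the messages quoted in the article."""
    candidate = resolve_ip(headers, remote_address)
    if candidate is None:
        return "unidentified", "Unable to identify the Client's IP Address."
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return "unidentified", "Unable to identify the Client's IP Address."
    if any(ip in ipaddress.ip_network(e, strict=False) for e in allowlist):
        return "allowed", None
    return "blocked", "The IP Address is invalid."

# Constructed requests: (label, headers, remote address as Mule 3 reports it)
CASES = [
    ("behind DLB, listed", {"X-Real-IP": "203.0.113.10"}, "/10.0.0.5:44321"),
    ("behind DLB, not listed", {"x-real-ip": "192.0.2.44"}, "/10.0.0.5:44322"),
    ("no DLB, listed", {}, "/203.0.113.77:51234"),
    ("no DLB, IPv6 listed", {}, "/2001:db8:0:0:0:0:0:5:40000"),
    ("expression yields nothing", {}, None),
]

if __name__ == "__main__":
    for label, headers, remote in CASES:
        print(f"{label:28} -> {evaluate(headers, remote)}")
```
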
 

Knowledge Article Number

001114641

 