Allow connection to Scripted REST API from specific IP Addresses

Imi NOW
Tera Contributor

Hi all,

is there a way to allow inbound connections to Scripted REST API from specific IP Addresses but not instance wide, just for scoped specific APIs?

Our current scenario has couple APIs and we need to secure them in a way to be able to allow connections from range of IP Addresses.

IP Address Access Control does not work for this case and Adaptive Authentication does not fit for this purpose, since it sets for all APIs.

Thank you!


Randheer Singh
ServiceNow Employee

You can use the REST API access policy feature. Here is the documentation.

You can associate an authentication profile with your API. In the authentication profile, you can define the allowed authentication method. You can also specify an adaptive authentication policy, in which you can add IP range-based conditions.


[Screenshot: rest-api-access-policy1.png]


Ankur Bawiskar
Tera Patron

@Imi NOW

This link has a detailed explanation and covers multiple ways to do that:

How to restrict inbound REST web service calls

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Thanks for adding the KB @Ankur Bawiskar.

This KB needs an update. Options 2 and 3 are not really options in this scenario.

1. Rate limiting rules are there to limit the number of inbound REST API requests processed per hour. These work at the user and role levels. These rules do not deny requests based on IP.
2. IP address access control applies to every inbound transaction, including web sessions, processors, SOAP, and REST APIs. It does not provide a per-API IP restriction policy.

This leads us to option 1, the API access policy feature.

Just so you know, the API access policy is also available for SOAP APIs and processors from the Utah release onwards. We also have a global API access policy option. This can be used to enforce default-deny scenarios for all APIs. After implementing the global policy, an admin can selectively allow the required APIs via an overriding API access policy at the individual API level.
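To make the two replies above concrete (an authentication profile with IP range-based conditions, and a global default-deny policy overridden per API), here is an added example that models that decision logic in plain JavaScript. It is not ServiceNow's code and does not use any ServiceNow API; the policy table, API names and IP ranges are constructed sample data, and the CIDR matcher is written out so the range check itself is visible.

```javascript
// Added example (not ServiceNow platform code): models how a global default-deny
// API access policy combined with per-API overrides carrying IP-range conditions
// decides whether an inbound request is accepted. Sample data is constructed.

// Convert a dotted-quad IPv4 string to an unsigned integer; null if malformed.
function ipv4ToInt(ip) {
  var parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside the CIDR block, e.g. "203.0.113.0/24".
// Plain division is used instead of bit operators so the comparison never
// hits JavaScript's signed 32-bit integer behaviour on high addresses.
function ipInCidr(ip, cidr) {
  var pieces = String(cidr).split('/');
  var base = ipv4ToInt(pieces[0]);
  var addr = ipv4ToInt(ip);
  var bits = pieces.length === 2 ? parseInt(pieces[1], 10) : 32;
  if (base === null || addr === null || isNaN(bits) || bits < 0 || bits > 32) return false;
  var hostBlock = Math.pow(2, 32 - bits);          // number of addresses in the block
  return Math.floor(base / hostBlock) === Math.floor(addr / hostBlock);
}

// Constructed policy set. The global policy denies everything by default;
// each per-API override allows access, optionally restricted to IP ranges.
// API names and ranges are made-up sample values.
var globalPolicy = { action: 'deny' };
var apiPolicies = {
  'x_acme_partner.orders': { action: 'allow', ipRanges: ['203.0.113.0/24', '198.51.100.10/32'] },
  'x_acme_partner.status': { action: 'allow', ipRanges: [] }   // no IP condition
};

// Decide whether a request to apiName from clientIp is accepted.
// Returns { allowed, reason } so the outcome can be logged for review.
function evaluateAccess(apiName, clientIp) {
  var policy = apiPolicies[apiName];
  if (!policy) {
    return { allowed: globalPolicy.action === 'allow', reason: 'global policy applied (no API-level override)' };
  }
  if (policy.action !== 'allow') {
    return { allowed: false, reason: 'API-level policy denies' };
  }
  if (policy.ipRanges.length === 0) {
    return { allowed: true, reason: 'API-level policy allows with no IP condition' };
  }
  for (var i = 0; i < policy.ipRanges.length; i++) {
    if (ipInCidr(clientIp, policy.ipRanges[i])) {
      return { allowed: true, reason: 'client IP matched ' + policy.ipRanges[i] };
    }
  }
  return { allowed: false, reason: 'client IP outside the allowed ranges' };
}

// Demonstration over a few constructed requests.
var samples = [
  ['x_acme_partner.orders', '203.0.113.5'],   // inside /24        -> allowed
  ['x_acme_partner.orders', '192.0.2.9'],     // outside all ranges -> denied
  ['x_acme_partner.status', '192.0.2.9'],     // no IP condition    -> allowed
  ['x_acme_other.api',      '203.0.113.5']    // no override, global deny
];
for (var s = 0; s < samples.length; s++) {
  var verdict = evaluateAccess(samples[s][0], samples[s][1]);
  console.log(samples[s][0] + ' from ' + samples[s][1] + ': ' +
              (verdict.allowed ? 'ALLOW' : 'DENY') + ' (' + verdict.reason + ')');
}
```

The order of evaluation is the point: an API with no override inherits the global deny, so adding a new Scripted REST API never silently opens it. Whatever enforces such a check must take the client address from the connection the platform observed, not from a client-supplied header, or the range condition can be bypassed.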

@Randheer Singh 

I am not able to view that left nav module in the Utah instance.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader