Configure Access Restrictions and Trusted Proxy IPs

To automate PCE management tasks, you can use API keys created by an admin user. This section describes how to restrict the use of API keys and the PCE web interface by IP address, so that API requests and users coming from non-allowed IP addresses are blocked.

Configure Access Restrictions

This section tells how to use the Illumio web console UI to configure access restrictions. You can also configure access restrictions programmatically using the REST API calls described in Access Restrictions and Trusted Proxy IPs in the REST API Developer Guide.

  • You must have the Global Org Owner role to view or change access restrictions.
  • A maximum of 50 access restrictions can be defined.

To configure access restrictions:

  1. Log in to the PCE web console as a user with the Global Org Owner role.
  2. Open the menu and choose Access Management - Access Restrictions.

    The Access Restriction page opens with a list that shows which IP addresses are allowed and where the restrictions have been applied.

  3. To add a new restriction, click Add.

    The Add Access Restriction page opens.

    Provide the required attributes:

    • Provide a name.
    • In Restriction Applies To, choose User Session, API Key, or Both. Access restrictions can be applied to these different types of user authentication.
    • List a maximum of eight IPv4 addresses or CIDR blocks.
  4. Click Edit to edit the restriction.
  5. View the access restrictions applied to local users. The default is blank, no restrictions.
  6. You can assign access restrictions to local and external users or user groups. To add a local user:
    1. Click Add.
    2. In Access Restriction, choose the type of access restriction.
    3. Click Add.
  7. View the local user's detail page. To modify the user settings, click Edit User.
  8. Use the Edit User dialog to apply restrictions.

    If an Org Owner assigns an access restriction to any Org Owner, a warning is shown, because this can result in the Org Owner user losing access to the PCE.

  9. View the list of API keys in the API Keys page and the Event page.

Configure Trusted Proxy IPs

This section tells how to use the Illumio web console UI to configure trusted proxy IPs. You can also configure trusted proxy IPs programmatically using the REST API calls as described in Access Restrictions and Trusted Proxy IPs in the REST API Developer Guide.

When a client is connected to the PCE's haproxy server, this connection can traverse one or more load balancers or proxies. Therefore, the source IP address of a client connection to haproxy might not be the actual public IP address of the client.

  1. Log in to the PCE web console as a user with the Global Org Owner role.
  2. Open the menu and choose Settings - Trusted Proxy IPs.

  3. Click Edit.

  4. In IP Addresses, enter up to eight IPv4 addresses or CIDR blocks.

  5. Click Save.
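
The following added example (not Illumio code and not the PCE's implementation) shows why trusted proxy IPs matter to access restrictions: a forwarded client address is believed only when the hop that reported it is a trusted proxy, and the resulting address is then checked against the allowed list. The X-Forwarded-For header, the function names, and all sample addresses are assumptions made for this example.

```python
import ipaddress

MAX_ENTRIES = 8  # page limit: eight IPv4 addresses or CIDR blocks per list

def parse_ip_list(entries):
    """Validate a list of up to eight IPv4 addresses or CIDR blocks."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries allowed")
    # IPv4Network accepts "192.0.2.50" (as a /32) and "203.0.113.0/24";
    # it rejects IPv6 and blocks with host bits set (a choice of this example).
    return [ipaddress.IPv4Network(e) for e in entries]

def in_any(ip, networks):
    return any(ip in net for net in networks)

def effective_client_ip(peer_ip, forwarded_for, trusted_proxies):
    """Walk from the nearest hop outward; stop at the first untrusted address."""
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    candidate = ipaddress.IPv4Address(peer_ip)  # TCP peer seen by the server
    for hop in reversed(hops):
        if not in_any(candidate, trusted_proxies):
            break  # reporter is not a trusted proxy: ignore what it forwarded
        candidate = ipaddress.IPv4Address(hop)
    return candidate

def is_allowed(peer_ip, forwarded_for, trusted_proxies, allowed):
    """Apply an access restriction to the resolved client address."""
    try:
        client = effective_client_ip(peer_ip, forwarded_for, trusted_proxies)
    except ValueError:
        return False  # malformed address in the header: fail closed
    return in_any(client, allowed)

# Constructed sample configuration (documentation address ranges).
TRUSTED = parse_ip_list(["10.0.0.0/24"])                    # load balancer subnet
ALLOWED = parse_ip_list(["203.0.113.0/24", "192.0.2.50"])   # access restriction

if __name__ == "__main__":
    # Request relayed by the trusted load balancer for an allowed client.
    print(is_allowed("10.0.0.5", "203.0.113.7", TRUSTED, ALLOWED))
    # Direct connection from an untrusted peer carrying the same header value.
    print(is_allowed("198.51.100.9", "203.0.113.7", TRUSTED, ALLOWED))
    # Trusted proxy appended 198.51.100.9; the entry before it is client-supplied.
    print(is_allowed("10.0.0.5", "192.0.2.50, 198.51.100.9", TRUSTED, ALLOWED))
```

With no trusted proxies configured, every relayed request resolves to the proxy's own address, so a restriction would have to allow the proxy and could not distinguish the clients behind it.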