Async Client IP safelist for Dot NET
I have a .Net Web API project and I wanted to implement a mechanism via code to make sure that only certain IP addresses are allowed to call that API. We could do this by configuring the networking rules, Virtual Network, NSG implementations or even Azure App Access Restrictions if we host the Web API in an Azure App Service. However, the reason why I wanted to implement this via code is that the IP addresses list gets updated frequently and I wanted to make sure that there is very less maintenance on the service. Here, in this post we will see, how we can get the Safe List IP addresses asynchronously and add that to configure our ActionFilterAttribute and apply the same to the Web API to make sure that the unidentified requests gets 403 Forbidden.
Create an IP Action Filter
Before you do this, I assume that you already have the .Net Web API. For this post I am using .Net 7. Create a Services folder and then create a class IpActionFilter that is inherited from ActionFilterAttribute.
The implementation is a clone of this doc. As you can see from that doc, there it the safe IP addresses list are static and is added to the App Settings manually. However in my scenario, I had to get this from an Async service call.
Get the IP addresses from an Asyn service call
We will create a new Service IpFilterService that implements IIpFilterService. Here we will mimic the async call to make this post more concrete.
Async call to set the configuration
If you just have a few IP addresses that can easily set in the App Settings. You can just add them manually as in this post. As I wanted to update this list via an async service call, there are a few additional changes we must do. One of them is creating a Hosted Service that implements IHostedService and add that to the builder using builder.Services.AddHostedService. Let’s create IpHostedService.
As you can see from the code above, we are setting the AdminSafeIpList configuration to our App Settings via the code. Now all we need to add is to add this to the builder.
Configure the builder
To make sure that the AdminSafeIpList is updated to the App Settings, we will need to add our IpHostedService as a HostedService. You can learn more about this service here. The code for Program.cs after this changes is below.
So we are passing the AdminSafeIpList to the IpActionFilter.
Enable IpActionFilter as a ServiceFilter
As we have implemented the action filter and other required services, we now can add the IpActionFilter as a ServiceFilter in the controller or the actions. Add the code [ServiceFilter(typeof(IpActionFilter))] to top of controller or actions.
Finally, Add some unit tests
Let’s try to add some unit tests for our IpActionFilter.
Output
Let’s build and run our API. You should see the preceeding response.
With External IPs:
With Internal IPs:
Source Code
You can also see the codes in this repository.
Conclusion
Here in this post we have seen,
1. How we can restrict the accesse to our Web APIs by providing the Safe IP addresses list
2. How to create a new Action Filter and use that for Controllers
3. One of the challenge was to get the IP Address safe list from an Async service call and update the App Settings.
About the Author
I am yet another developer who is passionate about writing and video creation. I have written more than 500 blogs on my blog. If you like this content, consider following me here,
Your turn. What do you think?
Thanks a lot for reading. Did I miss anything that you may think is needed in this article? Could you find this post useful? Kindly do not forget to share your feedback.