Security Actions API

This page applies to Apigee and Apigee hybrid.


In addition to using Security Actions in the Apigee UI, you can also access all of the Security Actions features through the Apigee API.

Limitations on security actions

Security actions are enforced at the Apigee environment level. For each environment, security actions have the following limitations:

  • At most 1000 enabled actions are allowed for an environment at any time.
  • You can add at most 5 flag headers for each action.

Latencies

Security actions have the following latencies:

  • When you create a security action, it can take up to 10 minutes for the action to take effect. Once an action has taken effect and has been applied to some API traffic, you will be able to view the action's effects in the Security action details page. Note: Even if the action has taken effect, you won't be able to determine that from the Security action details page unless the action has been applied to some API traffic.
  • Enabled security actions incur a small increase (less than 2 percent) in API proxy response time.

Create security actions

The following examples show how to create security actions using API calls. In all of the examples:

  • ORG is the organization.
  • ENV is the environment for the security action.
  • ACTION_NAME is the name of the security action.

Create a deny action

To create a deny action, enter a command similar to the following:

curl -XPOST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions?security_action_id=ACTION_NAME" \
       -H "Content-Type: application/json" \
       -d '{"state": "ENABLED", "deny": {"response_code": 404}, "condition_config": {"ip_address_ranges": ["100.0.225.0"]}}'

This creates a security action that denies requests from the IP addresses listed after ip_address_ranges and returns response code 404.

Create a flag action

To create a flag action, enter a command similar to the following:

curl -XPOST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions?security_action_id=ACTION_NAME" \
        -H "Content-Type: application/json" \
        -d '{"state": "ENABLED", "flag": {"headers": [{"name": "senseflag", "value": "flagvalue"}]}, "condition_config": {"ip_address_ranges": ["100.0.230.0"]}}'

This creates a security action that flags requests from the IP addresses listed after ip_address_ranges and adds a header senseflag with value flagvalue.

Create an allow action

To create an allow action, enter a command similar to the following:

curl -XPOST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions?security_action_id=ACTION_NAME" \
        -H "Content-Type: application/json" \
        -d '{"state": "ENABLED", "allow": {}, "condition_config": {"ip_address_ranges": ["100.0.220.0", "200.0.0.0"]}}'

This creates a security action that allows requests from the IP addresses listed after ip_address_ranges.
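
The following pre-flight check is an added example, not part of the Apigee documentation or tooling. It validates a create request body against the flag-header limit stated on this page before the body is sent. The function names are hypothetical, and it assumes that exactly one of deny, flag or allow is set, that state is ENABLED or DISABLED, and that ip_address_ranges entries are single addresses or CIDR blocks.

```python
import ipaddress
from urllib.parse import quote

API = "https://apigee.googleapis.com/v1"
MAX_FLAG_HEADERS = 5                      # limit stated on this page
ACTION_TYPES = ("deny", "flag", "allow")  # assumption: exactly one per action

def create_url(org, env, action_id):
    """URL used by the create examples, with each part URL-escaped."""
    return (f"{API}/organizations/{quote(org, safe='')}/environments/"
            f"{quote(env, safe='')}/securityActions"
            f"?security_action_id={quote(action_id, safe='')}")

def validate_action(body):
    """Return a list of problems; an empty list means these checks passed."""
    problems = []
    kinds = [k for k in ACTION_TYPES if k in body]
    if len(kinds) != 1:
        problems.append(f"expected exactly one of {ACTION_TYPES}, found {kinds}")
    if body.get("state") not in ("ENABLED", "DISABLED"):
        problems.append(f"unexpected state {body.get('state')!r}")
    headers = body.get("flag", {}).get("headers", [])
    if len(headers) > MAX_FLAG_HEADERS:
        problems.append(f"{len(headers)} flag headers exceeds limit of {MAX_FLAG_HEADERS}")
    # Only the IP-based condition shown on this page is handled here.
    ranges = body.get("condition_config", {}).get("ip_address_ranges", [])
    if not ranges:
        problems.append("condition_config.ip_address_ranges is empty")
    for entry in ranges:
        try:
            ipaddress.ip_network(entry, strict=False)  # accepts address or CIDR
        except ValueError:
            problems.append(f"not an IP address or CIDR block: {entry!r}")
    return problems

# Constructed samples: GOOD is the page's deny body, BAD is deliberately invalid.
GOOD = {"state": "ENABLED", "deny": {"response_code": 404},
        "condition_config": {"ip_address_ranges": ["100.0.225.0"]}}
BAD = {"state": "ENABLED", "allow": {},
       "flag": {"headers": [{"name": f"h{i}", "value": "v"} for i in range(6)]},
       "condition_config": {"ip_address_ranges": ["100.0.225.300"]}}

if __name__ == "__main__":
    print(create_url("ORG", "ENV", "ACTION_NAME"))
    for problem in validate_action(BAD):
        print("-", problem)
```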

Enable or disable a security action

The following examples show API calls to enable or disable security actions.

Enable a security action

To enable a security action, enter a command similar to the following:

curl -XPOST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions/ACTION_NAME:enable"

This returns a response like the following:

{
      "name": "ACTION_ALLOW",
      "state": "ENABLED",
      "createTime": "2022-12-29T18:27:31Z",
      "updateTime": "2023-01-03T23:19:26.650965481Z",
      "conditionConfig": {
        "ipAddressRanges": [
          "100.0.220.0",
          "200.0.0.0"
        ]
      },
      "allow": {},
      "expireTime": "2028-01-01T00:00:00Z"
   }

Disable a security action

To disable a security action, enter a command similar to the following:

curl -XPOST "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions/ACTION_NAME:disable"

This returns a response like the following:

{
      "name": "actionallow",
      "state": "DISABLED",
      "createTime": "2022-12-29T18:27:31Z",
      "updateTime": "2023-01-03T23:13:04.874540001Z",
      "conditionConfig": {
        "ipAddressRanges": [
          "100.0.220.0",
          "200.0.0.0"
        ]
      },
      "allow": {},
      "expireTime": "2028-01-01T00:00:00Z"
   }

Get or list security actions

The following examples show how to get or list security actions.

Get a security action

To get a security action, enter a command similar to the following:

curl -XGET  "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions/ACTION_NAME"

This returns a response like the following:

{
      "name": "ACTION_NAME",
      "state": "DISABLED",
      "createTime": "2022-12-29T18:27:31Z",
      "updateTime": "2023-01-03T23:13:04Z",
      "conditionConfig": {
        "ipAddressRanges": [
          "100.0.220.0",
          "200.0.0.0"
        ]
      },
      "allow": {},
      "expireTime": "2028-01-01T00:00:00Z"
    }

List security actions

To list all security actions, enter a command similar to the following:

curl -XGET  "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActions"
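
The following audit is an added example, not part of the Apigee documentation. It takes action objects in the shape of the get response shown above, counts enabled actions against the 1000-per-environment limit, and reports enabled allow and deny actions whose IP ranges overlap. The action names and the CIDR entry in the sample are constructed, and CIDR support in ipAddressRanges is an assumption.

```python
import ipaddress
from itertools import product

MAX_ENABLED = 1000  # per-environment limit stated on this page

def networks(action):
    """Parse an action's ipAddressRanges into ip_network objects."""
    ranges = action.get("conditionConfig", {}).get("ipAddressRanges", [])
    return [ipaddress.ip_network(r, strict=False) for r in ranges]

def audit(actions):
    """Summarize enabled actions and list allow/deny pairs that overlap."""
    enabled = [a for a in actions if a.get("state") == "ENABLED"]
    allows = [a for a in enabled if "allow" in a]
    denies = [a for a in enabled if "deny" in a]
    conflicts = []
    for allow, deny in product(allows, denies):
        for na, nd in product(networks(allow), networks(deny)):
            # Compare only like with like (IPv4 vs IPv4, IPv6 vs IPv6).
            if na.version == nd.version and na.overlaps(nd):
                conflicts.append((allow["name"], deny["name"], str(na), str(nd)))
    return {"enabled": len(enabled),
            "headroom": MAX_ENABLED - len(enabled),
            "conflicts": conflicts}

# Constructed sample: one allow and one deny overlap; the disabled action is ignored.
SAMPLE = [
    {"name": "allow-partners", "state": "ENABLED", "allow": {},
     "conditionConfig": {"ipAddressRanges": ["100.0.220.0", "200.0.0.0"]}},
    {"name": "deny-scanners", "state": "ENABLED", "deny": {"responseCode": 404},
     "conditionConfig": {"ipAddressRanges": ["100.0.0.0/8"]}},
    {"name": "deny-old", "state": "DISABLED", "deny": {"responseCode": 404},
     "conditionConfig": {"ipAddressRanges": ["200.0.0.0"]}},
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(f"enabled={report['enabled']} headroom={report['headroom']}")
    for allow, deny, na, nd in report["conflicts"]:
        print(f"overlap: allow {allow} ({na}) vs deny {deny} ({nd})")
```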

Pause or resume security actions

The following examples show how to pause or resume security actions.

Pause all security actions

To pause all security actions, enter a command similar to the following:

curl -XPATCH "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActionsConfig" \
                -H "Content-Type: application/json" \
                -d '{"enabled": "false", "name": "organizations/ORG/environments/ENV/securityActionsConfig"}'

This returns a response like the following:

{
      "name": "organizations//environments/ENV/securityActionsConfig",
      "enabled": false,
      "updateTime": "2023-01-23T21:44:58.063807Z"
}

Resume paused security actions

To resume paused security actions, enter a command similar to the following:

curl  -XPATCH "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/securityActionsConfig" \
                -H "Content-Type: application/json" \
                -d '{"enabled": "true", "name": "organizations/ORG/environments/ENV/securityActionsConfig"}'

This returns a response like the following:

{
      "name": "organizations/ORG/environments/ENV/securityActionsConfig",
      "enabled": true,
      "updateTime": "2023-01-23T21:44:58.063807Z"
}