Restricting and Allowing IP Addresses in Elasticsearch with INFINI Gateway

1. What Is IP Access Control?

IP access control is a security mechanism that decides whether a client can reach a service based on its IP address. In INFINI Gateway it is enabled via the ip_access_control configuration, which supports two modes:

Whitelist : only the listed IPs are allowed.

Blacklist : the listed IPs are denied.

Both modes can be used alone or together to ensure that only trusted IPs can access the service.

2. Enabling IP Access Control

To enable the feature, add an ip_access_control node to the router configuration and set enabled: true:

router:
  - name: my_router
    default_flow: async_bulk
    ip_access_control:
      enabled: true

The enabled: true flag turns on IP filtering; further rules can then be added.

3. Configuring a Whitelist (Allow List)

To allow only specific IPs, define the client_ip.permitted list. For example, to permit only 133.37.55.22:

router:
  - name: my_router
    default_flow: async_bulk
    ip_access_control:
      enabled: true
      client_ip:
        permitted:
          - 133.37.55.22

Only requests from 133.37.55.22 will be accepted; all others are rejected.

4. Configuring a Blacklist (Deny List)

To block specific IPs, use the client_ip.denied list. For example, to deny 133.37.55.22:

router:
  - name: my_router
    default_flow: async_bulk
    ip_access_control:
      enabled: true
      client_ip:
        denied:
          - 133.37.55.22

Requests from the denied IP are rejected, while all other IPs are allowed.

5. Using Both Whitelist and Blacklist Together

You can combine the two lists. For instance, allow 133.37.55.22 but deny 192.168.1.1:

router:
  - name: my_router
    default_flow: async_bulk
    ip_access_control:
      enabled: true
      client_ip:
        permitted:
          - 133.37.55.22
        denied:
          - 192.168.1.1

In this configuration, the first IP is permitted, the second is blocked.

6. Typical Scenarios for IP Access Control

Protecting sensitive services : Use a whitelist to ensure only authorized clients can reach critical endpoints.

Blocking malicious traffic : Use a blacklist to reject known bad IPs and mitigate attacks.

Flexible access management : Dynamically adjust permitted or denied IPs to match changing business needs.

7. Summary

IP access control in INFINI Gateway provides a practical way to secure Elasticsearch services. By adding simple YAML snippets, you can define whitelist and blacklist rules, or combine them, to control which IPs may access your gateway and which are blocked, thereby improving overall system security.