Mashery Whitelisting FAQs

Frequently Asked Questions

Q: What is IP whitelisting?
A: IP whitelisting, whether at the firewall or the application level, is a security practice designed to limit access to your origin server by IP address. Mashery utilizes a finite set of IP addresses with which to connect to your servers and deliver requests from your consumers.

Q: Why are there so many IP addresses?
A: There are two lists within the IP whitelist. The first set is for the Traffic Manager, which is the system that handles your API traffic. These IP addresses constitute all the IPs from which we might connect across our global network. We require all of them to be whitelisted so that we can manage availability via failover as needed. The second set is that of the Monitoring system, which we use to make calls both through the Traffic Manager to your origin and directly to your origin.

Q: What types of IP whitelisting does Mashery support?
A: Mashery supports what we call 'Outbound' whitelisting. In managing your traffic, we sit between your consumers and your origin servers. As such, 'Outbound' is the hop between Mashery and your origin service, and 'Inbound' is the hop between the consumer and Mashery. Mashery does not support Inbound IP whitelisting, except in the case of some legacy integrations. The IP addresses in this whitelist do not refer to the public IP addresses that your consumers may reach when connecting through Mashery, but rather to the hosts from which we will call your back end, so that you can manage your origin server access rules.

Q: How do I know if I'm whitelisting?
A: Please contact your internal Network or Security teams to determine if you are utilizing IP whitelisting.

Q: What if I do not use IP whitelisting?
A: If you do not employ IP whitelisting, there is no action required on your part.

Q: What will happen if I don't update my whitelist in time, and what type of behavior will I see?
A: Once the new IP addresses are available to us, we will begin adding them to our active systems. If your systems are not updated in time, Mashery will be unable to connect to your origin servers, which could cause anything from a minor impact to a major impact. Issues deriving from whitelisting problems will manifest as 504 Gateway Timeout errors, which your consumers may report and which you will also see in your Mashery-powered reporting tool. Additionally, should the monitoring IP addresses not be whitelisted, we will be unable to monitor your APIs via our monitoring tool.

Q: Why is Mashery adding IP addresses?
A: We add additional IP addresses for a number of reasons: 1) as our customer and traffic base continues to grow, we must add additional IP addresses with which to manage capacity; 2) we continue to grow globally, so additional IP addresses may be tied to the creation of additional geographic locations; 3) our API monitoring IP addresses will change over time. We make every effort to keep this list as static as possible; however, there are periodic needs to expand the list. We know that updating firewall rules can be a burden and requires planning and a release process on your part. As such, our policy is to provide a minimum of 30 calendar days' notice prior to deploying the new IP addresses.

Q: Can I remove any IPs from my current list of allowed IPs?
A: Please consider this list of IP addresses as supplementary to what you may have already whitelisted. Please leave your current IP addresses in place and add the provided list of IP addresses, deduplicating as you add them. We expect in the future to remove some legacy IP addresses from this list. There are only a few exceptions to this rule, and the IPs that can be removed are located at the bottom of the IP whitelist and noted appropriately.

Q: What is the difference between a minor version change and a major version change of Mashery's whitelist?
A: Minor versions (e.g. the move from 5.2 to 5.3) reflect a change in only the monitoring IP addresses. Major version changes (e.g. the move from 5.2 to 6.0) are reserved for changes to the Traffic Manager IP addresses, though they may also contain Monitoring IP addresses.

Q: I don't use the cloud Traffic Manager; I only use Mashery Local or another on-premise solution. Do I still need to perform these updates?
A: If you do not expect to handle traffic via the Cloud Traffic Manager, you need not worry about our whitelist updates. However, if you plan to fail over traffic from On Premise to the Cloud, you will need to fully whitelist, at minimum, the Traffic Manager IPs. If you are on Mashery Local, we do not monitor your APIs as a part of our service, and the Monitoring IPs therefore do not need to be whitelisted.

Q: Why can't Mashery provide a better diff of old and new whitelist information?
A: 'Diffing' assumes that we know your current IP whitelist, which we do not. Some customers have not whitelisted all IP addresses previously, and we have no way of knowing this. We are attempting to press the reset button here and get all customers to monitor all IPs for the Traffic Manager in order to level set.
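
Because only you know your current rules, the diff has to be computed on your side. The sketch below is an added example, not Mashery tooling: it merges a published list into an existing allowlist with deduplication, as the answer on removing IPs asks, and reports which published entries your current rules do not yet cover. The function names are hypothetical and all addresses are constructed from documentation ranges.

```python
import ipaddress

def parse(entries):
    """Parse IPs/CIDRs into a set of networks; skip blanks and # comments."""
    nets = set()
    for raw in entries:
        text = raw.split("#", 1)[0].strip()
        if text:
            # A bare address becomes a /32 (or /128) network.
            nets.add(ipaddress.ip_network(text, strict=False))
    return nets

def _sort_key(net):
    return (net.version, int(net.network_address), net.prefixlen)

def merge_allowlist(current, published):
    """Return (merged, missing) as lists of CIDR strings.

    merged:  current plus published, deduplicated and collapsed without
             widening access beyond the union of both lists.
    missing: published entries that no single current rule already covers.
    """
    cur, pub = parse(current), parse(published)
    missing = sorted(
        (p for p in pub
         if not any(p.version == c.version and p.subnet_of(c) for c in cur)),
        key=_sort_key)
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in cur | pub if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in merged], [str(n) for n in missing]

# Constructed sample data (RFC 5737 documentation ranges, not Mashery IPs).
CURRENT = ["192.0.2.10", "192.0.2.10/32  # same host, CIDR form",
           "198.51.100.0/25", "# legacy note", ""]
PUBLISHED = ["192.0.2.10/32", "198.51.100.64/26",
             "198.51.100.128/25", "203.0.113.7"]

if __name__ == "__main__":
    merged, missing = merge_allowlist(CURRENT, PUBLISHED)
    print("rules to add:", missing)
    print("merged allowlist:", merged)
```

Existing entries are never dropped from the merged result, which matches the guidance to treat the published list as supplementary.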
