Skip to content

Reducing the visibility of the deployment

Configuring the allow / deny list is a convenient way of reducing the visibility of your deployment over internet.

Allow lists

Allowlists
Allowlists

The allow / deny lists are split into two zones:

  • the first is the list for OpenID APIs (login, signup, tokens oAuth endpoints) which are the endpoints used by the end-users to get tokens
  • the second is the list for REST Admin API and Keycloak Admin Console urls. Those urls are meant to be used either by the Keycloak administrator, or by software that can provision / configure the realms for instance.

The list are composed of successive IPs or CIDRs that are evaluated in sequence (top to bottom). If the ip or the requester matches an entry, then the decision is applied and the evaluation stops.

If none matches, then the request is allowed.

INFO

Various IPs related to Cloud-IAM infrastructure, monitoring, ... are automatically granted and cannot be forbidden

Rate-limiting

For security and reliability reasons, the servers are protected with rate-limiting. The default value is 50 req/s for the OpenID APIs and 30 req/s for the Admin APIs.

Those values can be adjusted by the Cloud-IAM support team if needed.

INFO

IPs that have explicitly been granted (excepted 0.0.0.0/0) in the corresponding allow lists are excluded from rate limiting.

Request handling summary

When a request reaches the deployment, there then multiple scenario based on the security configuration:

  • the requester ip has been explicitly denied, then the request is rejected with 403 response code
  • the requester ip has been explicitly allowed, then the request is handled, regardless of the rate limiting
  • a rate limiting based on the requester ip is calculated. If the rate limiting of the ip is below the threshold, the request is handled, otherwise it will be rejected with a 429 response code.