Hi Alejandro,
You will have to identify what is the difference between internal and external traffic.
For example: All ip's that start with 10.20.51.x belong to internal and therefore allow access to API's. Any other hosts with other ip's, requesting for access, are not allowed.
This can be achieved by the variable ${request.tcp.remoteip}. This variable returns the ip address of the requester. You can build your logic accordingly.
Hope this helps.
Regards
Seenu Mathew