Layer7 API Management

  • 1.  Domain wide whitelisting

    Posted Mar 06, 2025 10:40 AM

    Dear All,

    Does anyone know whether the Layer7 gateway has any inbuilt assertion or custom way of doing domain whitelisting? IP trust is not a modern or cloud-native way of security when most things are controlled on a namespace.

    Any lead is highly appreciated. Thank you.



    ------------------------------
    [Application Architect]
    [Cargill Incorporated]
    [Singapore]
    ------------------------------


  • 2.  RE: Domain wide whitelisting
    Best Answer

    Broadcom Employee
    Posted Mar 06, 2025 06:19 PM

    Are you asking about CORS?  If so, this assertion does allow you to specify origin domains:  https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/policy-assertions/assertion-palette/access-control-assertions/process-cors-request-assertion.html

    If you want to restrict other requests by the source domain, I am sure it could be done in policy by either requiring that the client supply their source domain in a header, maintaining a mapping of IP ranges to domains locally on the gateway, or making an API call to a whois API source like https://ipwhois.io/ for a small fee.   Of course whois is not always accurate, especially if the traffic is coming from a shared datacenter or cloud provider, so it may be more trouble than it's worth.

    I hope this helps?




  • 3.  RE: Domain wide whitelisting

    Posted 6 days ago

    Yes, Layer7 does support domain-based filtering - though it's a bit indirect.

    You can enable reverse DNS lookups on the Listen Port by adding this in the Advanced tab:

    • Property Name: enableLookups

    • Value: true

    Once that's set, you can use ${request.tcp.remoteHost} to get the hostname (instead of just the IP from ${request.tcp.remoteIP}). You can then do a domain match using a "Compare Expression" or custom logic.

    That said - reverse DNS lookups can be slow or unreliable, especially in cloud-native environments. A cleaner and more predictable approach is to have clients pass their namespace, domain, or tenant ID in a custom HTTP header and validate that in the policy. Much simpler and aligns better with zero-trust/API gateway best practices.

    Also, if your use case involves browsers or cross-origin traffic - Layer7 has native support for CORS via the Process CORS Request Assertion.

    Docs:

    Hope that helps!
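Added example, not Layer7 policy and not code from either reply: the decision logic that replies #2 and #3 describe (a local IP-range-to-domain map, a hostname from reverse DNS standing in for ${request.tcp.remoteHost}, or a client-supplied domain header), written in Python so the matching rules can be run and tested outside the gateway. It also shows the one detail a "Compare Expression" suffix match needs to get right: the allowed domain must match on a label boundary, so "evilpartner.example" does not pass for "partner.example". The allowlist, IP ranges and the header name X-Tenant-Domain are constructed assumptions for the example.

```python
import ipaddress
from typing import Optional

# Constructed allowlist of trusted domains (assumed values, not from the thread).
ALLOWED_DOMAINS = {"partner.example", "internal.example.net"}

# Constructed local mapping of IP ranges to domains, the "maintain a mapping of
# IP ranges to domains locally on the gateway" option from reply #2.
IP_RANGE_TO_DOMAIN = [
    (ipaddress.ip_network("10.42.0.0/16"), "internal.example.net"),
    (ipaddress.ip_network("203.0.113.0/24"), "partner.example"),
]


def _under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label-boundary match)."""
    return host == domain or host.endswith("." + domain)


def domain_allowed(hostname: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Allowlist check for a hostname or domain.

    Normalises case and a trailing dot (reverse DNS often returns 'host.example.'),
    then matches on label boundaries so a plain endswith() bypass does not work.
    """
    host = hostname.strip().rstrip(".").lower()
    if not host:
        return False
    return any(_under(host, dom.lower()) for dom in allowed)


def domain_for_ip(ip: str) -> Optional[str]:
    """Domain the local range map attributes to this IP, or None if unmapped/invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, dom in IP_RANGE_TO_DOMAIN:
        if addr in net:
            return dom
    return None


def request_allowed(remote_ip: str, remote_host: str = "",
                    claimed_domain: str = "",
                    require_ip_corroboration: bool = True) -> bool:
    """Policy branch for a single request.

    remote_ip      stands for ${request.tcp.remoteIP}
    remote_host    stands for ${request.tcp.remoteHost} (reverse DNS, may be empty)
    claimed_domain stands for a client header such as X-Tenant-Domain (assumed name)

    The request passes when the domain it is attributed to is allowlisted and,
    if the IP falls in a locally mapped range, that range agrees with the claim.
    With require_ip_corroboration=True an IP outside every mapped range is
    rejected, because then the only evidence is reverse DNS or a client header,
    both of which the reply above describes as unreliable on their own.
    """
    candidate = (remote_host or claimed_domain).strip().rstrip(".").lower()
    if not domain_allowed(candidate):
        return False
    mapped = domain_for_ip(remote_ip)
    if mapped is None:
        return not require_ip_corroboration
    return _under(candidate, mapped.lower())


if __name__ == "__main__":
    # Constructed sample requests to illustrate the decision table.
    samples = [
        ("10.42.7.9", "api.internal.example.net.", ""),   # mapped range agrees
        ("203.0.113.5", "", "evilpartner.example"),         # suffix lookalike
        ("203.0.113.5", "", "internal.example.net"),        # claim contradicts map
        ("198.51.100.7", "partner.example", ""),            # unmapped source
    ]
    for ip, host, claim in samples:
        print(ip, host or claim, "->", request_allowed(ip, host, claim))
```

Used as a Compare Expression in policy, the same rule is "remote host equals the allowed domain, or ends with a dot followed by the allowed domain", never a bare "ends with" on the domain string.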