IP Allow List and broken Integrations

The new IP Allow listing has broken our integrations. It’s clear that you cannot make this a requirement for API keys. It is impossible to keep track of and approve all the IP addresses and requests that get generated from these software partners.

We need a way to disable Allow Listing for API Keys immediately! Without this critical change, we will have to disable the security feature or disable our integrations.

Also, it would help if we had a label field next to each IP we are whitelisting.

Good intentions but we need some changes quickly.

2 Likes

Agree 100%!! Labels would be great, CIDR notation even better. Also, vendors like IT Glue don’t seem to post their API IPs. Also, the Azure integration: no idea where to even find those, since it’s part of Syncro.

It’s crazy that this is all or nothing…

Hey everyone. So first I wanted to point out that the new implementation does support CIDR notation, so you can support large ranges of IPs if need be. That said, we hear you. I just spoke with the Product team and they are going to be adding a checkbox that will allow your API integrations to ignore the IP allow listing if you so choose.

I don’t have an eta for you, but it should be relatively soon. I hope this helps.

1 Like

The design of this feature should have been where each user or API login has a separate ACL. This was poorly thought out in the design process.

We supported IP allow lists for a long time, with the exception of global admins, which was a security hole. That hole has now been addressed. I disagree that this was poorly thought out.

The reason that we included API calls behind the allowlist is because API calls only require the token to authenticate with MFA and can open a large security hole with the access they possess. Many integrations ask for large amounts of permissions, so you are required to give access to everything. If one of your integrations were to be breached and the API token stolen, someone could act as that integration to do nefarious things to your environment. We attempted to make this easy by allowing CIDR notation and approval via email, but we understand that some of you would prefer to keep API access to your environment open to any IPs. As Andy said, we will be making this an optional choice for people to enable or disable going forward; however, we do suggest that you attempt to lock down access to your account as much as possible to limit your attack surface.

+1 for labels next to the IPs.
Also, can we please look at ways to limit the amount of emails admins receive for failed log-in attempts, or filter them to a specific mailbox? Currently, all admins receive these emails every time something as simple as the VPN cutting out briefly for a user, or a user forgetting to check that they are connected to the VPN before logging in, happens. This is inundating our inboxes daily and already causing fatigue for real alerts.

I appreciate that you are looking into it so quickly but this has been highly disruptive. I called several of our integration vendors and they don’t even know what IP addresses are used for the API Calls.

Also, our Office 365 calendars are broken. The integration does not have a traditional API key, so that’s something to think about. This change is so disruptive that I will have to make the decision to remove the security feature altogether if we don’t have a quick solution.

Can you provide a timeline for addressing the issues?

We have released the update for API Requests to be excluded from the allowlist if you would like. To disable it, you can go to https://admin.syncromsp.com/settings/ip_allowlist and toggle Users / API Requests individually, depending on what you would like to enable / disable.

1 Like
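The staff replies above explain why API calls were put behind the allow list (a stolen token would otherwise be usable from anywhere) and that enforcement can now be toggled separately for Users and API Requests. The following is an added illustration, not Syncro’s code and not tied to how the product implements the feature: a small Python model of an allow list with labelled CIDR entries (the label column several posters asked for) and per-request-class enforcement flags, run over a few constructed requests to show what each toggle setting lets through. The class names, the `"user"` / `"api"` request kinds and the sample addresses are all assumptions made for the example.

```python
"""Labelled CIDR allow list with per-request-class enforcement (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AllowEntry:
    """One allow-list row: a CIDR block plus a human-readable label."""
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    label: str


@dataclass
class AllowListPolicy:
    """Allow list whose enforcement can be switched per request class.

    The two classes ("user" and "api") mirror the Users / API Requests toggles
    described in the thread; the data layout itself is an assumption.
    """
    entries: list[AllowEntry] = field(default_factory=list)
    enforce_for: dict[str, bool] = field(
        default_factory=lambda: {"user": True, "api": True}
    )

    def add(self, cidr: str, label: str) -> None:
        # strict=False accepts host bits set in the CIDR, e.g. "203.0.113.10/24".
        self.entries.append(AllowEntry(ipaddress.ip_network(cidr, strict=False), label))

    def match(self, source_ip: str) -> str | None:
        """Return the label of the first entry containing source_ip, else None."""
        addr = ipaddress.ip_address(source_ip)
        for entry in self.entries:
            # Membership across IP versions is False, so v4/v6 mixing is safe.
            if addr in entry.network:
                return entry.label
        return None

    def decide(self, source_ip: str, request_kind: str) -> tuple[bool, str]:
        """Return (allowed, reason) for one request."""
        if request_kind not in self.enforce_for:
            raise ValueError(f"unknown request kind: {request_kind!r}")
        if not self.enforce_for[request_kind]:
            return True, f"allow list not enforced for {request_kind} requests"
        label = self.match(source_ip)
        if label is None:
            return False, f"{source_ip} is not in the allow list"
        return True, f"{source_ip} matched '{label}'"


def build_sample_policy() -> AllowListPolicy:
    """Constructed allow list using documentation address ranges."""
    policy = AllowListPolicy()
    policy.add("203.0.113.0/24", "HQ office egress")
    policy.add("198.51.100.0/26", "Integration vendor (published range)")
    return policy


# Constructed requests: (source IP, request kind, description).
SAMPLE_REQUESTS = [
    ("203.0.113.10", "user", "user login from the office"),
    ("192.0.2.55", "user", "user login from home without VPN"),
    ("198.51.100.20", "api", "API call from the vendor's published range"),
    ("192.0.2.200", "api", "API call from unpublished vendor IP"),
]


def denied_requests(policy: AllowListPolicy, requests) -> list[str]:
    """Return the descriptions of the requests the policy would reject."""
    return [desc for ip, kind, desc in requests if not policy.decide(ip, kind)[0]]


if __name__ == "__main__":
    policy = build_sample_policy()
    for ip, kind, desc in SAMPLE_REQUESTS:
        allowed, reason = policy.decide(ip, kind)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {desc}: {reason}")
    # Flip the API toggle off, as the release in the last post allows.
    policy.enforce_for["api"] = False
    print("With API enforcement off, denied:", denied_requests(policy, SAMPLE_REQUESTS))
```

With both toggles on, the home login and the API call from an unpublished vendor address are both rejected; turning off enforcement for `"api"` admits every API call while still holding user logins to the list, which is the trade-off the staff reply describes when it suggests keeping access as tight as your integrations allow.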