Offboarder

Authorized API Sources

Per-scope IP allowlists for non-portal API consumers

Authorized API Sources

Default-deny network gate for non-portal API consumers. Each scope has its own CIDR allowlist. Portal users authenticated via Entra are not gated by this list — they can reach portal endpoints from any IP. Agents are gated by mTLS (cert), not IP. The lists below apply to: HCM webhooks, manager email links, monitoring tools, and per-tenant CSV ingest sources. Any IP not on the relevant scope's list is blocked when STRICT_AUTH_ENABLED=true.

Network Layer (WAF) — primary ingest IP gate

Live state from the Front Door WAF policy. Matches on the real TCP source IP at the FD edge (NOT spoofable via X-Forwarded-For). Source of truth is Terraform; CIDR changes land via a PR opened from the “Request edit” button (coming in the follow-up UI PR).

Loading...

Application Layer — defense-in-depth (config/access/api-sources.json)

App-layer scope allowlists checked inside the Function App via _AUTH_INGEST / _AUTH_CONTRACTOR_INGEST / etc. Reads X-Forwarded-For — superseded as primary gate by the WAF panel above; kept for defense-in-depth.

Loading...