Compliance & Access Control

Configure IP restrictions, time-based access, and generate compliance reports for regulatory requirements

FlowGenX provides advanced compliance and access control features to help organizations meet regulatory requirements and enforce security policies through IP restrictions, time-based access controls, and automated compliance reporting.

Overview

Enterprise Compliance

Enforce security policies with IP allowlisting/blocklisting, time-based access windows, and automated compliance reporting for major regulatory standards.

The compliance system includes:

  1. IP-Based Access Control: Restrict API access by IP address or CIDR ranges
  2. Time-Based Access Control: Limit access to specific days and hours
  3. Compliance Reporting: SOC2, ISO27001, GDPR, HIPAA, PCI-DSS reports
  4. Security Audit Reports: Vulnerability scanning and recommendations

IP-Based Access Control

Control which IP addresses or networks can access your APIs at the group level.

Features

CIDR Notation Support

Supports both individual IP addresses and CIDR ranges (e.g., 192.168.1.0/24) for flexible network-based access control.

Capabilities:

  • IPv4 and IPv6 Support: Full support for both protocols
  • CIDR Ranges: Allow entire subnets (e.g., 192.168.1.0/24)
  • Individual IPs: Specify single addresses (e.g., 203.0.113.42)
  • Allow Lists: Only specified IPs can access (whitelist)
  • Deny Lists: Block specific IPs from accessing (blacklist)
  • Combined Rules: Use both allow and deny lists (deny takes precedence)
  • Real-time Validation: Validate IP/CIDR format as you type

Configuring IP Restrictions

Step 1: Navigate to IP Restrictions

  1. Go to ACL Management → Security → IP Rules
  2. View all groups and their IP restriction status
  3. Select a group to configure

Step 2: Enable IP Restrictions

  1. Click Configure or Edit for the group
  2. Toggle Enable IP Restrictions on
  3. The restriction panel will expand

Step 3: Add IP Addresses

Field             Description
IP Address/CIDR   Enter IP or CIDR notation (e.g., 192.168.1.100 or 10.0.0.0/8)
Type              Select Allow (whitelist) or Deny (blacklist)

  1. Enter IP address or CIDR range
  2. Select type (Allow or Deny)
  3. Click the + button to add
  4. IP is validated automatically:
    • ✓ Valid CIDR notation with IP count
    • ✗ Invalid format with error message

Step 4: Manage IP Lists

Allowed IPs (Whitelist):

  • Displays all allowed IP addresses/ranges
  • Shows count of IPs in each range
  • Remove individual entries with X button
  • Only these IPs can access APIs

Denied IPs (Blacklist):

  • Displays all blocked IP addresses/ranges
  • Shows count of IPs in each range
  • Remove individual entries with X button
  • These IPs are explicitly blocked

Step 5: Save Configuration

  1. Review allowed and denied IP lists
  2. Click Save Restrictions
  3. Changes apply immediately to all consumers in the group

IP Restriction Rules

Deny Takes Precedence

If an IP is in both allow and deny lists, the deny rule takes precedence and the request is blocked.

How IP Restrictions Work:

  1. Deny List Check: If IP is in deny list → Access denied
  2. Allow List Check: If IP is in allow list → Access granted
  3. No Allow List: If no allow list is configured → Access granted (open access: only the deny list applies, so every address not explicitly denied can reach the group's APIs)
  4. Allow List Exists: If allow list exists but IP not in it → Access denied

Supported Formats:

Format      Example          Description
IPv4        192.168.1.100    Single IPv4 address (auto-converted to /32)
IPv4 CIDR   192.168.1.0/24   IPv4 range (256 addresses in this example)
IPv6        2001:db8::1      Single IPv6 address (auto-converted to /128)
IPv6 CIDR   2001:db8::/32    IPv6 range
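The evaluation order and the address formats above are easy to get wrong when a group mixes allow and deny entries or IPv4 and IPv6. The following is an added example, not FlowGenX or Kong code: it models the rules as the page states them (deny list first, then allow list, empty allow list means open access, bare addresses become /32 or /128) using Python's standard ipaddress module. The assumption that a CIDR with host bits set (192.168.1.1/24) is rejected rather than silently normalised is mine, not the page's.

```python
"""Model of the IP allow/deny evaluation described above. Added example,
not FlowGenX or Kong code. Rule order follows the page: deny list first,
then allow list; an empty allow list means open access."""
from __future__ import annotations

import ipaddress
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_rule(text: str) -> Network:
    """Validate one allow/deny entry the way the UI describes: a bare address
    becomes a host network (/32 for IPv4, /128 for IPv6); a CIDR entry must be
    well formed. Assumption: host bits set in a CIDR (192.168.1.1/24) is an
    error rather than being normalised. Raises ValueError with a readable message."""
    text = text.strip()
    try:
        if "/" in text:
            return ipaddress.ip_network(text, strict=True)
        addr = ipaddress.ip_address(text)
        return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    except ValueError as exc:
        raise ValueError(f"invalid IP/CIDR {text!r}: {exc}") from None


def is_valid_rule(text: str) -> bool:
    """The green tick / red cross the UI shows while you type."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def address_count(rule: str) -> int:
    """The 'IP count' shown beside a validated entry (256 for a /24)."""
    return parse_rule(rule).num_addresses


def _matches(ip: Address, rules: list[Network]) -> bool:
    # An IPv4 client never matches an IPv6 rule and vice versa.
    return any(ip.version == rule.version and ip in rule for rule in rules)


def evaluate_ip(client_ip: str, allow: Iterable[str], deny: Iterable[str]) -> tuple[bool, str]:
    """Return (granted, reason) for one request, in the page's order:
    1. in deny list          -> denied
    2. no allow list at all  -> granted (open access, only the deny list applies)
    3. allow list configured -> granted if listed, otherwise denied."""
    ip = ipaddress.ip_address(client_ip)
    deny_rules = [parse_rule(d) for d in deny]
    allow_rules = [parse_rule(a) for a in allow]
    if _matches(ip, deny_rules):
        return False, "IP Restriction: address is in the deny list"
    if not allow_rules:
        return True, "no allow list configured (open access)"
    if _matches(ip, allow_rules):
        return True, "address is in the allow list"
    return False, "IP Restriction: allow list configured and address not in it"


if __name__ == "__main__":
    # The three use cases from the page, plus deny-beats-allow.
    print(evaluate_ip("203.0.113.42", ["203.0.113.0/24"], []))
    print(evaluate_ip("198.51.100.5", [], ["198.51.100.42", "198.51.100.43"]))
    print(evaluate_ip("203.0.113.42", ["203.0.113.0/24"], ["203.0.113.42"]))
```

Whatever evaluates the rules must see the real client address: if the gateway sits behind a load balancer or CDN, the address it receives is the proxy's unless the proxy's forwarded-for header is trusted deliberately, and that is the first thing to check when an allowlisted partner reports being blocked.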

Common Use Cases

Corporate Network Access:

Allow: 203.0.113.0/24 (company office network)
Deny: (none)
Result: Only office network can access

Block Malicious IPs:

Allow: (none - open access)
Deny: 198.51.100.42, 198.51.100.43
Result: All IPs except blocked ones can access

Partner Integration:

Allow: 198.51.100.0/28 (partner network)
Allow: 203.0.113.50 (partner VPN)
Deny: (none)
Result: Only partner networks can access

Best Practices

✓ Use CIDR notation for network ranges instead of individual IPs
✓ Document IP purposes in group descriptions
✓ Regularly review and remove outdated IP restrictions
✓ Test IP restrictions in dev/staging before production
✓ Use allow lists for sensitive APIs (default deny)
✓ Monitor denied requests from IP restrictions
✓ Keep partner IP allowlists up to date


Time-Based Access Control

Restrict API access to specific days of the week and hours of the day.

Features

Scheduled Access Windows

Configure business hours, maintenance windows, or compliance-required access schedules with timezone support.

Capabilities:

  • Day Selection: Choose specific days of the week
  • Time Windows: Set start and end times (24-hour format)
  • Timezone Support: Configure timezone-aware schedules
  • Group-Level Control: Apply to all consumers in a group
  • Real-time Enforcement: Access denied outside configured windows

Configuring Time Restrictions

Step 1: Navigate to Time Restrictions

  1. Go to ACL Management → Security → Time Rules
  2. View all groups and their time restriction status
  3. Select a group to configure

Step 2: Enable Time Restrictions

  1. Click Configure or Edit for the group
  2. Toggle Enable Time Restrictions on
  3. The restriction panel will expand

Step 3: Select Days of Week

  • Click day buttons to select/deselect
  • Selected days are highlighted in cyan
  • Common presets:
    • Weekdays: Mon-Fri
    • Weekend: Sat-Sun
    • Every Day: All seven days

Step 4: Set Time Window

Field        Description
Start Time   Beginning of access window (24-hour format)
End Time     End of access window (24-hour format)
Timezone     Timezone for schedule evaluation

Available Timezones:

  • America/New_York (EST/EDT)
  • America/Chicago (CST/CDT)
  • America/Denver (MST/MDT)
  • America/Los_Angeles (PST/PDT)
  • America/Phoenix (MST - no DST)
  • Europe/London (GMT/BST)
  • Europe/Paris (CET/CEST)
  • Asia/Tokyo (JST)
  • Asia/Shanghai (CST, China Standard Time; not the same CST as America/Chicago)
  • Australia/Sydney (AEDT/AEST)
  • UTC (Coordinated Universal Time)

Step 5: Review Schedule

The Schedule Preview shows:

Access allowed: Mon, Tue, Wed, Thu, Fri • 09:00 - 17:00 (America/New_York)

Step 6: Save Configuration

  1. Review the schedule preview
  2. Click Save Restrictions
  3. Changes apply immediately

Time Restriction Rules

How Time Restrictions Work:

  1. Request arrives at gateway
  2. Current time converted to group's configured timezone
  3. Day of week checked against allowed days
  4. Time checked against start/end window
  5. If both match → Access granted
  6. If either doesn't match → Access denied

Edge Cases:

  • Midnight Crossing: End time before start time creates overnight window
    • Example: 22:00 - 06:00 = 10pm to 6am next day
    • The day check and the time check are applied separately (steps 3 and 4 above), so test how a request after midnight is treated on a day that is not selected (e.g., Saturday 02:00 for a Mon-Fri 18:00 - 08:00 window) before relying on an overnight schedule at a week boundary
  • No Days Selected: All requests denied
  • Same Start/End Time: Creates 24-hour window (all day)
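The steps and edge cases above are simple individually but interact with timezones and daylight saving time in ways that only show up at the boundaries. The following is an added example, not FlowGenX or Kong code: it implements the evaluation as the page describes it with Python's zoneinfo, and demonstrates that the same UTC instant is inside a 09:00 - 17:00 America/New_York window in January and outside it in July. Two details are my assumptions because the page does not state them: the end time is exclusive, and the weekday check uses the local day on which the request arrives (so an overnight Mon-Fri window does not extend into early Saturday).

```python
"""Model of the time-window evaluation described above. Added example, not
FlowGenX or Kong code. Steps follow the page: convert the request time to the
group's timezone, check the weekday, check the clock time against the window.
Edge cases as stated on the page: end before start wraps past midnight, equal
start and end means all day, no days selected denies everything."""
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # index = datetime.weekday()


def in_window(now: time, start: time, end: time) -> bool:
    """True if clock time `now` lies in the window.
    Assumption: the end is exclusive, so 09:00-17:00 stops at 16:59:59."""
    if start == end:                      # same start/end => full 24 hours
        return True
    if start < end:                       # ordinary daytime window
        return start <= now < end
    return now >= start or now < end      # crosses midnight, e.g. 22:00-06:00


def evaluate_time(request_utc: datetime, days: set, start: str, end: str, tz: str) -> tuple:
    """Return (granted, reason). `request_utc` must be timezone-aware, `days`
    holds names from DAY_NAMES, `start`/`end` are "HH:MM" (24-hour), `tz` is an
    IANA zone name such as those listed on the page."""
    if request_utc.tzinfo is None:
        raise ValueError("request time must be timezone-aware")
    local = request_utc.astimezone(ZoneInfo(tz))   # step 2: group's timezone
    clock = local.strftime("%H:%M")
    if not days:
        return False, "Time Restriction: no days selected, all requests denied"
    day = DAY_NAMES[local.weekday()]
    # Assumption: the weekday check uses the local day the request arrives,
    # so an overnight Mon-Fri window does not reach into early Saturday.
    # The page does not specify this; verify it on your deployment.
    if day not in days:                             # step 3
        return False, f"Time Restriction: {day} is not an allowed day ({tz})"
    if not in_window(local.time(), time.fromisoformat(start), time.fromisoformat(end)):
        return False, f"Time Restriction: {clock} {tz} is outside {start}-{end}"  # step 4
    return True, f"allowed: {day} {clock} {tz} is inside {start}-{end}"


if __name__ == "__main__":
    weekdays = {"Mon", "Tue", "Wed", "Thu", "Fri"}
    # Same UTC instant, different answers because of daylight saving time:
    # 21:30 UTC is 16:30 EST in January but 17:30 EDT in July.
    for stamp in (datetime(2025, 1, 15, 21, 30, tzinfo=timezone.utc),
                  datetime(2025, 7, 16, 21, 30, tzinfo=timezone.utc)):
        print(stamp, evaluate_time(stamp, weekdays, "09:00", "17:00", "America/New_York"))
```

The January/July pair is the case the "Account for daylight saving time" best practice refers to: a client that schedules its batch job in UTC will start failing for one hour a day when the clocks change, unless the group uses a fixed-offset zone such as UTC or America/Phoenix.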

Common Use Cases

Business Hours Only:

Days: Mon, Tue, Wed, Thu, Fri
Time: 09:00 - 17:00
Timezone: America/New_York
Result: Access only during weekday business hours

Maintenance Window Access:

Days: Sun
Time: 02:00 - 06:00
Timezone: UTC
Result: Access allowed only during the Sunday maintenance window (for example, for an operations group that should reach the API at no other time). A time restriction defines when access is allowed, not when it is blocked, so this schedule does not carve the window out of an otherwise open week; a group with one day set and one time window cannot express "every time except Sunday 02:00 - 06:00".

24/7 Weekday Access:

Days: Mon, Tue, Wed, Thu, Fri
Time: 00:00 - 23:59 (or 00:00 - 00:00, which the Edge Cases above define as a full 24-hour window)
Timezone: UTC
Result: Any time on weekdays, blocked on weekends

After-Hours Only:

Days: Mon, Tue, Wed, Thu, Fri
Time: 18:00 - 08:00
Timezone: America/Los_Angeles
Result: Access only outside business hours (overnight)

Best Practices

✓ Align timezone with your business location
✓ Account for daylight saving time in timezone selection
✓ Test time restrictions before production deployment
✓ Document business reasons in group description
✓ Use UTC for globally distributed teams
✓ Monitor denied requests for time violations
✓ Consider maintenance windows when setting schedules


Compliance Reporting

Generate comprehensive compliance reports for regulatory standards.

Supported Standards

Multiple Frameworks

Generate reports for SOC2, ISO27001, GDPR, HIPAA, and PCI-DSS compliance requirements.

Standard   Full Name                                              Focus Area
SOC2       System and Organization Controls 2 (formerly Service Organization Control 2)   Security, availability, processing integrity, confidentiality, privacy (the Trust Services Criteria)
ISO27001   ISO/IEC 27001                                          Information security management
GDPR       General Data Protection Regulation                     Data privacy and protection (EU)
HIPAA      Health Insurance Portability and Accountability Act    Healthcare data protection (US)
PCI-DSS    Payment Card Industry Data Security Standard           Payment card data security

Generating Compliance Reports

  1. Navigate to ACL Management → Operations → Reports
  2. Select Compliance Report tab
  3. Choose compliance standard from dropdown
  4. Click Generate Report
  5. Review report sections:

Report Components:

Section                  Description
Compliance Score         Overall percentage (0-100%)
Compliant Controls       Number of controls meeting requirements
Non-Compliant Controls   Number of failing controls
Control Details          Specific requirements and status
Recommendations          Actions to improve compliance
Risk Assessment          High/medium/low risk findings

Compliance Report Contents

Access Control Evaluation:

  • Authentication mechanisms (API Keys, OAuth)
  • Authorization controls (ACL groups, permissions)
  • Credential management practices
  • Multi-factor authentication status

Data Protection:

  • Encryption in transit (HTTPS enforcement)
  • Encryption at rest (data storage)
  • Data retention policies
  • Privacy controls

Audit & Monitoring:

  • Access logging coverage
  • Log retention periods
  • Security event monitoring
  • Incident response procedures

Network Security:

  • IP restriction coverage
  • Firewall rules
  • DDoS protection
  • Network segmentation

Identity Management:

  • User provisioning/deprovisioning
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Access review processes

Security Audit Reports

Identify vulnerabilities and get remediation recommendations.

Generate Security Audit:

  1. Go to Reports → Security Audit Report
  2. Click Generate Report
  3. Review findings:

Report Sections:

Section              Content
Security Score       Overall security posture (0-100)
Vulnerabilities      Identified security issues
Severity Levels      Critical, high, medium, low
Affected Resources   Groups, consumers, routes impacted
Recommendations      Step-by-step remediation guidance
Risk Assessment      Business impact analysis

Common Findings:

  • Expired API keys not rotated
  • Consumers without group assignments
  • Overly permissive group permissions
  • Missing IP restrictions on sensitive routes
  • No time restrictions for external access
  • Weak credential management
  • Insufficient audit logging
  • Missing encryption enforcement

Access Pattern Analysis

Reports include access pattern analysis:

Pattern Detection:

  • Normal Patterns: Expected access behavior
  • Anomalous Patterns: Unusual activity requiring review
  • Risk Levels: Low, medium, high risk classification
  • Frequency Analysis: Request patterns over time
  • Source Analysis: Geographic and network source patterns

Risk Indicators:

Risk Level   Indicators
Low          Expected access during business hours from known IPs
Medium       Access from new IPs or outside normal hours
High         Repeated failures, suspicious patterns, blocked access attempts

Exporting Reports

Export Options:

  1. JSON Format: Programmatic access for integrations
  2. PDF Format: Human-readable for audit purposes
  3. CSV Format: Data analysis in spreadsheets

Export Process:

  1. Generate desired report
  2. Click Export button
  3. Select format (JSON/PDF/CSV)
  4. Download file
  5. Store securely for compliance records

Compliance Best Practices

✓ Generate compliance reports monthly
✓ Address non-compliant controls within SLA
✓ Document remediation actions
✓ Review security audit findings weekly
✓ Export and archive reports for auditors
✓ Track compliance score trends over time
✓ Assign owners to remediation tasks
✓ Implement continuous monitoring


Combined Security Controls

Combine IP restrictions, time restrictions, and compliance monitoring for defense-in-depth.

Example: PCI-DSS Compliant API

Requirements:

  • Access only from verified networks
  • Access only during business hours
  • Full audit logging
  • Quarterly compliance reports

Configuration:

Step 1: Create Compliant Group

Group: pci-payment-processors
Description: PCI-DSS compliant access for payment processing

Step 2: Configure IP Restrictions

Allow IPs:
  - 203.0.113.0/24 (payment processor network)
  - 198.51.100.50/32 (backup processor)
Deny IPs: (none)

Step 3: Configure Time Restrictions

Days: Mon-Fri
Time: 06:00 - 22:00
Timezone: America/New_York

Step 4: Enable Audit Logging

  • All requests logged
  • Denied requests tracked
  • Export logs monthly

Step 5: Generate Compliance Reports

  • Monthly PCI-DSS compliance report (exceeds the quarterly requirement listed above)
  • Review and remediate findings
  • Export for compliance records

Monitoring & Enforcement

Real-Time Enforcement

All restrictions are enforced in real-time:

  1. Request arrives at Kong API Gateway
  2. Consumer identity verified (API key/OAuth token)
  3. Consumer's group restrictions retrieved
  4. IP address checked against allow/deny lists
  5. Current time checked against time windows
  6. If all pass → Request forwarded to backend
  7. If any fail → 403 Forbidden response
  8. All decisions logged for audit

Denied Request Tracking

Monitor restriction violations:

  • Access Logs: Filter by "Access Granted = false"
  • Denial Reasons: "IP Restriction" or "Time Restriction"
  • Consumer Analysis: Which consumers are being blocked
  • Pattern Detection: Unusual access attempts
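The denial tracking described above is where IP and time restrictions pay off operationally, and the analysis is simple enough to script against an exported log. The following is an added example, not FlowGenX code: it parses a small constructed log in which each entry carries the access-granted flag and the "IP Restriction" / "Time Restriction" denial reason the page mentions, summarises denials per reason, consumer and source address, and flags the "spike in IP restriction violations" alert case with a sliding-window count. The JSON Lines layout and field names are my assumption for the example; FlowGenX's real export format is not documented on this page.

```python
"""Added example (not FlowGenX code): triaging restriction denials from an
exported access log. The JSON Lines layout and field names are an assumption
for this example; the log below is constructed, not captured from a gateway."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: partner-a's credential is used from an address outside its
# allowlist five times in ten seconds (a leaked key or a scan), plus one stray
# IP denial for partner-b and one after-hours attempt from partner-a's real address.
SAMPLE_LOG = """\
{"ts":"2025-07-16T13:00:01Z","consumer":"partner-a","client_ip":"198.51.100.7","granted":true,"reason":""}
{"ts":"2025-07-16T13:00:03Z","consumer":"partner-a","client_ip":"198.51.100.7","granted":true,"reason":""}
{"ts":"2025-07-16T13:00:05Z","consumer":"partner-a","client_ip":"203.0.113.9","granted":false,"reason":"IP Restriction"}
{"ts":"2025-07-16T13:00:06Z","consumer":"partner-a","client_ip":"203.0.113.9","granted":false,"reason":"IP Restriction"}
{"ts":"2025-07-16T13:00:08Z","consumer":"partner-a","client_ip":"203.0.113.9","granted":false,"reason":"IP Restriction"}
{"ts":"2025-07-16T13:00:11Z","consumer":"partner-a","client_ip":"203.0.113.9","granted":false,"reason":"IP Restriction"}
{"ts":"2025-07-16T13:00:15Z","consumer":"partner-a","client_ip":"203.0.113.9","granted":false,"reason":"IP Restriction"}
{"ts":"2025-07-16T13:05:00Z","consumer":"partner-b","client_ip":"192.0.2.4","granted":false,"reason":"IP Restriction"}
{"ts":"2025-07-16T23:10:00Z","consumer":"partner-a","client_ip":"198.51.100.7","granted":false,"reason":"Time Restriction"}
"""


def parse_log(text: str) -> list:
    """Parse JSON Lines into dicts, converting `ts` to an aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def summarize_denials(records: list) -> dict:
    """Denied requests (the page's 'Access Granted = false' filter) counted by
    reason, by (consumer, reason) and by source address."""
    by_reason, by_consumer, by_ip = Counter(), Counter(), Counter()
    for rec in records:
        if rec["granted"]:
            continue
        by_reason[rec["reason"]] += 1
        by_consumer[(rec["consumer"], rec["reason"])] += 1
        by_ip[rec["client_ip"]] += 1
    return {"by_reason": by_reason, "by_consumer": by_consumer, "by_ip": by_ip}


def ip_denial_spikes(records: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Source addresses with at least `threshold` IP-restriction denials inside
    any `window_seconds` span: the 'spike in IP restriction violations' alert.
    Two-pointer sweep over each source's sorted timestamps."""
    per_ip = defaultdict(list)
    for rec in records:
        if not rec["granted"] and rec["reason"] == "IP Restriction":
            per_ip[rec["client_ip"]].append(rec["ts"])
    span = timedelta(seconds=window_seconds)
    spikes = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        left, best = 0, 0
        for right, stamp in enumerate(stamps):
            while stamp - stamps[left] > span:   # drop timestamps older than the window
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            spikes.append((ip, best))
    return sorted(spikes, key=lambda item: -item[1])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize_denials(recs)["by_reason"])
    print(ip_denial_spikes(recs))
```

A consumer whose requests succeed from its allowlisted address while the same credential is denied from an unknown one, as partner-a is here, is a credential-leak signal rather than a misconfiguration, and the IP restriction is what kept it from becoming an incident; the single Time Restriction denial at 23:10 UTC is what an after-hours attempt looks like in the same log.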

Alerts & Notifications

Set up alerts for:

  • Spike in IP restriction violations (potential attack)
  • Time restriction violations outside windows
  • Compliance score drops below threshold
  • Critical security findings in audit reports
  • New vulnerabilities discovered

Troubleshooting

IP Restriction Issues

Problem: Legitimate requests being blocked

Solutions:

  1. Verify the client IP address as the gateway sees it (check access logs); behind a load balancer or CDN the logged address may be the proxy's, not the client's
  2. Confirm IP in allow list with correct CIDR
  3. Check for deny list entries blocking the IP (deny takes precedence over allow)
  4. Check the address family: an IPv6 client is not matched by an IPv4 rule, and vice versa
  5. Verify no typos in IP addresses

Problem: IP restrictions not working

Solutions:

  1. Confirm restrictions are enabled for the group
  2. Verify consumer is assigned to the group
  3. Check Kong gateway sync status
  4. Review restriction configuration
  5. Test with known allowed/denied IPs

Time Restriction Issues

Problem: Access denied during allowed hours

Solutions:

  1. Verify the group's timezone is the one the schedule was written for (the window is evaluated in the group's timezone, not the client's)
  2. Check the gateway's clock is correct (NTP-synchronised); evaluation uses gateway time, not the client's
  3. Confirm the day of week selection includes today in the group's timezone
  4. Review start/end time for midnight crossings
  5. If consumers are globally distributed, test a request at each region's local time

Problem: Access allowed outside configured window

Solutions:

  1. Confirm time restrictions are enabled
  2. Verify no multiple groups with conflicting rules
  3. Check for midnight crossing creating unintended window
  4. Review timezone and DST settings
  5. Test restriction immediately after saving

Compliance Report Issues

Problem: Low compliance score

Solutions:

  1. Review non-compliant controls in report
  2. Follow remediation recommendations
  3. Implement missing security controls
  4. Update configurations to meet requirements
  5. Re-generate report to verify improvements

Problem: Cannot generate report

Solutions:

  1. Check backend service health
  2. Verify sufficient data for analysis
  3. Try different compliance standard
  4. Review error messages
  5. Contact support with error details
