Forum Discussion

joopv
9 months ago
Solved

Public IP addresses used for API calls to my Meraki environment?

Hi all,

I would like to limit the API access to my Meraki environment. What public IP addresses does LM use to do the API calls to my Meraki environment?

  • That would be your collector egress addresses. Generally the only LM-originated access would be from the website check source addresses (documented in the support site).

8 Replies

  • Run this code on your collector debug console by issuing !groovy and pasting in the code. You don’t need to select a device:

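    // Ask an external echo service which public IP this collector egresses from
    ip = new URL("https://api.ipify.org").getText()
    if (ip) {
        // Print the result as a key=value pair
        println("public.ipaddress=${ip}")
        return 0
    } else {
        // Empty response: signal failure
        return 1
    }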

    For those paying attention, this is the basis for a really easy configsource that you can apply to all your collectors so you can see whenever it changes.

  • That will work for lots of folks, but there are also more complex systems out there handling Internet these days where your IP may be less predictable.  For example, I have clients on Cato Networks cloud-based SD-WAN where egress can be anywhere in their POP network depending on the target.  For those sorts of transport solutions, you can use rules to pin access to specific IP addresses, but by default you would have a hard time defining an allowlist on remote resources.  Even for a more common setup where you have dual ISPs in active/backup mode you can be surprised during an outage event.  Best to check with your IT team rather than use code like this or tools like ipchicken.com to figure it out yourself.
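An added example, not part of the thread and not LogicMonitor's code: a Python check meant to run on the collector host that samples the egress IP through the same api.ipify.org service, validates each reply, and reports any address the allowlist does not cover, which is the drift case described for dual-ISP and SD-WAN egress. The allowlist entries are constructed sample values and the function names are hypothetical.

```python
import ipaddress
import urllib.request

# Constructed sample allowlist (documentation ranges), standing in for the
# entries configured on the Meraki side.
ALLOWLIST = ["203.0.113.10/32", "198.51.100.0/28"]


def fetch_public_ip(url="https://api.ipify.org", timeout=5):
    """Return the raw body of the IP echo service used in the thread."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(64).decode("ascii", "replace")


def check_egress(allowlist, samples=3, fetch=fetch_public_ip):
    """Sample the egress IP several times and compare it with the allowlist.

    Returns (observed, uncovered): every distinct valid IP seen, and the
    subset that no allowlist entry covers.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    observed = set()
    for _ in range(samples):
        try:
            # Validate the reply: the echo service is outside your control.
            observed.add(ipaddress.ip_address(fetch().strip()))
        except (ValueError, OSError):
            continue  # bad reply or lookup failure: skip this sample
    uncovered = {ip for ip in observed
                 if not any(ip.version == n.version and ip in n for n in networks)}
    return sorted(observed, key=str), sorted(uncovered, key=str)


if __name__ == "__main__":
    seen, missing = check_egress(ALLOWLIST)
    for ip in seen:
        print(f"public.ipaddress={ip} allowlisted={ip not in missing}")
    # Non-zero exit when an egress IP is uncovered or no lookup succeeded.
    raise SystemExit(1 if missing or not seen else 0)
```

Run on a schedule, a non-zero exit shows that the collector's egress has moved outside the allowlist before the Meraki API starts rejecting its calls.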

  • No, those are used for website checks originating from LM systems.  API calls like those for Meraki originate from your collectors, which use your local Internet access path.

  • I think there is some miscommunication, or maybe I don't understand fully how LogicMonitor works.

    The Meraki sd-wan of the customer which I'm trying to make more secure is managed and monitored from the Cisco/Meraki dashboard.

    The API calls are made from <??> to this Meraki-hosted dashboard (api.meraki.com/…..) which has continuous overview of the whole sd-wan with several 1000's of devices.

    https://documentation.meraki.com/General_Administration/Other_Topics/Cisco_Meraki_Dashboard_API

    API calls are not made to the individual components or networks of the sd-wan but only to this api interface of the dashboard.

  • The question was “what IP addresses do I add in the Meraki allowlist to enable API access?”. The answer is “Yours”.  Access originates from your collectors not from LM-owned systems.

  • @mnagel is right.

    The API calls are made from <??> to this Meraki-hosted dashboard (api.meraki.com/…..) which has continuous overview of the whole sd-wan with several 1000's of devices.

    The <??> in your question is “the public IP address(es) of your collector(s) that the Meraki networks are assigned to”. Your collector reaches out to api.meraki.com with your creds to make the query and returns the data to the collector. The collector then ships that data back to the LM platform.