Are you trying to limit an API to internal only use? The “right” way to do this is to connect to the API over the internal private network.
When you enable public services on an app, you get a dedicated IP. The downside to this is that people like to crawl public IP space, so you get a bunch of garbage traffic like you’re seeing. It’s usually low impact, though.
You actually don’t need us to implement IP whitelisting though! You can run API requests through nginx and implement any kind of web filtering you’d like, including IP restrictions if that makes sense for your API. We’ve been meaning to do an example app with that config – we’re just a little overwhelmed and behind at all times these days. 