Configure API Protection Rules

Objective

This guide provides instructions on how to enable the API Protection Rules feature in an HTTP/HTTPS load balancer using F5® Distributed Cloud Console (Console). These rules give you configurable options to allow or block requests to API endpoints before they reach your application. You can configure rules using one of two methods (categories): (1) rules based on API endpoints, or (2) rules based on server URLs and API groups. If a client request matches any rule in the first category, the rules in the second category are not evaluated.


Prerequisites

The following prerequisites apply:


Configuration

Configure API protection rules using one of the two methods available.

Configure Rules Using API Endpoints

If you are configuring rules using API endpoints, perform the following:

Step 1: Navigate to load balancer.
  • From the Console homepage, click Multi-Cloud App Connect.
Figure: Homepage
  • Select your application namespace.

  • Navigate to Manage > Load Balancers > HTTP Load Balancers.

  • Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.

  • Click Edit Configuration in the top right corner of the form.

Step 2: Start configuring API protection rules.
  • In the API Protection section, click Configure in the API Protection Rules field.
Figure: Security Configuration Section
  • Under the API Endpoints section, click Configure.

  • Click Add Item.

Figure: API Endpoints Section
  • In the Name field, enter a name for this API protection rule.

  • Under the Action section, select whether to Allow or Deny from the Action menu.

Figure: Action Selection
  • In the API Endpoint section, enable the Show Advanced Fields option.

  • From the Domain menu, select an option:

    • Any Domain: default option.

    • Specific Domain: enter the domain in the Specific Domain field.

  • From the API Endpoint menu, select a specific API endpoint path. Click See Suggestions to display a suggested list of paths and endpoints.

Note: The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.

Figure: Path Selection
  • Under HTTP Methods, select from the Method List the HTTP methods to which this rule applies. You can select more than one method.

Note: If no HTTP methods are selected, all methods (ANY) are matched by default.

  • Optionally, select the Invert Method Matcher option to invert the match result, so that the rule matches every method except those selected.
Step 3: Optionally, configure API request parameters.

Perform the following:

  • In the HTTP Query Parameters field, click Add Item. Follow the guided wizard to complete the match criteria for query parameters.

  • In the HTTP Headers field, click Add Item. Follow the guided wizard to complete the match criteria for HTTP header parameters.

  • In the Cookie Matchers field, click Add Item. Follow the guided wizard to complete the match criteria for web cookie parameters.

Figure: Request Parameters
Step 4: Configure client match parameters.
  • In the Clients section, enable the Show Advanced Fields option.

  • From the Clients menu, select which clients will match to this rule:

    • Any Client: Default option.

    • List of IP Threat Categories: Select clients based on known IP threat categories.

    • Group of Clients by Label Selector: Select clients based on label selectors and expressions.

Figure: Client Selection
  • From the Source IPv4/Asn Match menu, select how the client's source address is matched. Any Source IP is the default option. Alternatively, you can match by IPv4 prefix, IP prefix, ASN list, or BGP ASN sets.

  • Optionally, configure the TLS fingerprint match parameters:

    • From the TLS fingerprint classes menu, select a TLS fingerprint class.

    • For the exact values, click Add Item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected. You can add a fingerprint option even if no classes were selected from the TLS fingerprint classes menu.

Figure: Fingerprint Selection
  • For the excluded values, click Add Item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.

  • Click Apply.

Step 5: Confirm rule order and save the new settings.
  • Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.

  • After you finish, click Apply.

Figure: Apply Protection Rule
  • Click Apply.

  • Click Save and Exit.


Configure Rules Using Server URLs and API Groups

If you are configuring rules using server URLs and API groups, perform the following:

Step 1: Navigate to load balancer.
  • From the Console homepage, click Multi-Cloud App Connect.
Figure: Homepage
  • Select your application namespace.

  • Navigate to Manage > Load Balancers > HTTP Load Balancers.

  • Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.

  • Click Edit Configuration in the top right corner of the form.

Step 2: Start configuring API protection rules.
  • In the API Protection section, click Configure in the API Protection Rules field.
Figure: Security Configuration Section
  • Under the Server URLs and API Groups section, click Configure.

  • Click Add Item.

  • In the Name field, enter a name for this API protection rule.

  • From the Action menu, select whether to Allow or Deny.

Figure: Action Selection
  • Under the API Group/Base Path section, enable the Show Advanced Fields option.

  • From the Domain menu, select an option:

    • Any Domain: default option.

    • Specific Domain: enter the domain in the Specific Domain field.

  • From the Base Path menu, select a server endpoint path. Click See Suggestions to display a suggested list of paths and endpoints.

  • From the API Group menu, select the API group based on a previously configured API definition. The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.

Figure: Path Selection
Step 3: Configure client match parameters.
  • In the Clients section, enable the Show Advanced Fields option.

  • From the Clients menu, select which clients will match to this rule:

    • Any Client: Default option.

    • List of IP Threat Categories: Select clients based on known IP threat categories.

    • Group of Clients by Label Selector: Select clients based on label selectors and expressions.

  • From the Source IP/Asn Match menu, select how the client's source address is matched. Any Source IP is the default option. Alternatively, you can match by IP prefix list, IP prefix sets, ASN list, or BGP ASN sets.

  • Optionally, configure the TLS fingerprint match parameters:

    • From the TLS fingerprint classes menu, select a TLS fingerprint class.

    • For the exact values, click Add Item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected. You can add a fingerprint option even if no classes were selected from the TLS fingerprint classes menu.

    • For the excluded values, click Add Item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.

  • Click Apply.

Figure: Fingerprint Selection
Step 4: Confirm rule order and save the new settings.
  • Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.

  • After you finish, click Apply.

Figure: Apply Protection Rule
  • Click Apply.

  • Click Save and Exit.
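The following Python is an added illustration, not code from this guide or from F5, that models the evaluation order described for both rule categories: first match wins, API endpoint rules are evaluated before server URL/API group rules, no selected methods means ANY, and Invert Method Matcher negates the method list. It is useful for reasoning about rule order before you apply a policy; the Rule and Request names, the sample policy, and the treatment of Invert Method Matcher together with ANY are assumptions.

```python
from dataclasses import dataclass

# Added model of the evaluation order this guide describes; it is not the F5
# Distributed Cloud rule engine, and these class/field names are assumptions.

@dataclass(frozen=True)
class Request:
    domain: str
    path: str
    method: str

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "Allow" or "Deny"
    path: str                         # API endpoint (exact) or base path (prefix)
    domain: str = ""                  # "" models "Any Domain"
    prefix: bool = False              # True for a server URL / API group rule
    methods: frozenset = frozenset()  # empty models ANY (no methods selected)
    invert_methods: bool = False      # "Invert Method Matcher"

    def matches(self, req: Request) -> bool:
        if self.domain and self.domain != req.domain:
            return False
        path_ok = req.path.startswith(self.path) if self.prefix else req.path == self.path
        if not path_ok:
            return False
        if not self.methods:          # no methods selected: every method matches
            return True               # (assumption: invert is ignored for ANY)
        hit = req.method in self.methods
        return (not hit) if self.invert_methods else hit

def evaluate(req, endpoint_rules, group_rules):
    """First match wins. Endpoint rules are checked first, in list order; only if
    none matches are the server URL / API group rules evaluated, as the guide states."""
    for rule in list(endpoint_rules) + list(group_rules):
        if rule.matches(req):
            return rule.action, rule.name
    return None                       # the guide does not state a default action

# Constructed sample policy; the endpoint rules carve out exceptions to the group rules.
ENDPOINT_RULES = [
    Rule("deny-user-delete", "Deny", "/api/v1/users", methods=frozenset({"DELETE"})),
    Rule("health-read-only", "Deny", "/api/v1/health",
         methods=frozenset({"GET", "HEAD"}), invert_methods=True),
    Rule("admin-status", "Allow", "/api/v1/admin/status", domain="admin.example.com"),
]
GROUP_RULES = [
    Rule("deny-admin", "Deny", "/api/v1/admin", prefix=True),
    Rule("allow-v1", "Allow", "/api/v1", prefix=True),
]
```

Swapping the two group rules shows why the rule-order check in the final step matters: the broad Allow would then shadow the admin Deny for every request the endpoint rules do not catch.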


Concepts