Configure API Protection Rules
Objective
This guide provides instructions on how to enable the API Protection Rules feature in an HTTP/HTTPS load balancer using F5® Distributed Cloud Console (Console). These rules provide you with configurable options to allow or block API endpoints from reaching your application. You can configure these rules using one of two methods (or categories): (1) configure rules using API path and methods, or (2) configure rules using API groups and server URLs. If a client request matches any rule created using the first category, then the second category rules are not evaluated.
Prerequisites
The following prerequisites apply:
- An F5® Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- An HTTP load balancer. See HTTP Load Balancer and vK8s Deployment for more information on load balancer and application deployment.
Configuration
Configure API protection rules using one of the two available methods.
Configure Rules Using Path and Methods
If you are configuring rules using API path and methods, perform the following:
Step 1: Log into Console and go to HTTP load balancer.
- From the Console homepage, click Multi-Cloud App Connect.
- Select your application namespace.
- Navigate to Manage > Multi-Cloud App Connect > HTTP Load Balancers.
- Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.
- Click the Edit Configuration option located in the top right corner of the form.
Step 2: Start configuring API protection rules.
- In the Security Configuration section, click Configure in the API Protection Rules field.
- Under the API Endpoints section, click Add Item.
- In the Name field, enter a name for this API protection rule.
- Under the Action section, select whether to Allow or Deny from the Action menu.
- In the API Endpoint section, enable the Show Advanced Fields section.
- From the Domain menu, select an option:
  - Any Domain: default option.
  - Specific Domain: enter the domain in the Specific Domain field.
- From the API Endpoint menu, select a specific API endpoint path. Click See Suggestions to display a suggested list of paths and endpoints.
Note: The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.
- Under the HTTP Methods section, select the methods for which the API protection rules are to be applied. You can select more than one method.
Note: If no HTTP methods are selected, all methods (ANY) are matched by default.
- Optionally, select the Invert Method Matcher option to invert the match result.
Step 3: Optionally, configure API request parameters.
In the Request subsection, perform the following:
- In the HTTP Query Parameters field, click Add Item. Follow the guided wizard to complete the match criteria for query parameters.
- In the HTTP Headers field, click Add Item. Follow the guided wizard to complete the match criteria for HTTP header parameters.
- In the Cookie Matchers field, click Add Item. Follow the guided wizard to complete the match criteria for web cookie parameters.
Step 4: Configure client match parameters.
- In the Clients section, enable the Show Advanced Fields section.
- From the Clients Selection menu, select which clients will match to this rule:
  - Any Client: Default option.
  - List of IP Threat Categories: Select clients based on known IP threat categories.
  - Group of Clients by Label Selector: Select clients based on label selectors and expressions.
- From the Source IPv4/Asn Match menu, select an option to match the client request from. Any Source IP is the default option. However, you can select an option to match by IPv4 prefix, IP prefix, ASN list, or BGP ASN sets.
- Optionally, configure the TLS fingerprint match parameters:
  - From the TLS fingerprint classes menu, select a TLS fingerprint class.
  - Under List of Exact Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected.
  Note: You can add a fingerprint using the List of Exact Values option even if no classes were selected from the TLS fingerprint classes menu.
  - Under List of Excluded Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.
- Click Add Item.
Step 5: Confirm rule order and save the new settings.
- Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.
- After you finish, click Apply.
Configure Rules Using Groups and Server URLs
If you are configuring rules using API groups and server URLs, perform the following:
Step 1: Log into Console and go to HTTP load balancer.
- From the Console homepage, click Multi-Cloud App Connect.
- Select your application namespace.
- Navigate to Manage > Multi-Cloud App Connect > HTTP Load Balancers.
- Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.
- Click the Edit Configuration option located in the top right corner of the form.
Step 2: Start configuring API protection rules.
- In the Security Configuration section, click Configure in the API Protection Rules field.
- Under the Server URLs and API Groups section, click Add Item.
- In the Name field, enter a name for this API protection rule.
- Under the Action section, select whether to Allow or Deny from the Action menu.
- From the Domain menu, select an option:
  - Any Domain: default option.
  - Specific Domain: enter the domain in the Specific Domain field.
- From the Base Path menu, select a server endpoint path. Click See Suggestions to display a suggested list of paths and endpoints.
- From the API Group menu, select the API group based on a previously configured API definition.
Note: The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.
Step 3: Configure client match parameters.
- In the Clients section, enable the Show Advanced Fields section.
- From the Clients Selection menu, select which clients will match to this rule:
  - Any Client: Default option.
  - List of IP Threat Categories: Select clients based on known IP threat categories.
  - Group of Clients by Label Selector: Select clients based on label selectors and expressions.
- Optionally, configure the TLS fingerprint match parameters:
  - From the TLS fingerprint classes menu, select a TLS fingerprint class.
  - Under List of Exact Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected.
  Note: You can add a fingerprint using the List of Exact Values option even if no classes were selected from the TLS fingerprint classes menu.
  - Under List of Excluded Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.
- Click Add Item.
Step 4: Confirm rule order and save the new settings.
- Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.
- After you finish, click Apply.
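The evaluation behavior this guide describes (path-and-method rules checked before group rules, an empty method selection meaning ANY, and Invert Method Matcher) can be modelled offline to sanity-check a planned rule set. This is an added example, not F5 code or the Console's API: all class, function and rule names and paths are constructed, and first-match in list order, exact path comparison, base-path prefix matching for API groups, and ignoring the invert flag when no method is selected are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass
class EndpointRule:                       # category 1: API path and methods
    name: str
    action: str                           # "Allow" or "Deny"
    path: str
    methods: frozenset = frozenset()      # nothing selected means ANY
    invert_methods: bool = False          # models Invert Method Matcher

    def matches(self, method: str, path: str) -> bool:
        if path != self.path:             # assumption: exact path comparison
            return False
        if not self.methods:              # ANY; assumption: invert ignored here
            return True
        return (method in self.methods) != self.invert_methods

@dataclass
class GroupRule:                          # category 2: API group and server URL
    name: str
    action: str
    base_path: str

    def matches(self, method: str, path: str) -> bool:
        base = self.base_path.rstrip("/") # assumption: group = base-path prefix
        return path == base or path.startswith(base + "/")

def evaluate(method, path, endpoint_rules, group_rules):
    """Return (action, rule name) of the deciding rule, or (None, None)."""
    for rule in endpoint_rules:           # category 1 is checked first, in order
        if rule.matches(method, path):
            return rule.action, rule.name # category 2 is never evaluated
    for rule in group_rules:
        if rule.matches(method, path):
            return rule.action, rule.name
    return None, None                     # no rule matched; outcome not modelled

# Constructed sample rules, in the order they would appear in the list.
ENDPOINT_RULES = [
    EndpointRule("allow-read-orders", "Allow", "/api/v1/orders", frozenset({"GET"})),
    EndpointRule("deny-write-orders", "Deny", "/api/v1/orders",
                 frozenset({"GET", "HEAD"}), invert_methods=True),
    EndpointRule("deny-debug", "Deny", "/api/v1/debug"),
]
GROUP_RULES = [GroupRule("deny-v1-group", "Deny", "/api/v1")]

if __name__ == "__main__":
    for req in [("GET", "/api/v1/orders"), ("DELETE", "/api/v1/orders"),
                ("HEAD", "/api/v1/orders"), ("PATCH", "/api/v1/debug"),
                ("GET", "/api/v1/users")]:
        print(req, "->", evaluate(*req, ENDPOINT_RULES, GROUP_RULES))
```

In this model the Allow endpoint rule decides `GET /api/v1/orders`, so the Deny group rule covering `/api/v1` is never consulted for that request; a broad group rule does not override a more specific endpoint rule that matches first.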