Configure API Protection Rules

• From the Console homepage, click Multi-Cloud App Connect.

• Select your application namespace.

• Navigate to Manage > Multi-Cloud App Connect > HTTP Load Balancers.

• Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.

• Click Edit Configuration option located in the top right corner of the form.

• In the Security Configuration section, click Configure in the API Protection Rules field.

• Under the API Endpoints section, click Add Item.

• In the Name field, enter a name for this API protection rule.

• Under the Action section, select whether to Allow or Deny from the Action menu.

• In the API Endpoint section, enable the Show Advanced Fields section.

• From the Domain menu, select an option:

  • Any Domain: default option.

  • Specific Domain: enter the domain in the Specific Domain field.

• From the API Endpoint menu, select a specific API endpoint path. Click See Suggestions to display suggested list of paths and endpoints.

Note: The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.

• Under the HTTP Methods section, select the methods for which the API protection rules are to be applied. You can select more than one method.

Note: If no HTTP methods are selected, then the behavior is that all methods (ANY) will be matched by default.

• Optionally, select the Invert Method Matcher option to invert the match result.

In the Request subsection perform the following:

• In the HTTP Query Parameters field, click Add Item. Follow the guided wizard to complete the match criteria for query parameters.

• In the HTTP Headers field, click Add Item. Follow the guided wizard to complete the match criteria for HTTP header parameters.

• In the Cookie Matchers field, click Add Item. Follow the guided wizard to complete the match criteria for web cookie parameters.

• In the Clients section, enable the Show Advanced Fields section.

• From the Clients Selection menu, select which clients will match to this rule:

  • Any Client: Default option.

  • List of IP Threat Categories: Select clients based on known IP threat categories.

  • Group of Clients by Label Selector: Select clients based on label selectors and expressions.

• From the Source IPv4/Asn Match menu, select an option to match the client request from. Any Source IP is the default option. However, you can select an option to match by IPv4 prefix, IP prefix, ASN list, or BGP ASN sets.

• Optionally, configure the TLS fingerprint match parameters:

  • From the TLS fingerprint classes menu, select a TLS fingerprint class.

  • Under List of Exact Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected.

Note: You can add a fingerprint using the List of Exact Values option even if no classes were selected from the TLS fingerprint classes menu.

• Under List of Excluded Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.

• Click Add Item.

• Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.

• After you finish, click Apply.

• From the Console homepage, click Multi-Cloud App Connect.

• Select your application namespace.

• Navigate to Manage > Multi-Cloud App Connect > HTTP Load Balancers.

• Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.

• Click Edit Configuration option located in the top right corner of the form.

• In the Security Configuration section, click Configure in the API Protection Rules field.

• Under the Server URLs and API Groups section, click Add Item.

• In the Name field, enter a name for this API protection rule.

• Under the Action section, select whether to Allow or Deny from the Action menu.

• From the Domain menu, select an option:

  • Any Domain: default option.

  • Specific Domain: enter the domain in the Specific Domain field.

• From the Base Path menu, select a server endpoint path. Click See Suggestions to display suggested list of paths and endpoints.

• From the API Group menu, select the API group based on a previously configured API definition.

Note: The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.

• In the Clients section, enable the Show Advanced Fields section.

• From the Clients Selection menu, select which clients will match to this rule:

  • Any Client: Default option.

  • List of IP Threat Categories: Select clients based on known IP threat categories.

  • Group of Clients by Label Selector: Select clients based on label selectors and expressions.

• Optionally, configure the TLS fingerprint match parameters:

  • From the TLS fingerprint classes menu, select a TLS fingerprint class.

  • Under List of Exact Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected.

Note: You can add a fingerprint using the List of Exact Values option even if no classes were selected from the TLS fingerprint classes menu.

• Under List of Excluded Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.

• Click Add Item.

• Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.

• After you finish, click Apply.