Configure API Protection Rules

Objective

This guide provides instructions on how to enable the API Protection Rules feature in an HTTP/HTTPS load balancer using F5® Distributed Cloud Console (Console). These rules give you configurable options to allow or block API endpoints from reaching your application. You can configure them using one of two methods (categories): (1) rules based on API path and methods, or (2) rules based on API groups and server URLs. If a client request matches any rule from the first category, the rules in the second category are not evaluated.


Prerequisites

The following prerequisites apply:


Configuration

Configure API protection rules using one of the two methods available.

Configure Rules Using Path and Methods

If you are configuring rules using API path and methods, perform the following:

Step 1: Log into Console and go to HTTP load balancer.
  • From the Console homepage, click Multi-Cloud App Connect.

Figure: Homepage

  • Select your application namespace.

  • Navigate to Manage > Multi-Cloud App Connect > HTTP Load Balancers.

  • Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.

  • Click the Edit Configuration option located in the top right corner of the form.

Step 2: Start configuring API protection rules.
  • In the Security Configuration section, click Configure in the API Protection Rules field.

Figure: Security Configuration Section

  • Under the API Endpoints section, click Add Item.

Figure: API Endpoints Section

  • In the Name field, enter a name for this API protection rule.

  • Under the Action section, select whether to Allow or Deny from the Action menu.

Figure: Action Selection

  • In the API Endpoint section, enable the Show Advanced Fields section.

  • From the Domain menu, select an option:

    • Any Domain: default option.

    • Specific Domain: enter the domain in the Specific Domain field.

  • From the API Endpoint menu, select a specific API endpoint path. Click See Suggestions to display a suggested list of paths and endpoints.

Figure: Path Selection

Note: The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.

  • Under the HTTP Methods section, select the methods for which the API protection rules are to be applied. You can select more than one method.

Note: If no HTTP methods are selected, then the behavior is that all methods (ANY) will be matched by default.

  • Optionally, select the Invert Method Matcher option to invert the match result.

Step 3: Optionally, configure API request parameters.

In the Request subsection perform the following:

  • In the HTTP Query Parameters field, click Add Item. Follow the guided wizard to complete the match criteria for query parameters.

  • In the HTTP Headers field, click Add Item. Follow the guided wizard to complete the match criteria for HTTP header parameters.

  • In the Cookie Matchers field, click Add Item. Follow the guided wizard to complete the match criteria for web cookie parameters.

Figure: Request Parameters

Step 4: Configure client match parameters.
  • In the Clients section, enable the Show Advanced Fields section.

  • From the Clients Selection menu, select which clients this rule matches:

    • Any Client: Default option.

    • List of IP Threat Categories: Select clients based on known IP threat categories.

    • Group of Clients by Label Selector: Select clients based on label selectors and expressions.

Figure: Client Selection

  • From the Source IPv4/Asn Match menu, select the source that client requests are matched against. Any Source IP is the default option. Alternatively, you can match by IPv4 prefix, IP prefix, ASN list, or BGP ASN sets.

  • Optionally, configure the TLS fingerprint match parameters:

    • From the TLS fingerprint classes menu, select a TLS fingerprint class.

    • Under List of Exact Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected.

Figure: Fingerprint Selection

Note: You can add a fingerprint using the List of Exact Values option even if no classes were selected from the TLS fingerprint classes menu.

  • Under List of Excluded Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.

  • Click Add Item.

Step 5: Confirm rule order and save the new settings.
  • Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.

  • After you finish, click Apply.

Figure: Apply Protection Rule


Configure Rules Using Groups and Server URLs

If you are configuring rules using API groups and server URLs, perform the following:

Step 1: Log into Console and go to HTTP load balancer.
  • From the Console homepage, click Multi-Cloud App Connect.

Figure: Homepage

  • Select your application namespace.

  • Navigate to Manage > Multi-Cloud App Connect > HTTP Load Balancers.

  • Click ... for your load balancer and select Manage Configuration to open the load balancer configuration form.

  • Click the Edit Configuration option located in the top right corner of the form.

Step 2: Start configuring API protection rules.
  • In the Security Configuration section, click Configure in the API Protection Rules field.

Figure: Security Configuration Section

  • Under the Server URLs and API Groups section, click Add Item.

Figure: Server URLs and API Groups Section

  • In the Name field, enter a name for this API protection rule.

  • Under the Action section, select whether to Allow or Deny from the Action menu.

Figure: Action Selection

  • From the Domain menu, select an option:

    • Any Domain: default option.

    • Specific Domain: enter the domain in the Specific Domain field.

  • From the Base Path menu, select a server endpoint path. Click See Suggestions to display a suggested list of paths and endpoints.

  • From the API Group menu, select the API group based on a previously configured API definition.

Figure: Path Selection

Note: The suggestions are shown only if you have configured an API definition. To learn how to create and configure API definitions, see Import Swagger and Define APIs.

Step 3: Configure client match parameters.
  • In the Clients section, enable the Show Advanced Fields section.

  • From the Clients Selection menu, select which clients this rule matches:

    • Any Client: Default option.

    • List of IP Threat Categories: Select clients based on known IP threat categories.

    • Group of Clients by Label Selector: Select clients based on label selectors and expressions.

  • Optionally, configure the TLS fingerprint match parameters:

    • From the TLS fingerprint classes menu, select a TLS fingerprint class.

    • Under List of Exact Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to match from the class previously selected.

Note: You can add a fingerprint using the List of Exact Values option even if no classes were selected from the TLS fingerprint classes menu.

  • Under List of Excluded Values, click Add item. From the menu, click See Common Values to select an exact fingerprint to exclude from the class previously selected.

  • Click Add Item.

Figure: Fingerprint Selection

Step 4: Confirm rule order and save the new settings.
  • Check the order of the rules. You can reorder them by selecting a rule and moving it up or down the list.

  • After you finish, click Apply.

Figure: Apply Protection Rule
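As an added illustration (example code, not F5 code) of the evaluation order described in the Objective and the method-matching notes in Step 2 of the first procedure: a small Python model in which the API Endpoints rules are checked in their configured order first, and the Server URLs and API Groups rules only when none of them matched. Assumed, and not stated by the guide: the first matching rule within a category wins, a base path covers every request path beneath it, and the rule set itself is constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass
class EndpointRule:  # API Endpoints category (path + methods)
    name: str
    action: str                            # "Allow" or "Deny"
    path: str                              # exact API endpoint path
    methods: FrozenSet[str] = frozenset()  # empty = ANY method, per the guide's note
    invert_methods: bool = False           # Invert Method Matcher option
    domain: Optional[str] = None           # None = Any Domain

@dataclass
class GroupRule:  # Server URLs and API Groups category
    name: str
    action: str
    base_path: str
    domain: Optional[str] = None

def _domain_ok(rule_domain, host):
    return rule_domain is None or rule_domain == host

def endpoint_matches(rule, host, path, method):
    if not _domain_ok(rule.domain, host) or rule.path != path:
        return False
    method_hit = not rule.methods or method in rule.methods
    return method_hit != rule.invert_methods  # inversion flips only the method result

def group_matches(rule, host, path):
    # Assumption: a base path covers every request path beneath it.
    return _domain_ok(rule.domain, host) and path.startswith(rule.base_path)

def evaluate(endpoint_rules, group_rules, host, path, method):
    """First matching rule as (name, action), or None when nothing matches.
    Rules run in list order (the order confirmed in the rule-order step); the
    group category is consulted only when no endpoint rule matched."""
    for r in endpoint_rules:
        if endpoint_matches(r, host, path, method):
            return (r.name, r.action)
    for r in group_rules:
        if group_matches(r, host, path):
            return (r.name, r.action)
    return None

# Constructed sample rule set, not taken from any real deployment.
SAMPLE_ENDPOINT_RULES = [
    EndpointRule("deny-user-delete", "Deny", "/api/v1/users", frozenset({"DELETE"})),
    EndpointRule("allow-user-reads", "Allow", "/api/v1/users", frozenset({"GET", "HEAD"}), domain="api.example.test"),
]
SAMPLE_GROUP_RULES = [GroupRule("allow-v1-group", "Allow", "/api/v1")]
```

Swapping the two endpoint rules, or moving a Deny below an Allow that covers the same path, changes the result, which is why the rule-order check before Apply matters.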


Concepts