Service Policy

Objective

This document provides instructions on how to configure an application-level policy using a service policy. To learn more about how F5® Distributed Cloud Mesh Services secure your applications using service policies, see Service Policy.

Using the instructions provided in this document, you can create service policies with specific policy rules to secure your applications.


Prerequisites

The following prerequisites apply:


Configuration

A service policy can be configured in three different namespaces: system, shared, and app. The following section shows configuration of a service policy for an app namespace.

Configure Service Policy

Log into F5® Distributed Cloud Console (Console) and perform the following steps to create and apply a service policy to your application:

Step 1: Select or create a desired namespace.
  • From the Console homepage, click Load Balancers.

Figure: Console Homepage

  • Select an existing namespace from the top-left Application Namespaces drop-down menu.

Figure: Application Namespace Selection

  • To create a new namespace:

    • From the Console homepage, click All Services.

    • Click Administration > My Namespaces.

    • Click Add namespace.

Figure: Create a Namespace

  • In the form that appears, enter a name for your namespace.

  • Optionally, add a description.

  • Click Save changes.

Note: You can create a service policy in the following namespaces:

  • System
  • Shared
  • Configured namespace

Step 2: Start creating service policy.
  • Click Security > Service Policies > Service Policies.

  • Click Add service policy.

Figure: Service Policy

  • In the form that appears, perform the following:

    • In the Name field, enter a name for the new service policy. This name must be unique within the namespace and entered in RFC 1035 format (like a domain name, for example, acmecorp-web).

    • Optionally, select one or more labels. For each label, select a key and corresponding value.

    • Optionally, enter a description for the new policy.

Figure: Add Name and Metadata

Step 3: Set the server attachment.
  • From the Server Selection field under the Attachment section, choose one of the following:

    • Any Server: Applies the policy to any server.

    • Server Name: Name of the server to which a request is made. Enter the name of the server in the Server Name field.

    • Group of Servers by Name: List of server names to which requests are made. You can specify them using Exact Values and/or Regex Values. Click Add item under the appropriate list and enter an exact value or a regular expression for a server name; click Add item again to continue building your list.

Figure: Server Selection Menu

    • Group of Servers by Label Selector: Specifies the labels associated with the servers to which the requests are made. To add labels, click in the Selector Expression field, and then for each label you want to add:

      • Select a key from the displayed options or type a key and click Assign Custom Key.

      • Select a displayed operator.

      • Select a displayed value or enter a custom value.

      • Click Apply. If this is the last label, click outside the Selector Expression field or press the tab key.

Note: Custom labels are currently not supported for this field. For a client request coming from the public Internet, the implicit labels Geo-IP Country, Geo-IP City, and Geo-IP Region can be used. The Geo-IP data is sourced from the MaxMind free database. Use the keys geoip.ves.io/country, geoip.ves.io/city, or geoip.ves.io/region, and select the value from the displayed choices. Geo-IP labels can also be set in a custom rule list and in the Advanced Match section.

Step 4: Create service policy rules.

In the Rules section, you will set rules that apply to the requests to the servers selected in the Attachment section (Step 3).

Figure: Request Rules

  • To create rules, choose one of the following options from the Select Policy Rules menu:

    • Allow All Requests or Deny All Requests: Allows or denies all requests, respectively.

    • Allowed Sources or Denied Sources: Defines a list of sources whose requests will all be allowed or denied. Click Configure for a category to start building your list. You may include multiple categories in your list. For example, you can use Allowed Sources and have both the IPv4 Prefix List and a Country List. The result allows any request from any of the IPv4 addresses or any of the countries listed.

      • IPv4 Prefix List and BGP ASN List: These options let you enter a list of IPv4 prefixes or BGP ASNs, respectively. Click Configure to enter the list, using Add item to enter additional entries, and Apply to keep the list and return to the policy rules. If you need to make changes, use Edit for the category you want to change.

      • IP Prefix Set and BGP ASN Set: These options let you select an existing set of IPv4 prefixes or BGP ASNs, or create a new set. Click Add item and select an existing set, or select Create new... to create a new set. Repeat the process to add more sets. Click Apply when you are finished adding sets.

      • Country List: This option allows you to create a list of countries. Use this drop-down menu to select a country to add to the list. You may use it multiple times to add to your list. You can delete a country from your list by hovering over the country name in your list and then clicking the x next to the country name.

      • Use the Default Action menu to specify what to do for requests that do not belong to the source lists configured above:

        • Next Policy: lets your load balancer evaluate the request using the next service policy.

        • Allow or Deny: allows or denies any request whose source is not in the lists configured above.

Figure: Allowed Sources

  • Custom Rule List: This option allows you to create a list of custom rules.

4.1 Build a custom rule list.
  • Select Custom Rule List.

Figure: Custom Rule List

  • Click Configure.

  • Click Add Item.

  • Enter a rule name and optionally a description, and then click Configure.

Figure: Custom Rule Creation

  • In the Action section, select an action to be enforced (Allow, Deny, or Next Policy) if the input request matches the rule. Next Policy will take no action, but will allow the service to match the input against the next policy.

  • In the Clients section, choose how you want to specify one or more clients to match against this rule, and then enter the client(s):

    • Any Client: This will match all clients.

    • Client Name: Enter the client name for this rule.

    • Group of Clients by Name: Click Add item and enter exact values or regular expressions for client names. Click Add item to continue to build your list.

    • List of IP Threat Categories: Select one or more categories from the menu provided.

    • Group of Clients by Label Selector: Select a label key, an operator, and a value if required, and then click Apply. You will have something like ves.io/country In (ves-io-can) AND, which matches any client in Canada combined with whatever criteria you add after it. You can add additional match criteria by selecting another label key and repeating the process. When your expression is complete, press the tab key or click outside the area to complete the expression (the trailing AND will be removed).

  • In the Servers section, click Add item and enter exact values or regular expressions for the server names. Continue to click Add item to build your list.

  • In the Request Match section, enter the types of requests that you want to match with this policy rule. You can specify the request type in a number of different ways:

    • HTTP Method: Select the HTTP methods from the Method List drop-down. Using the drop-down menu multiple times will allow you to select multiple methods.

    • HTTP Path: Click Configure and enter prefix values, exact values, or regular expressions for an HTTP path. Continue to click Add item to build your list. Click Apply after you finish.

This image provides a suffix example:

Figure: Custom Rule for HTTP Path - Suffix

This image provides a regex example:

Figure: Custom Rule for HTTP Path - Regex

    • HTTP Query Parameters: Click Add Item and then enter a parameter name in the Query Parameter Name field. Use the Match Options drop-down menu to select a match type. Present/Not Present matches if that parameter name is/is not in the request. Match Values allows you to enter exact values and/or regular expressions for values to match against.

    • HTTP Headers: Click Add Item and then enter a header name in the Header Name field. Use the Match Options drop-down menu to select a match type. Present/Not Present matches if that header name is/is not in the request. Match Values allows you to enter exact values and/or regular expressions for values to match against.

  • In the Advanced Match section, optionally perform the following:

    • Click Add item to configure label keys and label values that need to be the same for the clients and servers.

    • Click Configure to set up the API matching for requests.

  • After you complete the custom rule, click Apply to add it to your service policy.

  • Click Add Item.

  • Click Apply.

4.2 Configure the order of custom rules.

After you create your custom rules, you can choose the order in which the service policy evaluates them. If you have multiple service policies enabled on the same load balancer, you can order the custom rules in each of them.

Step 5: Complete service policy creation.

Click Save and Exit to create the service policy.


Apply Service Policy

Service policies can be made active for your application namespace and then applied to your load balancer. Or you can simply apply a specific service policy instead. If you select Apply Namespace Service Policies in your load balancer configuration, all active service policies will be enabled on it. If you select Apply Specified Service Policies, then only a specific service policy can be applied.

The order of service policies, and the order of rules within a service policy, matters, so plan the ordering of your service policies to get the intended effect. When a request comes in, its characteristics are evaluated against the match criteria in each service policy, starting at the top. If a policy matches, its action takes effect and no further policies are evaluated; otherwise, the next policy is evaluated. If all policies are evaluated and none match, the request is blocked by default.

For example, consider the policy list below. The last policy, ves-io-allow-all, allows all traffic through, so this setup will rely on matches to prior policies to deny undesired traffic. In the case below, all policies above ves-io-allow-all deny a request for some reason, except allowed-ips. The service policy allowed-ips is intended to allow certain IP addresses through without enforcing any of the service policies. If you were to move allowed-ips below method-enforcement, then allowed-ips would still be subject to blocking if the request used a disallowed HTTP method.

Figure: List of Service Policies
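To make the evaluation order described above concrete (the first matching rule in a policy decides; Allow or Deny stops at that policy; Next Policy or no match falls through; an unmatched request is blocked by default), here is an added Python model that is not part of this page or of the F5 product, covering both the custom-rule actions from Step 4 and the policy ordering discussion. It assumes a simplified request (source IP, Geo-IP country, HTTP method), a reduced subset of the Step 4 matchers, and constructed policies named after the example above (allowed-ips, method-enforcement, ves-io-allow-all).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALLOW, DENY, NEXT_POLICY = "Allow", "Deny", "Next Policy"

@dataclass
class Rule:
    # Every configured matcher must match; an empty matcher means "any".
    action: str
    ipv4_prefixes: list = field(default_factory=list)  # client source prefixes
    countries: list = field(default_factory=list)      # geoip.ves.io/country values
    methods: list = field(default_factory=list)        # HTTP Method list
    def matches(self, req):
        src = ip_address(req["src_ip"])
        if self.ipv4_prefixes and not any(src in ip_network(p) for p in self.ipv4_prefixes):
            return False
        if self.countries and req["country"] not in self.countries:
            return False
        return not self.methods or req["method"] in self.methods

@dataclass
class Policy:
    name: str
    rules: list
    def evaluate(self, req):
        # Rules run in order; first match wins. No match (or "Next Policy") falls through.
        for rule in self.rules:
            if rule.matches(req):
                return rule.action
        return NEXT_POLICY

def evaluate_policies(policies, req):
    # Active policies run top to bottom; Allow/Deny stops; nothing matching is blocked.
    for policy in policies:
        verdict = policy.evaluate(req)
        if verdict != NEXT_POLICY:
            return verdict, policy.name
    return DENY, "default-deny"

# Constructed policies (assumed, not from the page) using the names from the discussion above.
allowed_ips = Policy("allowed-ips", [Rule(ALLOW, ipv4_prefixes=["203.0.113.0/24"])])
method_enforcement = Policy("method-enforcement", [Rule(DENY, methods=["PUT", "DELETE", "TRACE"])])
allow_all = Policy("ves-io-allow-all", [Rule(ALLOW)])
REQ = {"src_ip": "203.0.113.7", "country": "CA", "method": "PUT"}  # constructed request

def intended_order():  # allowed-ips above method-enforcement: trusted IP bypasses the method check
    return evaluate_policies([allowed_ips, method_enforcement, allow_all], REQ)

def swapped_order():  # allowed-ips below method-enforcement: the PUT is denied first
    return evaluate_policies([method_enforcement, allowed_ips, allow_all], REQ)
```

Dropping ves-io-allow-all from the list shows the default-deny behaviour: a request that no policy matches is blocked.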

Step 1: Set active service policy.

To apply all active namespace service policies, perform the following:

  • Select Security > Service Policies > Active Service Policies.

Figure: Active Service Policies

  • Click Select Active Service Policies. This will show a list of active service policies available for the given namespace.

  • Click Select Service Policy to add a new service policy to the active list.

Figure: Select Active Service Policy

  • Check the box next to the service policy you just created.

  • Click Select Service Policy.

  • Click Save and Exit.

Step 2: Set active service policy order of evaluation.

You have the option to set the order of evaluation for the active service policies configured in a given namespace.

  • Select your namespace that contains the active service policies.

  • Select Security > Service Policies > Active Service Policies.

  • Click Select Active Service Policies.

  • Change the order of the service policies by dragging and dropping them into the order you see fit. You can also click ... > Move to another spot, and then use the arrows to move the policy up or down the list.

Figure: Order of Evaluation

Step 3: Apply specific service policy to a load balancer.

You can apply a specific service policy to your load balancer using the Apply Specified Service Policies option. You can apply as many specific service policies as needed.

To apply specific service policies, perform the following:

  • Navigate to the Security Configuration section in load balancer configuration.

  • From the Service Policies menu, select the Apply Specified Service Policies option.

  • Click Configure.

Figure: Apply Specified Service Policy

  • From the List of Policies menu, select a service policy.

Figure: Menu Options

  • Click Add item to add more service policies.

  • Use the up and down arrows to re-arrange the order of the service policies.

  • Click Apply.

  • If you are finished with load balancer configuration, click Save and Exit.
