Service Policy

Objective

This document provides instructions on how to configure an application-level policy using a service policy. To learn more about how F5® Distributed Cloud Mesh Services secure your applications using service policies, see Service Policy.

Using the instructions provided in this document, you can create service policies with specific policy rules to secure your applications.


Prerequisites

The following prerequisites apply:


Configuration

A service policy can be configured in three different namespaces: system, shared, and app. The following section shows configuration of a service policy for an app namespace.

Configure Service Policy

Log into F5® Distributed Cloud Console (Console) and perform the following steps to create and apply a service policy to your application:

Step 1: Select or create a desired namespace.
  • From the Console homepage, select Load Balancers.

Figure: Console Homepage
Figure: Console Homepage

  • Select an existing namespace from the top-left Namespace drop-down menu.

Figure: Application Namespace Selection
Figure: Application Namespace Selection

How to create a new namespace
  • From the Console homepage, select All Services > Administration > My Namespaces.
  • Select Add namespace.

Create a Namespace
Figure: Create a Namespace

  • In the form that appears, enter a name for your namespace.
  • Optionally, add a description.
  • Select Save changes.
  • Select the Load Balancer service and select the service you just crerated.

Note: You can create a service policy in the following namespaces:

  • System
  • Shared
  • Configured namespace.
Step 2: Start creating service policy.
  • Select Security > Service Policies > Service Policies.

  • Select Add Service Policy.

Figure: Service Policy
Figure: Service Policy

  • In the form that appears, perform the following:

    • In the Name field, enter a name for the new service policy. This name must be unique within the namespace and entered in RFC 1035 format (like a domain name, for example, acmecorp-web).

    • Optionally, select one or more labels. For each label, select a key and corresponding value.

    • Optionally, enter a description for the new policy.

Figure: Add Name and Metadata
Figure: Add Name and Metadata

Step 3: Set the server attachment.
  • From the Server Selection field under the Servers section, choose one of the following:

    • Any Server: Applies the policy to any server.

    • Server Name: Name of the server to which a request is made. Enter the name of the server in the Server Name field.

    • Group of Servers by Name: List of server names for which requests are made. You can specify them using Exact Values and/or Regex Values. Select Add item and enter exact values or regular expressions for server names. Continue to select Add item in either section to build your list.

Figure: Server Selection Menu
Figure: Server Selection Menu

  • Group of Servers by Label Selector: Specifies the labels associated with the servers to which the requests are made. To add labels, select Add label in the Selector Expression field, and then for each label you want to add:

    • Select a key from the drop-down list.

    • Select a displayed operator.

    • Select a displayed value or enter a custom value.

    • Select Apply. If this is the last label, select outside the Selector Expression field or press the tab or esc key.

Note: Custom labels are currently not supported for this field. In the case of a client request coming from the public Internet, implicit labels like Geo-IP Country, Geo-IP City, and Geo-IP Region can be used. The Geo-IP data is sourced from the MaxMind free database. Geo-IP label can be used with the keys geoip.ves.io/country, geoip.ves.io/city, or geoip.ves.io/region as well as the value as selected from the choices. Geo-IP labels can also be set using a custom rule list and in the advanced matcher section.

Step 4: Create service policy rules.

In the Rules section, you will set rules that apply to requests sent to the servers selected in the Servers section (Step 3).

Figure: Request Rules
Figure: Request Rules

  • To create rules, choose one of the following options from the Select Policy Rules menu:

    • Allow All Requests or Deny All Requests. Simply allows or denies all requests.

    • Allowed Sources or Denied Sources: Defines a list of sources whose requests will all be allowed or denied. Select Configure for a category to start building your list. You may include multiple categories in your list. For example, you can use Allowed Sources and have both the IPv4 Prefix List and a Country List. The result allows any request from any of the IPv4 addresses or any of the countries listed.

      • IPv4 Prefix List and BGP ASN List: These options let you enter a list of respective server identifiers. Select Configure to enter the list, using Add item to enter additional servers, and select Apply to keep the list and return to the policy rules. If you need to make changes, use Edit Configuration for the category you want to change.

      • IP Prefix Set and BGP ASN Set: These options let you select an existing set of IPv4 prefixes or BGP ASNs or create a new set. Select Add item and then use the drop-down menu to either select an existing set or select Add Item to create a new set. Repeat the process to add more sets.

      • Country List: This option allows you to create a list of countries. Use this drop-down menu to select a country. You may use select multiple countries from the drop-down menu to create a list. You can delete a country from your list by hovering over the country name in your list and then selecting the x next to the country name.

      • Order TLS Fingerprint Values: This option allows you to compare a request's TLS JA3 fingerprint to a list of fingerprints you create. Select Add item and enter a fingerprint value (use the See Common Values to select from a list of common TLS values).

      • Use the Default Action menu to specify what to do for a source request that does not match any of the rules configured above:

        • Next Policy: allows your load balancer to evaluate the source request using the next service policy.

        • Allow or Deny: allows or denies the source request.

Allowed Sources
Figure: Allowed Sources

  • Custom Rule List: This option allows you to create a list of custom rules.
4.1 Build a custom rule list.
  • Select Custom Rule List.

Custom Rule List
Figure: Custom Rule List

  • Select Configure.

  • Select Add Item.

  • Enter a rule name and optionally a description.

Custom Rule Creation
Figure: Custom Rule Creation

The rule specification is configured with default values. To view or change these default values, select View Configuration.

  • In the Action section, select an action to be enforced (Allow, Deny, or Next Policy) if the input request matches the rule. Next Policy will take no action, but it will allow the service to match the input against the next policy.

  • In the Clients section, choose how you want to specify one or more clients to match against this rule, and then enter the client(s):

    • Any Client: This will match all clients.

    • Client Name: Enter the client name for this rule.

    • Group of Clients by Name: Select Add item and enter exact values or regular expressions for client names. Select Add item to continue to build your list.

    • List of IP Threat Categories: Select one or more categories from the menu provided.

    • Group of Clients by Label Selector: Select a label key, an operator, and a value if required, and then select Apply. You will have something like ves.io/country In (ves-io-can) AND (which will match if for any client in Canada, and whatever criteria you add after this). You can add additional match criteria by selecting another label key and repeating the process. When your expression is complete, press the tab key or click outside the area to complete the expression (and the trailing AND will be removed).

  • In the Servers section, select Add item and enter exact values or regular expressions for the server names. Continue to select Add item to build your list.

  • In the Request Match section, enter the types of requests that you want to match with this policy rule. You can specify the request type in a number of different ways:

    • HTTP Method: Select the HTTP methods from the Method List drop-down. Using the drop-down menu multiple times will allow you to select multiple methods.

    • HTTP Path: Select Configure and enter prefix values, exact values, regular expressions, or suffix values for an HTTP path. Continue to select Add item to build your list. Use the Transformers field to modify the path for easier matching (e.g. convert the string to lower case). Select Apply after you finish.

This image provides a suffix example:

Custom Rule for HTTP Path - Suffix
Figure: Custom Rule for HTTP Path - Suffix

This image provides a regex example:

Custom Rule for HTTP Path - Regex
Figure: Custom Rule for HTTP Path - Regex

  • HTTP Query Parameters: Select Add Item and then enter a parameter name in the Query Parameter Name field. Use the Match Options drop-down menu to select a match value. Present/Not Present matches if that parameter name is/is not in the request. Match Values allows you to enter exact values and/or regular expression for values to match against.

  • HTTP Headers: Select Add Item and then enter a header name in the Header Name field. Use the Match Options drop-down menu to select a match value. Present/Not Present matches if that parameter name is/is not in the request. Match Values allows you to enter exact values and/or regular expression for values to match against.

  • In the Advanced Match section, optionally perform the following:

    • Select Add item to configure label keys and label values that need to be the same for the clients and servers.

    • Select Configure to set up the API matching for requests.

    • In the User Identity Matcher section, select the Add item buttons to specify user identities either by exact values or regex values.

  • After you complete the custom rule specification, select Apply.

  • Select Apply to add the rule to the rules list.

  • Select Apply to save the custom rule.

4.2 Configure the order of custom rules.

After you create your custom rules, you can choose the order in which the service policy evaluates them. If you have multiple service policies enabled on the same load balancer, you can order the custom rules in each of them.

Step 5: Complete service policy creation.

Select Save and Exit to create the service policy.


Apply Service Policy

Service policies can be made active for your application namespace and then applied to your load balancer. Or you can simply apply a specific service policy instead. If you select Apply Namespace Service Policies in your load balancer configuration, all active service policies will be enabled on it. If you select Apply Specified Service Policies, then only a specific service policy can be applied.

The order of service policies and the order of rules within a service policy matters. It is also important to plan the ordering of your service policies to get the intended effect. When a request comes in, its characteristics are evaluated based on the match criteria in each service policy starting at the top. If there is a match in the first policy, then the policy takes effect and no more policies are evaluated. Otherwise, the next policy is evaluated. If all policies are evaluated and none match, then the request will be blocked by default.

For example, consider the policy list below. The last policy, ves-io-allow-all, allows all traffic through, so this setup will rely on matches to prior policies to deny undesired traffic. In the case below, all policies above ves-io-allow-all deny a request for some reason, except allowed-ips. The service policy allowed-ips is intended to allow certain IP addresses through without enforcing any of the following service policies. If you were to move allowed-ips below method-enforcement, then allowed-ips would still be subject to blocking if the request used a disallowed HTTP method.

List of Service Policies
Figure: List of Service Policies

Step 1: Set active service policy.

To apply all active namespace service policies to a load balancer, select the Load Balancers service and your namespace, and then perform the following:

  • Select Security > Service Policies > Active Service Policies.

Active Service Policies
Figure: Active Service Policies

  • Select Select Active Service Policies. This will show a list of active service policies available for the given namespace, which may be empty.

  • Select Select Service Policy to add a new service policy to the active list.

Select Active Service Policy
Figure: Select Active Service Policy

  • Check the box next to the service policy you just created.

  • Select Select Service Policy.

  • Select Save and Exit.

Step 2: Set active service policy order of evaluation.

You have the option to set the order of evaluation for the active service policies configured in a given namespace.

  • Select your namespace that contains the active service policies.

  • Select Security > Service Policies > Active Service Policies.

  • Select Select Active Service Policies.

  • Change the order of these rules by using the drag handle to drag and drop the rules in the order you see fit. You can also select ... > Move to another spot, and then use the arrows to move the rule up or down the list.

Order of Evaluation
Figure: Order of Evaluation

Step 3: Apply specific service policy to a load balancer.

You can apply a specific service policy to your load balancer using the Apply Specified Service Policies option. You can apply as many specific service policies as needed.

To apply specific service policies, perform the following:

  • Open your load balancer for editing:

    • Select Manage > Load Balancers > HTTP Load Balancers.
    • For your load balancers, select ... > Manage Configuration.
    • Select Edit Configuration in the upper right corner.
  • Navigate to the Security Configuration section in load balancer configuration.

  • From the Service Policies menu, select the Apply Specified Service Policies option.

Apply Specified Service Policy
Figure: Apply Specified Service Policy

  • Select Configure.

Menu Options
Figure: Menu Options

  • From the List of Policies menu, select a service policy.

  • Select Add item to add more service policies.

  • Use the drag handles to the left of the service policy to re-arrange the order of the service policies.

  • Select Apply.

  • If you are finished with load balancer configuration, select Save and Exit.


Concepts


API References