Suggest rate limit rule.

POST

/api/config/namespaces/{namespace}/api_sec/rule_suggestion/rate_limit

curl --request POST \
  --url https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/api_sec/rule_suggestion/rate_limit \
  --header 'Authorization: <Authorization>' \
  --header 'Content-Type: application/json' \
  --data '{ "method": "ANY", "namespace": "example", "path": "example", "virtual_host_name": "example" }'

• F5 Distributed Cloud Console

Suggest rate limit rule for a given path.

Examples of this operation.

Authorizations

• ApiToken

Parameters

Path Parameters

namespace

required

string

Namespace x-required Namespace of the App type for current request.

Request Body^required

Media typeapplication/json

GetSuggestedRateLimitRuleReq

GET suggested rate limit rule for a given path.

object

method

string

default: ANY

Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY

namespace

Namespace

Namespace of the App type for current request Required: YES.

string

>= 6 characters <= 1024 characters

path

Path

Path to apply the rate limit to Required: YES.

string

<= 1024 characters

virtual_host_name

Name

Virtual Host for which this rate limit rule applied Required: YES.

string

<= 1024 characters

Responses

200

A successful response.

Media typeapplication/json

GetSuggestedRateLimitRuleRsp

GET suggested rate limit rule for a given path.

object

found_existing_rule

object

loadbalancer_type

string

default: VIRTUAL_SERVICE

Allowed values: VIRTUAL_SERVICE HTTP_LOAD_BALANCER API_GATEWAY TCP_LOAD_BALANCER PROXY CDN_LOAD_BALANCER NGINX_SERVER UDP_LOAD_BALANCER

rule

object

any_domain

object

api_endpoint_method

object

invert_matcher

invert_matcher

Invert the match result.

boolean format: boolean

methods

methods

List of methods values to match against.

Array<string>

<= 16 items

Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY

api_endpoint_path

api endpoint path

The endpoint (path) of the request. Required: YES.

string

<= 1024 characters

client_matcher

object

any_client

object

any_ip

object

asn_list

object

as_numbers

as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>

>= 1 items <= 16 items

asn_matcher

object

asn_sets

asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>

<= 4 items

ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object

kind

kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string

>= 12 characters <= 1024 characters

name

name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string

>= 6 characters <= 1024 characters

namespace

namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string

>= 6 characters <= 1024 characters

tenant

tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string

>= 6 characters <= 1024 characters

uid

uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid

>= 36 characters <= 1024 characters

client_selector

object

expressions

expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>

<= 1 items

ip_matcher

object

invert_matcher

invert_matcher

Invert the match result.

boolean format: boolean

prefix_sets

prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>

<= 4 items

ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object

kind

kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string

>= 12 characters <= 1024 characters

name

name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string

>= 6 characters <= 1024 characters

namespace

namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string

>= 6 characters <= 1024 characters

tenant

tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string

>= 6 characters <= 1024 characters

uid

uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid

>= 36 characters <= 1024 characters

ip_prefix_list

object

invert_match

invert_matcher

Invert the match result.

boolean format: boolean

ip_prefixes

ip prefixes

List of IPv4 prefix strings.

Array<string>

<= 128 items

ip_threat_category_list

object

ip_threat_categories

IP Threat Categories

The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions

Required: YES.

Array<string>

<= 32 items

Allowed values: SPAM_SOURCES WINDOWS_EXPLOITS WEB_ATTACKS BOTNETS SCANNERS REPUTATION PHISHING PROXY MOBILE_THREATS TOR_PROXY DENIAL_OF_SERVICE NETWORK

tls_fingerprint_matcher

object

classes

classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>

<= 16 items

Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT

exact_values

exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>

<= 16 items

excluded_values

excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>

<= 32 items

inline_rate_limiter

object

ref_user_id

object

name

name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string

>= 1 characters <= 128 characters

namespace

namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string

>= 6 characters <= 64 characters

tenant

tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string

>= 6 characters <= 64 characters

threshold

threshold

The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.

integer format: int64

unit

string

default: SECOND

Allowed values: SECOND MINUTE HOUR

use_http_lb_user_id

object

ref_rate_limiter

object

name

name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.

string

>= 1 characters <= 128 characters

namespace

namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string

>= 6 characters <= 64 characters

tenant

tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string

>= 6 characters <= 64 characters

request_matcher

object

cookie_matchers

cookie matchers

A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.

Array<object>

<= 16 items

CookieMatcherType

A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:

• Presence or absence of the cookie
• At least one of the values for the cookie in the request satisfies the MatcherType item.

object

check_not_present

object

check_present

object

invert_matcher

invert_matcher

Invert Match of the expression defined.

boolean format: boolean

item

object

exact_values

exact values

A list of exact values to match the input against.

Array<string>

<= 64 items

regex_values

regex values

A list of regular expressions to match the input against.

Array<string>

<= 16 items

transformers

transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>

<= 9 items

Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM

name

name

A case-sensitive cookie name. Required: YES.

string

>= 6 characters <= 256 characters

headers

headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>

<= 16 items

HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

• Presence or absence of the header in the input
• At least one of the values for the header in the input satisfies the MatcherType item.

object

check_not_present

object

check_present

object

invert_matcher

invert_matcher

Invert the match result.

boolean format: boolean

item

object

exact_values

exact values

A list of exact values to match the input against.

Array<string>

<= 64 items

regex_values

regex values

A list of regular expressions to match the input against.

Array<string>

<= 16 items

transformers

transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>

<= 9 items

Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM

name

name

A case-insensitive HTTP header name. Required: YES.

string

>= 6 characters <= 256 characters

jwt_claims

JWT claims

A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.

Array<object>

<= 16 items

JWTClaimMatcherType

A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:

• Presence or absence of the JWT Claim in the input
• At least one of the values for the JWT Claim in the input satisfies the MatcherType item.

object

check_not_present

object

check_present

object

invert_matcher

invert_matcher

Invert the match result.

boolean format: boolean

item

object

exact_values

exact values

A list of exact values to match the input against.

Array<string>

<= 64 items

regex_values

regex values

A list of regular expressions to match the input against.

Array<string>

<= 16 items

transformers

transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>

<= 9 items

Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM

name

name

JWT claim name. Required: YES.

string

>= 6 characters <= 256 characters

query_params

query params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>

<= 16 items

QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

• Presence or absence of the query parameter in the input
• At least one of the values for the query parameter in the input satisfies the MatcherType item.

object

check_not_present

object

check_present

object

invert_matcher

invert_matcher

Invert the match result.

boolean format: boolean

item

object

exact_values

exact values

A list of exact values to match the input against.

Array<string>

<= 64 items

regex_values

regex values

A list of regular expressions to match the input against.

Array<string>

<= 16 items

transformers

transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>

<= 9 items

Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM

key

key

A case-sensitive HTTP query parameter name. Required: YES.

string

>= 7 characters <= 256 characters

specific_domain

domain

Exclusive with [any_domain] The rule will apply for a specific domain.

string

<= 128 characters

Example

{
  "loadbalancer_type": "VIRTUAL_SERVICE",
  "rule": {
    "api_endpoint_method": {
      "methods": [
        "ANY"
      ]
    },
    "client_matcher": {
      "ip_threat_category_list": {
        "ip_threat_categories": [
          "SPAM_SOURCES"
        ]
      },
      "tls_fingerprint_matcher": {
        "classes": [
          "TLS_FINGERPRINT_NONE"
        ]
      }
    },
    "inline_rate_limiter": {
      "unit": "SECOND"
    },
    "request_matcher": {
      "cookie_matchers": [
        {
          "item": {
            "transformers": [
              "LOWER_CASE"
            ]
          }
        }
      ],
      "headers": [
        {
          "item": {
            "transformers": [
              "LOWER_CASE"
            ]
          }
        }
      ],
      "jwt_claims": [
        {
          "item": {
            "transformers": [
              "LOWER_CASE"
            ]
          }
        }
      ],
      "query_params": [
        {
          "item": {
            "transformers": [
              "LOWER_CASE"
            ]
          }
        }
      ]
    }
  }
}

401

Returned when operation is not authorized.

Media typeapplication/json

string format: string

Example^generated

example

403

Returned when there is no permission to access resource.

Media typeapplication/json

string format: string

Example^generated

example

404

Returned when resource is not found.

Media typeapplication/json

string format: string

Example^generated

example

409

Returned when operation on resource is conflicting with current value.

Media typeapplication/json

string format: string

Example^generated

example

429

Returned when operation has been rejected as it is happening too frequently.

Media typeapplication/json

string format: string

Example^generated

example

500

Returned when server encountered an error in processing API.

Media typeapplication/json

string format: string

Example^generated

example

503

Returned when service is unavailable temporarily.

Media typeapplication/json

string format: string

Example^generated

example

504

Returned when server timed out processing request.

Media typeapplication/json

string format: string

Example^generated

example