Create CDN Loadbalancer.
const url = 'https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/cdn_loadbalancers';const options = { method: 'POST', headers: {Authorization: '<Authorization>', 'Content-Type': 'application/json'}, body: '{"metadata":{"annotations":{},"description":"example","disable":true,"labels":{},"name":"example","namespace":"example"},"spec":{"active_service_policies":{"policies":[{"name":"example","namespace":"example"}]},"api_rate_limit":{"api_endpoint_rules":[{"any_domain":{},"api_endpoint_method":{"invert_matcher":true,"methods":["ANY"]},"api_endpoint_path":"example","client_matcher":{"any_client":{},"any_ip":{},"asn_list":{"as_numbers":[1]},"asn_matcher":{"asn_sets":[{"name":"example","namespace":"example"}]},"client_selector":{"expressions":["example"]},"ip_matcher":{"invert_matcher":true,"prefix_sets":[{"name":"example","namespace":"example"}]},"ip_prefix_list":{"invert_match":true,"ip_prefixes":["example"]},"ip_threat_category_list":{"ip_threat_categories":["SPAM_SOURCES"]},"tls_fingerprint_matcher":{"classes":["TLS_FINGERPRINT_NONE"],"exact_values":["example"],"excluded_values":["example"]}},"inline_rate_limiter":{"ref_user_id":{"name":"example","namespace":"example"},"threshold":1,"unit":"SECOND","use_http_lb_user_id":{}},"ref_rate_limiter":{"name":"example","namespace":"example"},"request_matcher":{"cookie_matchers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"headers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"jwt_claims":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"query_params":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"key":"example"}]},"specific_domain":"example"}],"bypass_rate_limiting_rules":{"bypass_rate_limiting_rules":[{"any_domain":{},"any_url":{},"api_endpoint":{"methods":["ANY"],"path":"example"},"api_groups":{"api_groups":["example"]},"base_path":"example","client_matcher":{"any_client":{},"any_ip":{},"asn_list":{"as_numbers":[1]},"asn_matcher":{"asn_sets":[{"name":"example","namespace":"example"}]},"client_selector":{"expressions":["example"]},"ip_matcher":{"invert_matcher":true,"prefix_sets":[{"name":"example","namespace":"example"}]},"ip_prefix_list":{"invert_match":true,"ip_prefixes":["example"]},"ip_threat_category_list":{"ip_threat_categories":["SPAM_SOURCES"]},"tls_fingerprint_matcher":{"classes":["TLS_FINGERPRINT_NONE"],"exact_values":["example"],"excluded_values":["example"]}},"request_matcher":{"cookie_matchers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"headers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"jwt_claims":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"query_params":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"key":"example"}]},"specific_domain":"example"}]},"custom_ip_allowed_list":{"rate_limiter_allowed_prefixes":[{"name":"example","namespace":"example"}]},"ip_allowed_list":{"prefixes":["example"]},"no_ip_allowed_list":{},"server_url_rules":[{"any_domain":{},"api_group":"example","base_path":"example","client_matcher":{"any_client":{},"any_ip":{},"asn_list":{"as_numbers":[1]},"asn_matcher":{"asn_sets":[{"name":"example","namespace":"example"}]},"client_selector":{"expressions":["example"]},"ip_matcher":{"invert_matcher":true,"prefix_sets":[{"name":"example","namespace":"example"}]},"ip_prefix_list":{"invert_match":true,"ip_prefixes":["example"]},"ip_threat_category_list":{"ip_threat_categories":["SPAM_SOURCES"]},"tls_fingerprint_matcher":{"classes":["TLS_FINGERPRINT_NONE"],"exact_values":["example"],"excluded_values":["example"]}},"inline_rate_limiter":{"ref_user_id":{"name":"example","namespace":"example"},"threshold":1,"unit":"SECOND","use_http_lb_user_id":{}},"ref_rate_limiter":{"name":"example","namespace":"example"},"request_matcher":{"cookie_matchers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"headers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"jwt_claims":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"query_params":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"key":"example"}]},"specific_domain":"example"}]},"api_specification":{"api_definition":{"name":"example","namespace":"example"},"validation_all_spec_endpoints":{"fall_through_mode":{"fall_through_mode_allow":{},"fall_through_mode_custom":{"open_api_validation_rules":[{"action_block":{},"action_report":{},"action_skip":{},"api_endpoint":{"methods":["ANY"],"path":"example"},"api_group":"example","base_path":"example","metadata":{"description":"example","name":"example"}}]}},"settings":{"oversized_body_fail_validation":{},"oversized_body_skip_validation":{},"property_validation_settings_custom":{"queryParameters":{"allow_additional_parameters":{},"disallow_additional_parameters":{}}},"property_validation_settings_default":{}},"validation_mode":{"response_validation_mode_active":{"enforcement_block":{},"enforcement_report":{},"response_validation_properties":["PROPERTY_QUERY_PARAMETERS"]},"skip_response_validation":{},"skip_validation":{},"validation_mode_active":{"enforcement_block":{},"enforcement_report":{},"request_validation_properties":["PROPERTY_QUERY_PARAMETERS"]}}},"validation_custom_list":{"fall_through_mode":{"fall_through_mode_allow":{},"fall_through_mode_custom":{"open_api_validation_rules":[{"action_block":{},"action_report":{},"action_skip":{},"api_endpoint":{"methods":["ANY"],"path":"example"},"api_group":"example","base_path":"example","metadata":{"description":"example","name":"example"}}]}},"open_api_validation_rules":[{"any_domain":{},"api_endpoint":{"methods":["ANY"],"path":"example"},"api_group":"example","base_path":"example","metadata":{"description":"example","name":"example"},"specific_domain":"example","validation_mode":{"response_validation_mode_active":{"enforcement_block":{},"enforcement_report":{},"response_validation_properties":["PROPERTY_QUERY_PARAMETERS"]},"skip_response_validation":{},"skip_validation":{},"validation_mode_active":{"enforcement_block":{},"enforcement_report":{},"request_validation_properties":["PROPERTY_QUERY_PARAMETERS"]}}}],"settings":{"oversized_body_fail_validation":{},"oversized_body_skip_validation":{},"property_validation_settings_custom":{"queryParameters":{"allow_additional_parameters":{},"disallow_additional_parameters":{}}},"property_validation_settings_default":{}}},"validation_disabled":{}},"app_firewall":{"name":"example","namespace":"example"},"blocked_clients":[{"actions":["SKIP_PROCESSING_WAF"],"as_number":1,"bot_skip_processing":{},"expiration_timestamp":"2026-04-15T12:00:00Z","http_header":{"headers":[{"exact":"example","invert_match":true,"name":"example","presence":true,"regex":"example"}]},"ip_prefix":"example","ipv6_prefix":"example","metadata":{"description":"example","name":"example"},"skip_processing":{},"user_identifier":"example","waf_skip_processing":{}}],"bot_defense":{"disable_cors_support":{},"enable_cors_support":{},"policy":{"disable_js_insert":{},"disable_mobile_sdk":{},"javascript_mode":"ASYNC_JS_NO_CACHING","js_download_path":"example","js_insert_all_pages":{"javascript_location":"AFTER_HEAD"},"js_insert_all_pages_except":{"exclude_list":[{"any_domain":{},"domain":{"exact_value":"example","regex_value":"example","suffix_value":"example"},"metadata":{"description":"example","name":"example"},"path":{"path":"example","prefix":"example","regex":"example"}}],"javascript_location":"AFTER_HEAD"},"js_insertion_rules":{"exclude_list":[{"any_domain":{},"domain":{"exact_value":"example","regex_value":"example","suffix_value":"example"},"metadata":{"description":"example","name":"example"},"path":{"path":"example","prefix":"example","regex":"example"}}],"rules":[{"any_domain":{},"domain":{"exact_value":"example","regex_value":"example","suffix_value":"example"},"javascript_location":"AFTER_HEAD","metadata":{"description":"example","name":"example"},"path":{"path":"example","prefix":"example","regex":"example"}}]},"mobile_sdk_config":{"mobile_identifier":{"headers":[{"check_not_present":{},"check_present":{},"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}]}},"protected_app_endpoints":[{"allow_good_bots":{},"any_domain":{},"domain":{"exact_value":"example","regex_value":"example","suffix_value":"example"},"flow_label":{"account_management":{"create":{},"password_reset":{}},"authentication":{"login":{"disable_transaction_result":{},"transaction_result":{"failure_conditions":[{"name":"example","regex_values":["example"],"status":"EmptyStatusCode"}],"success_conditions":[{"name":"example","regex_values":["example"],"status":"EmptyStatusCode"}]}},"login_mfa":{},"login_partner":{},"logout":{},"token_refresh":{}},"financial_services":{"apply":{},"money_transfer":{}},"flight":{"checkin":{}},"profile_management":{"create":{},"update":{},"view":{}},"search":{"flight_search":{},"product_search":{},"reservation_search":{},"room_search":{}},"shopping_gift_cards":{"gift_card_make_purchase_with_gift_card":{},"gift_card_validation":{},"shop_add_to_cart":{},"shop_checkout":{},"shop_choose_seat":{},"shop_enter_drawing_submission":{},"shop_make_payment":{},"shop_order":{},"shop_price_inquiry":{},"shop_promo_code_validation":{},"shop_purchase_gift_card":{},"shop_update_quantity":{}}},"headers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"http_methods":["METHOD_ANY"],"metadata":{"description":"example","name":"example"},"mitigate_good_bots":{},"mitigation":{"block":{"body":"example","status":"EmptyStatusCode"},"flag":{"append_headers":{"auto_type_header_name":"example","inference_header_name":"example"},"no_headers":{}},"redirect":{"uri":"example"}},"mobile":{},"path":{"path":"example","prefix":"example","regex":"example"},"protocol":"BOTH","query_params":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"key":"example"}],"undefined_flow_label":{},"web":{},"web_mobile":{"mobile_identifier":"HEADERS"}}]},"regional_endpoint":"AUTO","timeout":1},"captcha_challenge":{"cookie_expiry":1,"custom_page":"example"},"client_side_defense":{"policy":{"disable_js_insert":{},"js_insert_all_pages":{},"js_insert_all_pages_except":{"exclude_list":[{"any_domain":{},"domain":{"exact_value":"example","regex_value":"example","suffix_value":"example"},"metadata":{"description":"example","name":"example"},"path":{"path":"example","prefix":"example","regex":"example"}}]},"js_insertion_rules":{"exclude_list":[{"any_domain":{},"domain":{"exact_value":"example","regex_value":"example","suffix_value":"example"},"metadata":{"description":"example","name":"example"},"path":{"path":"example","prefix":"example","regex":"example"}}],"rules":[{"any_domain":{},"domain":{"exact_value":"example","regex_value":"example","suffix_value":"example"},"metadata":{"description":"example","name":"example"},"path":{"path":"example","prefix":"example","regex":"example"}}]}}},"cors_policy":{"allow_credentials":true,"allow_headers":"example","allow_methods":"example","allow_origin":["example"],"allow_origin_regex":["example"],"disabled":true,"expose_headers":"example","maximum_age":1},"csrf_policy":{"all_load_balancer_domains":{},"custom_domain_list":{"domains":["example"]},"disabled":{}},"custom_cache_rule":{"cdn_cache_rules":[{"name":"example","namespace":"example"}]},"data_guard_rules":[{"any_domain":{},"apply_data_guard":{},"exact_value":"example","metadata":{"description":"example","name":"example"},"path":{"path":"example","prefix":"example","regex":"example"},"skip_data_guard":{},"suffix_value":"example"}],"ddos_mitigation_rules":[{"block":{},"ddos_client_source":{"asn_list":{"as_numbers":[1]},"country_list":["COUNTRY_NONE"],"ja4_tls_fingerprint_matcher":{"exact_values":["example"]},"tls_fingerprint_matcher":{"classes":["TLS_FINGERPRINT_NONE"],"exact_values":["example"],"excluded_values":["example"]}},"expiration_timestamp":"2026-04-15T12:00:00Z","ip_prefix_list":{"invert_match":true,"ip_prefixes":["example"]},"metadata":{"description":"example","name":"example"}}],"default_cache_action":{"cache_disabled":{},"cache_ttl_default":"example","cache_ttl_override":"example"},"default_sensitive_data_policy":{},"disable_api_definition":{},"disable_api_discovery":{},"disable_client_side_defense":{},"disable_ip_reputation":{},"disable_malicious_user_detection":{},"disable_rate_limit":{},"disable_threat_mesh":{},"disable_waf":{},"domains":["example"],"enable_api_discovery":{"api_crawler":{"api_crawler_config":{"domains":[{"domain":"example","simple_login":{"password":{"blindfold_secret_info":{"decryption_provider":"example","location":"example","store_provider":"example"},"clear_secret_info":{"provider":"example","url":"https://example.com"}},"user":"example"}}]},"disable_api_crawler":{}},"api_discovery_from_code_scan":{"code_base_integrations":[{"all_repos":{},"code_base_integration":{"name":"example","namespace":"example"},"selected_repos":{"api_code_repo":["example"]}}]},"custom_api_auth_discovery":{"api_discovery_ref":{"name":"example","namespace":"example"}},"default_api_auth_discovery":{},"disable_learn_from_redirect_traffic":{},"discovered_api_settings":{"purge_duration_for_inactive_discovered_apis":1},"enable_learn_from_redirect_traffic":{}},"enable_challenge":{"captcha_challenge_parameters":{"cookie_expiry":1,"custom_page":"example"},"default_captcha_challenge_parameters":{},"default_js_challenge_parameters":{},"default_mitigation_settings":{},"js_challenge_parameters":{"cookie_expiry":1,"custom_page":"example","js_script_delay":1},"malicious_user_mitigation":{"name":"example","namespace":"example"}},"enable_ip_reputation":{"ip_threat_categories":["SPAM_SOURCES"]},"enable_malicious_user_detection":{},"enable_threat_mesh":{},"graphql_rules":[{"any_domain":{},"exact_path":"example","exact_value":"example","graphql_settings":{"disable_introspection":{},"enable_introspection":{},"max_batched_queries":1,"max_depth":1,"max_total_length":1},"metadata":{"description":"example","name":"example"},"method_get":{},"method_post":{},"suffix_value":"example"}],"http":{"dns_volterra_managed":true,"port":1,"port_ranges":"example"},"https":{"add_hsts":true,"http_redirect":true,"tls_cert_options":{"tls_cert_params":{"certificates":[{"name":"example","namespace":"example"}],"no_mtls":{},"tls_config":{"custom_security":{"cipher_suites":["example"],"max_version":"TLS_AUTO","min_version":"TLS_AUTO"},"default_security":{},"low_security":{},"medium_security":{}},"use_mtls":{"client_certificate_optional":true,"crl":{"name":"example","namespace":"example"},"no_crl":{},"trusted_ca":{"name":"example","namespace":"example"},"trusted_ca_url":"example","xfcc_disabled":{},"xfcc_options":{"xfcc_header_elements":["XFCC_NONE"]}}},"tls_inline_params":{"no_mtls":{},"tls_certificates":[{"certificate_url":"example","custom_hash_algorithms":{"hash_algorithms":["INVALID_HASH_ALGORITHM"]},"description":"example","disable_ocsp_stapling":{},"private_key":{"blindfold_secret_info":{"decryption_provider":"example","location":"example","store_provider":"example"},"clear_secret_info":{"provider":"example","url":"https://example.com"}},"use_system_defaults":{}}],"tls_config":{"custom_security":{"cipher_suites":["example"],"max_version":"TLS_AUTO","min_version":"TLS_AUTO"},"default_security":{},"low_security":{},"medium_security":{}},"use_mtls":{"client_certificate_optional":true,"crl":{"name":"example","namespace":"example"},"no_crl":{},"trusted_ca":{"name":"example","namespace":"example"},"trusted_ca_url":"example","xfcc_disabled":{},"xfcc_options":{"xfcc_header_elements":["XFCC_NONE"]}}}}},"https_auto_cert":{"add_hsts":true,"http_redirect":true,"tls_config":{"tls_11_plus":{},"tls_12_plus":{}}},"js_challenge":{"cookie_expiry":1,"custom_page":"example","js_script_delay":1},"jwt_validation":{"action":{"block":{},"report":{}},"jwks_config":{"cleartext":"example"},"mandatory_claims":{"claim_names":["example"]},"reserved_claims":{"audience":{"audiences":["example"]},"audience_disable":{},"issuer":"example","issuer_disable":{},"validate_period_disable":{},"validate_period_enable":{}},"target":{"all_endpoint":{},"api_groups":{"api_groups":["example"]},"base_paths":{"base_paths":["example"]}},"token_location":{"bearer_token":{}},"authorization_server":{"authorization_servers":[{"name":"example","namespace":"example"}]}},"l7_ddos_action_block":{},"l7_ddos_action_default":{},"l7_ddos_action_js_challenge":{"cookie_expiry":1,"custom_page":"example","js_script_delay":1},"no_challenge":{},"no_service_policies":{},"origin_pool":{"more_origin_options":{"enable_byte_range_request":true,"websocket_proxy":true},"no_tls":{},"origin_request_timeout":"example","origin_servers":[{"port":1,"public_ip":{"ip":"example"},"public_name":{"dns_name":"example","refresh_interval":1}}],"public_name":{"dns_name":"example","refresh_interval":1},"use_tls":{"default_session_key_caching":{},"disable_session_key_caching":{},"disable_sni":{},"max_session_keys":1,"no_mtls":{},"skip_server_verification":{},"sni":"example","tls_config":{"custom_security":{"cipher_suites":["example"],"max_version":"TLS_AUTO","min_version":"TLS_AUTO"},"default_security":{},"low_security":{},"medium_security":{}},"use_host_header_as_sni":{},"use_mtls":{"tls_certificates":[{"certificate_url":"example","custom_hash_algorithms":{"hash_algorithms":["INVALID_HASH_ALGORITHM"]},"description":"example","disable_ocsp_stapling":{},"private_key":{"blindfold_secret_info":{"decryption_provider":"example","location":"example","store_provider":"example"},"clear_secret_info":{"provider":"example","url":"https://example.com"}},"use_system_defaults":{}}]},"use_mtls_obj":{"name":"example","namespace":"example"},"use_server_verification":{"trusted_ca":{"name":"example","namespace":"example"},"trusted_ca_url":"example"},"volterra_trusted_ca":{}}},"other_settings":{"add_location":true,"header_options":{"request_headers_to_add":[{"append":true,"name":"example","secret_value":{"blindfold_secret_info":{"decryption_provider":"example","location":"example","store_provider":"example"},"clear_secret_info":{"provider":"example","url":"https://example.com"}},"value":"example"}],"request_headers_to_remove":["example"],"response_headers_to_add":[{"append":true,"name":"example","secret_value":{"blindfold_secret_info":{"decryption_provider":"example","location":"example","store_provider":"example"},"clear_secret_info":{"provider":"example","url":"https://example.com"}},"value":"example"}],"response_headers_to_remove":["example"]},"logging_options":{"client_log_options":{"header_list":["example"]},"origin_log_options":{"header_list":["example"]}}},"policy_based_challenge":{"always_enable_captcha_challenge":{},"always_enable_js_challenge":{},"captcha_challenge_parameters":{"cookie_expiry":1,"custom_page":"example"},"default_captcha_challenge_parameters":{},"default_js_challenge_parameters":{},"default_mitigation_settings":{},"default_temporary_blocking_parameters":{},"js_challenge_parameters":{"cookie_expiry":1,"custom_page":"example","js_script_delay":1},"malicious_user_mitigation":{"name":"example","namespace":"example"},"no_challenge":{},"rule_list":{"rules":[{"metadata":{"description":"example","name":"example"},"spec":{"any_asn":{},"any_client":{},"any_ip":{},"arg_matchers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"asn_list":{"as_numbers":[1]},"asn_matcher":{"asn_sets":[{"name":"example","namespace":"example"}]},"body_matcher":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"client_selector":{"expressions":["example"]},"cookie_matchers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"disable_challenge":{},"domain_matcher":{"exact_values":["example"],"regex_values":["example"]},"enable_captcha_challenge":{},"enable_javascript_challenge":{},"expiration_timestamp":"2026-04-15T12:00:00Z","headers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"http_method":{"invert_matcher":true,"methods":["ANY"]},"ip_matcher":{"invert_matcher":true,"prefix_sets":[{"name":"example","namespace":"example"}]},"ip_prefix_list":{"invert_match":true,"ip_prefixes":["example"]},"path":{"exact_values":["example"],"invert_matcher":true,"prefix_values":["example"],"regex_values":["example"],"suffix_values":["example"],"transformers":["LOWER_CASE"]},"query_params":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"key":"example"}],"tls_fingerprint_matcher":{"classes":["TLS_FINGERPRINT_NONE"],"exact_values":["example"],"excluded_values":["example"]}}}]},"temporary_user_blocking":{"custom_page":"example"}},"protected_cookies":[{"add_httponly":{},"add_secure":{},"disable_tampering_protection":{},"enable_tampering_protection":{},"ignore_httponly":{},"ignore_max_age":{},"ignore_samesite":{},"ignore_secure":{},"max_age_value":1,"name":"example","samesite_lax":{},"samesite_none":{},"samesite_strict":{}}],"rate_limit":{"custom_ip_allowed_list":{"rate_limiter_allowed_prefixes":[{"name":"example","namespace":"example"}]},"ip_allowed_list":{"prefixes":["example"]},"no_ip_allowed_list":{},"no_policies":{},"policies":{"policies":[{"name":"example","namespace":"example"}]},"rate_limiter":{"action_block":{"hours":{"duration":1},"minutes":{"duration":1},"seconds":{"duration":1}},"burst_multiplier":1,"disabled":{},"leaky_bucket":{},"period_multiplier":0,"token_bucket":{},"total_number":1,"unit":"SECOND"}},"sensitive_data_policy":{"sensitive_data_policy_ref":{"name":"example","namespace":"example"}},"service_policies_from_namespace":{},"slow_ddos_mitigation":{"disable_request_timeout":{},"request_headers_timeout":1,"request_timeout":1},"system_default_timeouts":{},"trusted_clients":[{"actions":["SKIP_PROCESSING_WAF"],"as_number":1,"bot_skip_processing":{},"expiration_timestamp":"2026-04-15T12:00:00Z","http_header":{"headers":[{"exact":"example","invert_match":true,"name":"example","presence":true,"regex":"example"}]},"ip_prefix":"example","ipv6_prefix":"example","metadata":{"description":"example","name":"example"},"skip_processing":{},"user_identifier":"example","waf_skip_processing":{}}],"user_id_client_ip":{},"user_identification":{"name":"example","namespace":"example"},"waf_exclusion":{"waf_exclusion_inline_rules":{"rules":[{"any_domain":{},"any_path":{},"app_firewall_detection_control":{"exclude_attack_type_contexts":[{"context":"CONTEXT_ANY","context_name":"example","exclude_attack_type":"ATTACK_TYPE_NONE"}],"exclude_bot_name_contexts":[{"bot_name":"example"}],"exclude_signature_contexts":[{"context":"CONTEXT_ANY","context_name":"example","signature_id":1}],"exclude_violation_contexts":[{"context":"CONTEXT_ANY","context_name":"example","exclude_violation":"VIOL_NONE"}]},"exact_value":"example","expiration_timestamp":"2026-04-15T12:00:00Z","metadata":{"description":"example","name":"example"},"methods":["ANY"],"path_prefix":"example","path_regex":"example","suffix_value":"example","waf_skip_processing":{}}]},"waf_exclusion_policy":{"name":"example","namespace":"example"}}}}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/cdn_loadbalancers \ --header 'Authorization: <Authorization>' \ --header 'Content-Type: application/json' \ --data '{ "metadata": { "annotations": {}, "description": "example", "disable": true, "labels": {}, "name": "example", "namespace": "example" }, "spec": { "active_service_policies": { "policies": [ { "name": "example", "namespace": "example" } ] }, "api_rate_limit": { "api_endpoint_rules": [ { "any_domain": {}, "api_endpoint_method": { "invert_matcher": true, "methods": [ "ANY" ] }, "api_endpoint_path": "example", "client_matcher": { "any_client": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "inline_rate_limiter": { "ref_user_id": { "name": "example", "namespace": "example" }, "threshold": 1, "unit": "SECOND", "use_http_lb_user_id": {} }, "ref_rate_limiter": { "name": "example", "namespace": "example" }, "request_matcher": { "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ] }, "specific_domain": "example" } ], "bypass_rate_limiting_rules": { "bypass_rate_limiting_rules": [ { "any_domain": {}, "any_url": {}, "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "api_groups": { "api_groups": [ "example" ] }, "base_path": "example", "client_matcher": { "any_client": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "request_matcher": { "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ] }, "specific_domain": "example" } ] }, "custom_ip_allowed_list": { "rate_limiter_allowed_prefixes": [ { "name": "example", "namespace": "example" } ] }, "ip_allowed_list": { "prefixes": [ "example" ] }, "no_ip_allowed_list": {}, "server_url_rules": [ { "any_domain": {}, "api_group": "example", "base_path": "example", "client_matcher": { "any_client": {}, "any_ip": {}, "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "client_selector": { "expressions": [ "example" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "inline_rate_limiter": { "ref_user_id": { "name": "example", "namespace": "example" }, "threshold": 1, "unit": "SECOND", "use_http_lb_user_id": {} }, "ref_rate_limiter": { "name": "example", "namespace": "example" }, "request_matcher": { "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ] }, "specific_domain": "example" } ] }, "api_specification": { "api_definition": { "name": "example", "namespace": "example" }, "validation_all_spec_endpoints": { "fall_through_mode": { "fall_through_mode_allow": {}, "fall_through_mode_custom": { "open_api_validation_rules": [ { "action_block": {}, "action_report": {}, "action_skip": {}, "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "api_group": "example", "base_path": "example", "metadata": { "description": "example", "name": "example" } } ] } }, "settings": { "oversized_body_fail_validation": {}, "oversized_body_skip_validation": {}, "property_validation_settings_custom": { "queryParameters": { "allow_additional_parameters": {}, "disallow_additional_parameters": {} } }, "property_validation_settings_default": {} }, "validation_mode": { "response_validation_mode_active": { "enforcement_block": {}, "enforcement_report": {}, "response_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] }, "skip_response_validation": {}, "skip_validation": {}, "validation_mode_active": { "enforcement_block": {}, "enforcement_report": {}, "request_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] } } }, "validation_custom_list": { "fall_through_mode": { "fall_through_mode_allow": {}, "fall_through_mode_custom": { "open_api_validation_rules": [ { "action_block": {}, "action_report": {}, "action_skip": {}, "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "api_group": "example", "base_path": "example", "metadata": { "description": "example", "name": "example" } } ] } }, "open_api_validation_rules": [ { "any_domain": {}, "api_endpoint": { "methods": [ "ANY" ], "path": "example" }, "api_group": "example", "base_path": "example", "metadata": { "description": "example", "name": "example" }, "specific_domain": "example", "validation_mode": { "response_validation_mode_active": { "enforcement_block": {}, "enforcement_report": {}, "response_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] }, "skip_response_validation": {}, "skip_validation": {}, "validation_mode_active": { "enforcement_block": {}, "enforcement_report": {}, "request_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] } } } ], "settings": { "oversized_body_fail_validation": {}, "oversized_body_skip_validation": {}, "property_validation_settings_custom": { "queryParameters": { "allow_additional_parameters": {}, "disallow_additional_parameters": {} } }, "property_validation_settings_default": {} } }, "validation_disabled": {} }, "app_firewall": { "name": "example", "namespace": "example" }, "blocked_clients": [ { "actions": [ "SKIP_PROCESSING_WAF" ], "as_number": 1, "bot_skip_processing": {}, "expiration_timestamp": "2026-04-15T12:00:00Z", "http_header": { "headers": [ { "exact": "example", "invert_match": true, "name": "example", "presence": true, "regex": "example" } ] }, "ip_prefix": "example", "ipv6_prefix": "example", "metadata": { "description": "example", "name": "example" }, "skip_processing": {}, "user_identifier": "example", "waf_skip_processing": {} } ], "bot_defense": { "disable_cors_support": {}, "enable_cors_support": {}, "policy": { "disable_js_insert": {}, "disable_mobile_sdk": {}, "javascript_mode": "ASYNC_JS_NO_CACHING", "js_download_path": "example", "js_insert_all_pages": { "javascript_location": "AFTER_HEAD" }, "js_insert_all_pages_except": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ], "javascript_location": "AFTER_HEAD" }, "js_insertion_rules": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ], "rules": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "javascript_location": "AFTER_HEAD", "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ] }, "mobile_sdk_config": { "mobile_identifier": { "headers": [ { "check_not_present": {}, "check_present": {}, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ] } }, "protected_app_endpoints": [ { "allow_good_bots": {}, "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "flow_label": { "account_management": { "create": {}, "password_reset": {} }, "authentication": { "login": { "disable_transaction_result": {}, "transaction_result": { "failure_conditions": [ { "name": "example", "regex_values": [ "example" ], "status": "EmptyStatusCode" } ], "success_conditions": [ { "name": "example", "regex_values": [ "example" ], "status": "EmptyStatusCode" } ] } }, "login_mfa": {}, "login_partner": {}, "logout": {}, "token_refresh": {} }, "financial_services": { "apply": {}, "money_transfer": {} }, "flight": { "checkin": {} }, "profile_management": { "create": {}, "update": {}, "view": {} }, "search": { "flight_search": {}, "product_search": {}, "reservation_search": {}, "room_search": {} }, "shopping_gift_cards": { "gift_card_make_purchase_with_gift_card": {}, "gift_card_validation": {}, "shop_add_to_cart": {}, "shop_checkout": {}, "shop_choose_seat": {}, "shop_enter_drawing_submission": {}, "shop_make_payment": {}, "shop_order": {}, "shop_price_inquiry": {}, "shop_promo_code_validation": {}, "shop_purchase_gift_card": {}, "shop_update_quantity": {} } }, "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "http_methods": [ "METHOD_ANY" ], "metadata": { "description": "example", "name": "example" }, "mitigate_good_bots": {}, "mitigation": { "block": { "body": "example", "status": "EmptyStatusCode" }, "flag": { "append_headers": { "auto_type_header_name": "example", "inference_header_name": "example" }, "no_headers": {} }, "redirect": { "uri": "example" } }, "mobile": {}, "path": { "path": "example", "prefix": "example", "regex": "example" }, "protocol": "BOTH", "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ], "undefined_flow_label": {}, "web": {}, "web_mobile": { "mobile_identifier": "HEADERS" } } ] }, "regional_endpoint": "AUTO", "timeout": 1 }, "captcha_challenge": { "cookie_expiry": 1, "custom_page": "example" }, "client_side_defense": { "policy": { "disable_js_insert": {}, "js_insert_all_pages": {}, "js_insert_all_pages_except": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ] }, "js_insertion_rules": { "exclude_list": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ], "rules": [ { "any_domain": {}, "domain": { "exact_value": "example", "regex_value": "example", "suffix_value": "example" }, "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" } } ] } } }, "cors_policy": { "allow_credentials": true, "allow_headers": "example", "allow_methods": "example", "allow_origin": [ "example" ], "allow_origin_regex": [ "example" ], "disabled": true, "expose_headers": "example", "maximum_age": 1 }, "csrf_policy": { "all_load_balancer_domains": {}, "custom_domain_list": { "domains": [ "example" ] }, "disabled": {} }, "custom_cache_rule": { "cdn_cache_rules": [ { "name": "example", "namespace": "example" } ] }, "data_guard_rules": [ { "any_domain": {}, "apply_data_guard": {}, "exact_value": "example", "metadata": { "description": "example", "name": "example" }, "path": { "path": "example", "prefix": "example", "regex": "example" }, "skip_data_guard": {}, "suffix_value": "example" } ], "ddos_mitigation_rules": [ { "block": {}, "ddos_client_source": { "asn_list": { "as_numbers": [ 1 ] }, "country_list": [ "COUNTRY_NONE" ], "ja4_tls_fingerprint_matcher": { "exact_values": [ "example" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } }, "expiration_timestamp": "2026-04-15T12:00:00Z", "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "metadata": { "description": "example", "name": "example" } } ], "default_cache_action": { "cache_disabled": {}, "cache_ttl_default": "example", "cache_ttl_override": "example" }, "default_sensitive_data_policy": {}, "disable_api_definition": {}, "disable_api_discovery": {}, "disable_client_side_defense": {}, "disable_ip_reputation": {}, "disable_malicious_user_detection": {}, "disable_rate_limit": {}, "disable_threat_mesh": {}, "disable_waf": {}, "domains": [ "example" ], "enable_api_discovery": { "api_crawler": { "api_crawler_config": { "domains": [ { "domain": "example", "simple_login": { "password": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "user": "example" } } ] }, "disable_api_crawler": {} }, "api_discovery_from_code_scan": { "code_base_integrations": [ { "all_repos": {}, "code_base_integration": { "name": "example", "namespace": "example" }, "selected_repos": { "api_code_repo": [ "example" ] } } ] }, "custom_api_auth_discovery": { "api_discovery_ref": { "name": "example", "namespace": "example" } }, "default_api_auth_discovery": {}, "disable_learn_from_redirect_traffic": {}, "discovered_api_settings": { "purge_duration_for_inactive_discovered_apis": 1 }, "enable_learn_from_redirect_traffic": {} }, "enable_challenge": { "captcha_challenge_parameters": { "cookie_expiry": 1, "custom_page": "example" }, "default_captcha_challenge_parameters": {}, "default_js_challenge_parameters": {}, "default_mitigation_settings": {}, "js_challenge_parameters": { "cookie_expiry": 1, "custom_page": "example", "js_script_delay": 1 }, "malicious_user_mitigation": { "name": "example", "namespace": "example" } }, "enable_ip_reputation": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "enable_malicious_user_detection": {}, "enable_threat_mesh": {}, "graphql_rules": [ { "any_domain": {}, "exact_path": "example", "exact_value": "example", "graphql_settings": { "disable_introspection": {}, "enable_introspection": {}, "max_batched_queries": 1, "max_depth": 1, "max_total_length": 1 }, "metadata": { "description": "example", "name": "example" }, "method_get": {}, "method_post": {}, "suffix_value": "example" } ], "http": { "dns_volterra_managed": true, "port": 1, "port_ranges": "example" }, "https": { "add_hsts": true, "http_redirect": true, "tls_cert_options": { "tls_cert_params": { "certificates": [ { "name": "example", "namespace": "example" } ], "no_mtls": {}, "tls_config": { "custom_security": { "cipher_suites": [ "example" ], "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" }, "default_security": {}, "low_security": {}, "medium_security": {} }, "use_mtls": { "client_certificate_optional": true, "crl": { "name": "example", "namespace": "example" }, "no_crl": {}, "trusted_ca": { "name": "example", "namespace": "example" }, "trusted_ca_url": "example", "xfcc_disabled": {}, "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } }, "tls_inline_params": { "no_mtls": {}, "tls_certificates": [ { "certificate_url": "example", "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] }, "description": "example", "disable_ocsp_stapling": {}, "private_key": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "use_system_defaults": {} } ], "tls_config": { "custom_security": { "cipher_suites": [ "example" ], "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" }, "default_security": {}, "low_security": {}, "medium_security": {} }, "use_mtls": { "client_certificate_optional": true, "crl": { "name": "example", "namespace": "example" }, "no_crl": {}, "trusted_ca": { "name": "example", "namespace": "example" }, "trusted_ca_url": "example", "xfcc_disabled": {}, "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } } } }, "https_auto_cert": { "add_hsts": true, "http_redirect": true, "tls_config": { "tls_11_plus": {}, "tls_12_plus": {} } }, "js_challenge": { "cookie_expiry": 1, "custom_page": "example", "js_script_delay": 1 }, "jwt_validation": { "action": { "block": {}, "report": {} }, "jwks_config": { "cleartext": "example" }, "mandatory_claims": { "claim_names": [ "example" ] }, "reserved_claims": { "audience": { "audiences": [ "example" ] }, "audience_disable": {}, "issuer": "example", "issuer_disable": {}, "validate_period_disable": {}, "validate_period_enable": {} }, "target": { "all_endpoint": {}, "api_groups": { "api_groups": [ "example" ] }, "base_paths": { "base_paths": [ "example" ] } }, "token_location": { "bearer_token": {} }, "authorization_server": { "authorization_servers": [ { "name": "example", "namespace": "example" } ] } }, "l7_ddos_action_block": {}, "l7_ddos_action_default": {}, "l7_ddos_action_js_challenge": { "cookie_expiry": 1, "custom_page": "example", "js_script_delay": 1 }, "no_challenge": {}, "no_service_policies": {}, "origin_pool": { "more_origin_options": { "enable_byte_range_request": true, "websocket_proxy": true }, "no_tls": {}, "origin_request_timeout": "example", "origin_servers": [ { "port": 1, "public_ip": { "ip": "example" }, "public_name": { "dns_name": "example", "refresh_interval": 1 } } ], "public_name": { "dns_name": "example", "refresh_interval": 1 }, "use_tls": { "default_session_key_caching": {}, "disable_session_key_caching": {}, "disable_sni": {}, "max_session_keys": 1, "no_mtls": {}, "skip_server_verification": {}, "sni": "example", "tls_config": { "custom_security": { "cipher_suites": [ "example" ], "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" }, "default_security": {}, "low_security": {}, "medium_security": {} }, "use_host_header_as_sni": {}, "use_mtls": { "tls_certificates": [ { "certificate_url": "example", "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] }, "description": "example", "disable_ocsp_stapling": {}, "private_key": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "use_system_defaults": {} } ] }, "use_mtls_obj": { "name": "example", "namespace": "example" }, "use_server_verification": { "trusted_ca": { "name": "example", "namespace": "example" }, "trusted_ca_url": "example" }, "volterra_trusted_ca": {} } }, "other_settings": { "add_location": true, "header_options": { "request_headers_to_add": [ { "append": true, "name": "example", "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "request_headers_to_remove": [ "example" ], "response_headers_to_add": [ { "append": true, "name": "example", "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "response_headers_to_remove": [ "example" ] }, "logging_options": { "client_log_options": { "header_list": [ "example" ] }, "origin_log_options": { "header_list": [ "example" ] } } }, "policy_based_challenge": { "always_enable_captcha_challenge": {}, "always_enable_js_challenge": {}, "captcha_challenge_parameters": { "cookie_expiry": 1, "custom_page": "example" }, "default_captcha_challenge_parameters": {}, "default_js_challenge_parameters": {}, "default_mitigation_settings": {}, "default_temporary_blocking_parameters": {}, "js_challenge_parameters": { "cookie_expiry": 1, "custom_page": "example", "js_script_delay": 1 }, "malicious_user_mitigation": { "name": "example", "namespace": "example" }, "no_challenge": {}, "rule_list": { "rules": [ { "metadata": { "description": "example", "name": "example" }, "spec": { "any_asn": {}, "any_client": {}, "any_ip": {}, "arg_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "body_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "client_selector": { "expressions": [ "example" ] }, "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "disable_challenge": {}, "domain_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ] }, "enable_captcha_challenge": {}, "enable_javascript_challenge": {}, "expiration_timestamp": "2026-04-15T12:00:00Z", "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "http_method": { "invert_matcher": true, "methods": [ "ANY" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "path": { "exact_values": [ "example" ], "invert_matcher": true, "prefix_values": [ "example" ], "regex_values": [ "example" ], "suffix_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ], "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] } } } ] }, "temporary_user_blocking": { "custom_page": "example" } }, "protected_cookies": [ { "add_httponly": {}, "add_secure": {}, "disable_tampering_protection": {}, "enable_tampering_protection": {}, "ignore_httponly": {}, "ignore_max_age": {}, "ignore_samesite": {}, "ignore_secure": {}, "max_age_value": 1, "name": "example", "samesite_lax": {}, "samesite_none": {}, "samesite_strict": {} } ], "rate_limit": { "custom_ip_allowed_list": { "rate_limiter_allowed_prefixes": [ { "name": "example", "namespace": "example" } ] }, "ip_allowed_list": { "prefixes": [ "example" ] }, "no_ip_allowed_list": {}, "no_policies": {}, "policies": { "policies": [ { "name": "example", "namespace": "example" } ] }, "rate_limiter": { "action_block": { "hours": { "duration": 1 }, "minutes": { "duration": 1 }, "seconds": { "duration": 1 } }, "burst_multiplier": 1, "disabled": {}, "leaky_bucket": {}, "period_multiplier": 0, "token_bucket": {}, "total_number": 1, "unit": "SECOND" } }, "sensitive_data_policy": { "sensitive_data_policy_ref": { "name": "example", "namespace": "example" } }, "service_policies_from_namespace": {}, "slow_ddos_mitigation": { "disable_request_timeout": {}, "request_headers_timeout": 1, "request_timeout": 1 }, "system_default_timeouts": {}, "trusted_clients": [ { "actions": [ "SKIP_PROCESSING_WAF" ], "as_number": 1, "bot_skip_processing": {}, "expiration_timestamp": "2026-04-15T12:00:00Z", "http_header": { "headers": [ { "exact": "example", "invert_match": true, "name": "example", "presence": true, "regex": "example" } ] }, "ip_prefix": "example", "ipv6_prefix": "example", "metadata": { "description": "example", "name": "example" }, "skip_processing": {}, "user_identifier": "example", "waf_skip_processing": {} } ], "user_id_client_ip": {}, "user_identification": { "name": "example", "namespace": "example" }, "waf_exclusion": { "waf_exclusion_inline_rules": { "rules": [ { "any_domain": {}, "any_path": {}, "app_firewall_detection_control": { "exclude_attack_type_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "exclude_attack_type": "ATTACK_TYPE_NONE" } ], "exclude_bot_name_contexts": [ { "bot_name": "example" } ], "exclude_signature_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "signature_id": 1 } ], "exclude_violation_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "exclude_violation": "VIOL_NONE" } ] }, "exact_value": "example", "expiration_timestamp": "2026-04-15T12:00:00Z", "metadata": { "description": "example", "name": "example" }, "methods": [ "ANY" ], "path_prefix": "example", "path_regex": "example", "suffix_value": "example", "waf_skip_processing": {} } ] }, "waf_exclusion_policy": { "name": "example", "namespace": "example" } } } }'Shape of the CDN loadbalancer specification.
Authorizations
Section titled “Authorizations”Parameters
Section titled “Parameters”Path Parameters
Section titled “Path Parameters”Namespace This defines the workspace within which each the configuration object is to be created. Must be a DNS_LABEL format. For a namespace object itself, namespace value will be ""
Request Bodyrequired
Section titled “Request Bodyrequired”This is the input message of the ‘Create’ RPC.
object
object
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.
object
Human readable description for the object.
A value of true will administratively disable the object.
Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the user. Values specified here will be used by selector expression.
object
This is the name of configuration object. It has to be unique within the namespace. It can only be specified during create API and cannot be changed during replace API. The value of name has to follow DNS-1035 format. Required: YES.
This defines the workspace within which each the configuration object is to be created. Must be a DNS_LABEL format. For a namespace object itself, namespace value will be ""
object
object
Service Policies is a sequential engine where policies (and rules within the policy) are evaluated one after the other. It’s important to define the correct order (policies evaluated from top to bottom in the list) for service policies, to GET the intended result. For each request, its characteristics are evaluated based on the match criteria in each service policy starting at the top. If there is a match in the current policy, then the policy takes effect, and no more policies are evaluated. Otherwise, the next policy is evaluated. If all policies are evaluated and none match, then the request will be denied by default.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
Sets of rules for a specific endpoints. Order is matter as it uses first match policy. For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.
object
object
object
Invert the match result.
List of methods values to match against.
The endpoint (path) of the request. Required: YES.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.
object
object
object
object
Methods to be matched.
Path to be matched Required: YES.
object
Required: YES.
Exclusive with [any_url api_endpoint api_groups] The base path which this validation applies to.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain. For example: api.example.com.
object
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
List of IPv4 prefixes that represent an endpoint.
object
Set of rules for entire domain or base path that contain multiple endpoints. Order is matter as it uses first match policy. For matching also specific endpoints you can use the API endpoint rules set bellow.
object
object
API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with “x-F5 Distributed Cloud-API-group” extensions inside swaggers.
Prefix of the request path. Required: YES.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
object
Required: YES.
Fall Through Rule for a specific endpoint, base-path, or API group.
object
object
object
object
object
Methods to be matched.
Path to be matched Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
object
object
object
object
object
object
object
object
object
List of properties of the response to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
List of properties of the request to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
Required: YES.
Fall Through Rule for a specific endpoint, base-path, or API group.
object
object
object
object
object
Methods to be matched.
Path to be matched Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Required: YES.
OpenAPI Validation Rule for a specific endpoint, base-path, or API group.
object
object
object
Methods to be matched.
Path to be matched Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
object
object
object
List of properties of the response to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
List of properties of the request to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
object
object
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Define rules to block IP Prefixes or AS numbers.
Simple client source rule specifies the sources to be blocked or trusted (skip WAF)
object
Actions that should be taken when client identifier matches the rule.
Exclusive with [http_header ip_prefix ipv6_prefix user_identifier] RFC 6793 defined 4-byte AS number.
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
List of HTTP header name and value pairs
Required: YES.
Header match is done using the name of the header and its value. The value match is done using one of the following regex match on value exact match of value presence of header
Header Match can also be inverse of above, which be used to check missing header or non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
Exclusive with [as_number http_header ipv6_prefix user_identifier] IPv4 prefix string.
Exclusive with [as_number http_header ip_prefix user_identifier] IPv6 prefix string.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [as_number http_header ip_prefix ipv6_prefix] Identify user based on user identifier. User identifier value needs to be copied from security event.
object
object
object
object
object
object
object
Customize Bot Defense Client JavaScript path. If not specified, default /common.js
object
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
Required list of pages to insert Bot Defense client JavaScript.
Required: YES.
This defines a rule for Bot Defense JavaScript insertion.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
object
Headers that can be used to identify mobile traffic.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
List of protected endpoints. Limit: Approx ‘128 endpoints per Load Balancer (LB)’ upto 4 LBs, ‘32 endpoints per LB’ after 4 LBs.
Required: YES.
Application Endpoint.
object
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
object
object
object
object
object
object
object
Failure Conditions.
Bot Defense Transaction Result Condition.
object
A case-insensitive HTTP header name.
A list of regular expressions to match the input against.
Success Conditions.
Bot Defense Transaction Result Condition.
object
A case-insensitive HTTP header name.
A list of regular expressions to match the input against.
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
List of HTTP methods.
Required: YES.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
Custom body message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Your request was blocked” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Your request was blocked
”. Base64 encoded string for this HTML is “LzxwPiBZb3VyIHJlcXVlc3Qgd2FzIGJsb2NrZWQgPC9wPg==”object
object
A case-insensitive HTTP header name. Required: YES.
A case-insensitive HTTP header name. Required: YES.
object
object
URI location for redirect may be relative or absolute. Required: YES.
object
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
object
object
object
The timeout for the inference check, in milliseconds.
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”object
object
object
object
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
Required list of pages to insert Client-Side Defense client JavaScript.
Required: YES.
This defines a rule for Client-Side Defense JavaScript insertion.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Specifies whether the resource allows credentials.
Specifies the content for the access-control-allow-headers header.
Specifies the content for the access-control-allow-methods header.
Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.
Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match.
Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.
Specifies the content for the access-control-expose-headers header.
Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours)
object
object
object
A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form. Required: YES.
object
object
Reference to CDN Cache Rule configuration object.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Data Guard prevents responses from exposing sensitive information by masking the data. The system masks credit card numbers and social security numbers leaked from the application from within the HTTP response with a string of asterisks (*). Note: App Firewall should be enabled, to use Data Guard feature.
Simple Data Guard rule specifies a simple set of match conditions to enable data guard protection.
object
object
object
Exclusive with [any_domain suffix_value] Exact domain name.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
Define manual mitigation rules to block L7 DDoS attacks.
DDoS Mitigation Rule specifies the sources to be blocked.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
Sources that are located in one of the countries in the given list.
object
A list of exact JA4 TLS fingerprint to match the input JA4 TLS fingerprint against.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
Invert the match result.
List of IPv4 prefix strings.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
Exclusive with [cache_disabled cache_ttl_override] Use Cache TTL Provided by Origin, and set a contigency TTL value in case one is not provided.
Exclusive with [cache_disabled cache_ttl_default] Always override the Cahce TTL provided by Origin.
object
object
object
object
object
object
object
object
object
A list of fully qualified domain names. The CDN Distribution will be setup for these FQDN name(s). [This can be a domain or a sub-domain] Required: YES.
object
object
object
Enter domains and their credentials to allow authenticated API crawling. You can only include domains you own that are associated with this Load Balancer.
Required: YES.
The DomainConfiguration message.
object
Select the domain to execute API Crawling with given credentials.
Required: YES.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
Enter the username to assign credentials for the selected domain to crawl.
object
object
Required: YES.
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
Code repository which contain API endpoints
Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Inactive discovered API will be deleted after configured duration.
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Delay introduced by Javascript, in milliseconds.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
If the source IP matches on atleast one of the enabled IP threat categories, the request will be denied.
Required: YES.
object
object
GraphQL is a query language and server-side runtime for APIs which provides a complete and understandable description of the data in API. GraphQL gives clients the power to ask for exactly what they need, makes it easier to evolve APIs over time, and enables powerful developer tools. Policy configuration to analyze GraphQL queries and prevent GraphQL tailored attacks.
This section defines various configuration OPTIONS for GraphQL inspection.
object
object
Specifies the exact path to GraphQL endpoint. Default value is /graphql. Required: YES.
Exclusive with [any_domain suffix_value] Exact domain name.
object
object
object
Specify maximum number of queries in a single batched request. Required: YES.
Specify maximum depth for the GraphQL query. Required: YES.
Specify maximum length in bytes for the GraphQL query. Required: YES.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
DNS records for domains will be managed automatically by F5 Distributed Cloud. As a prerequisite, the domain must be delegated to F5 Distributed Cloud using Delegated domain feature or a DNS CNAME record should be created in your DNS provider’s portal.
Exclusive with [port_ranges] HTTP port to Listen.
Exclusive with [port] A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ”-”.
object
Add HTTP Strict-Transport-Security response header.
Redirect HTTP traffic to HTTPS.
object
object
Select one or more certificates with any domain names.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.
object
object
X-Forwarded-Client-Cert header elements to be added to requests
Required: YES.
object
object
Users can add one or more certificates that share the same set of domains. For example, domain.com and *.domain.com - but use different signature algorithms
Required: YES.
Handle to fetch certificate and key.
object
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.
object
Ordered list of hash algorithms to be used.
Required: YES.
Description for the certificate.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
object
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.
object
object
X-Forwarded-Client-Cert header elements to be added to requests
Required: YES.
object
Add HTTP Strict-Transport-Security response header.
Redirect HTTP traffic to HTTPS.
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Delay introduced by Javascript, in milliseconds.
object
object
object
object
object
The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.
object
Human-readable name for the resource
object
object
Required: YES.
object
Exclusive with [issuer_disable]
object
object
object
object
object
object
Required: YES.
object
Required: YES.
object
object
object
Authorization Servers are configured separately in the ‘Shared Objects’ section of the Web App & API Protection workspace and used to fetch JWKS for JWT validation.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Delay introduced by Javascript, in milliseconds.
object
object
object
object
Choice to enable/disable byte range requests towards origin.
Option to enable proxying of websocket connections to the origin server.
object
Configures the time after which a request to the origin will time out waiting for a response.
List of original servers
Required: YES.
Various OPTIONS to specify origin server.
object
Port the workload can be reached on.
object
Exclusive with [] Public IPv4 address.
object
DNS Name Required: YES.
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/HTML/rfc8767.
object
DNS Name Required: YES.
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/HTML/rfc8767.
object
object
object
object
Exclusive with [default_session_key_caching disable_session_key_caching]
Number of session keys that are cached.
object
object
Exclusive with [disable_sni use_host_header_as_sni] SNI value to be used.
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
object
MTLS Client Certificate
Required: YES.
Handle to fetch certificate and key.
object
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.
object
Ordered list of hash algorithms to be used.
Required: YES.
Description for the certificate.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Origin Pool for verification of server’s certificate.
object
object
X-example: true
Appends header x-F5 Distributed Cloud-location =
object
Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied.
HTTP header is a key-value pair. The name acts as key of HTTP header The value acts as the data/value of HTTP header Example HTTP header Host: user.F5 Distributed cloud.com In the above example, Host is the name or key of HTTP header In the above example, user.F5 Distributed cloud.com is the value of HTTP header.
object
Should the value be appended? If true, the value is appended to existing values. Default value is do not append.
Name of the HTTP header. Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the HTTP header.
List of keys of Headers to be removed from the HTTP request being sent towards upstream.
Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied.
HTTP header is a key-value pair. The name acts as key of HTTP header The value acts as the data/value of HTTP header Example HTTP header Host: user.F5 Distributed cloud.com In the above example, Host is the name or key of HTTP header In the above example, user.F5 Distributed cloud.com is the value of HTTP header.
object
Should the value be appended? If true, the value is appended to existing values. Default value is do not append.
Name of the HTTP header. Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the HTTP header.
List of keys of Headers to be removed from the HTTP response being sent towards downstream.
object
object
List of headers.
object
List of headers.
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”object
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Delay introduced by Javascript, in milliseconds.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
Rules that specify the match conditions and challenge type to be launched. When a challenge type is selected to be always enabled, these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions.
Challenge rule.
object
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
object
A list of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name. Note that all specified arg matcher predicates must evaluate to true.
A argument matcher specifies the name of a single argument in the body and the criteria to match it. A argument matcher can check for one of the following:
- Presence or absence of the argument
- At least one of the values for the argument in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive JSON path in the HTTP request body. Required: YES.
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
object
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
object
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
object
Invert the match result.
List of methods values to match against.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
A list of exact path values to match the input HTTP path against.
Invert the match result.
A list of path prefix values to match the input HTTP path against.
A list of regular expressions to match the input HTTP path against.
A list of path suffix values to match the input HTTP path against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
Custom message is of type uri_ref. Currently supported URL schemes is string:///.
For string:/// scheme, message needs to be encoded in Base64 format.
You can specify this message as base64 encoded plain text message e.g. “Blocked..”
or it can be HTML paragraph or a body string encoded as base64 string
E.g. ”
Blocked
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Allows setting attributes (SameSite, Secure, and HttpOnly) on cookies in responses. Cookie Tampering Protection prevents attackers from modifying the value of session cookies. For Cookie Tampering Protection, enabling a web app firewall (WAF) is a prerequisite. The configured mode of WAF (monitoring or blocking) will be enforced on the request when cookie tampering is identified. Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.
Set Cookie protection attributes.
object
object
object
object
object
object
object
object
object
Exclusive with [ignore_max_age] Add max age attribute.
Name of the Cookie Required: YES.
object
object
object
object
object
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
List of IPv4 prefixes that represent an endpoint.
object
object
object
Ordered list of rate limiter policies.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Configuration parameter for duration
object
Configuration parameter for duration
object
Configuration parameter for duration
The maximum burst of requests to accommodate, expressed as a multiple of the rate.
object
object
This setting, combined with Per Period units, provides a duration.
object
The total number of allowed requests per rate-limiting period. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
The amount of time the client has to send only the headers on the request stream before the stream is cancelled. The default value is 10000 milliseconds. This setting provides protection against Slowloris attacks.
Exclusive with [disable_request_timeout]
object
Define rules to skip processing of one or more features such as WAF, Bot Defense etc. For clients.
Simple client source rule specifies the sources to be blocked or trusted (skip WAF)
object
Actions that should be taken when client identifier matches the rule.
Exclusive with [http_header ip_prefix ipv6_prefix user_identifier] RFC 6793 defined 4-byte AS number.
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
List of HTTP header name and value pairs
Required: YES.
Header match is done using the name of the header and its value. The value match is done using one of the following regex match on value exact match of value presence of header
Header Match can also be inverse of above, which be used to check missing header or non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
Exclusive with [as_number http_header ipv6_prefix user_identifier] IPv4 prefix string.
Exclusive with [as_number http_header ip_prefix user_identifier] IPv6 prefix string.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [as_number http_header ip_prefix ipv6_prefix] Identify user based on user identifier. User identifier value needs to be copied from security event.
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
An ordered list of WAF Exclusions specific to this Load Balancer.
Simple WAF exclusion rule specifies a simple set of match conditions to be matched to skip a list of WAF detections.
object
object
object
object
Attack Types to be excluded for the defined match criteria.
App Firewall Attack Type context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
Bot Names to be excluded for the defined match criteria.
Specifies bot to be excluded by its name.
object
Required: YES.
Signature IDs to be excluded for the defined match criteria.
App Firewall signature context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
The allowed values for signature ID are 0 and in the range of 200000001-299999999. 0 implies that all signatures will be excluded for the specified context. Required: YES.
Violations to be excluded for the defined match criteria.
App Firewall violation context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
Exclusive with [any_domain suffix_value] Exact domain name.
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Methods to be matched.
Exclusive with [any_path path_regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [any_path path_prefix] Define the regex for the path. For example, the regex ^/.*$ will match on all paths.
Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Responses
Section titled “Responses”A successful response.
object
object
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.
object
Human readable description for the object.
A value of true will administratively disable the object.
Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the user. Values specified here will be used by selector expression.
object
This is the name of configuration object. It has to be unique within the namespace. It can only be specified during create API and cannot be changed during replace API. The value of name has to follow DNS-1035 format. Required: YES.
This defines the workspace within which each the configuration object is to be created. Must be a DNS_LABEL format. For a namespace object itself, namespace value will be ""
object
object
Service Policies is a sequential engine where policies (and rules within the policy) are evaluated one after the other. It’s important to define the correct order (policies evaluated from top to bottom in the list) for service policies, to GET the intended result. For each request, its characteristics are evaluated based on the match criteria in each service policy starting at the top. If there is a match in the current policy, then the policy takes effect, and no more policies are evaluated. Otherwise, the next policy is evaluated. If all policies are evaluated and none match, then the request will be denied by default.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
Sets of rules for a specific endpoints. Order is matter as it uses first match policy. For creating rule that contain a whole domain or group of endpoints, please use the server URL rules above.
object
object
object
Invert the match result.
List of methods values to match against.
The endpoint (path) of the request. Required: YES.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
This category defines rules per URL or API group. If request matches any of these rules, skip Rate Limiting.
object
object
object
object
Methods to be matched.
Path to be matched Required: YES.
object
Required: YES.
Exclusive with [any_url api_endpoint api_groups] The base path which this validation applies to.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain. For example: api.example.com.
object
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
List of IPv4 prefixes that represent an endpoint.
object
Set of rules for entire domain or base path that contain multiple endpoints. Order is matter as it uses first match policy. For matching also specific endpoints you can use the API endpoint rules set bellow.
object
object
API groups derived from API Definition swaggers. For example oas-all-operations including all paths and methods from the swaggers, oas-base-URLs covering all requests under base-paths from the swaggers. Custom groups can be created if user tags paths or operations with “x-F5 Distributed Cloud-API-group” extensions inside swaggers.
Prefix of the request path. Required: YES.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions
Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
The total number of allowed requests for 1 unit (e.g. SECOND/MINUTE/HOUR etc.) of the specified period. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
object
Required: YES.
Fall Through Rule for a specific endpoint, base-path, or API group.
object
object
object
object
object
Methods to be matched.
Path to be matched Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
object
object
object
object
object
object
object
object
object
List of properties of the response to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
List of properties of the request to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
Required: YES.
Fall Through Rule for a specific endpoint, base-path, or API group.
object
object
object
object
object
Methods to be matched.
Path to be matched Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Required: YES.
OpenAPI Validation Rule for a specific endpoint, base-path, or API group.
object
object
object
Methods to be matched.
Path to be matched Required: YES.
Exclusive with [api_endpoint base_path] The API group which this validation applies to.
Exclusive with [api_endpoint api_group] The base path which this validation applies to.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Exclusive with [any_domain] The rule will apply for a specific domain.
object
object
object
object
List of properties of the response to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
List of properties of the request to validate according to the OpenAPI specification file (a.k.a. Swagger)
Required: YES.
object
object
object
object
object
object
object
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
Auto certificate expiry timestamp.
Issuer of the auto certificate.
Subject of the auto certificate.
DNS Records that are to be added by user in their DNS domain. Currently, this will be populated when auto certificates are desired but DNS delegation is not enabled.
Defines a DNS record.
object
Name of the DNS record.
Type of the DNS record.
DNS record Value.
Define rules to block IP Prefixes or AS numbers.
Simple client source rule specifies the sources to be blocked or trusted (skip WAF)
object
Actions that should be taken when client identifier matches the rule.
Exclusive with [http_header ip_prefix ipv6_prefix user_identifier] RFC 6793 defined 4-byte AS number.
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
List of HTTP header name and value pairs
Required: YES.
Header match is done using the name of the header and its value. The value match is done using one of the following regex match on value exact match of value presence of header
Header Match can also be inverse of above, which be used to check missing header or non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
Exclusive with [as_number http_header ipv6_prefix user_identifier] IPv4 prefix string.
Exclusive with [as_number http_header ip_prefix user_identifier] IPv6 prefix string.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [as_number http_header ip_prefix ipv6_prefix] Identify user based on user identifier. User identifier value needs to be copied from security event.
object
object
object
object
object
object
object
Customize Bot Defense Client JavaScript path. If not specified, default /common.js
object
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
Required list of pages to insert Bot Defense client JavaScript.
Required: YES.
This defines a rule for Bot Defense JavaScript insertion.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
object
Headers that can be used to identify mobile traffic.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
List of protected endpoints. Limit: Approx ‘128 endpoints per Load Balancer (LB)’ upto 4 LBs, ‘32 endpoints per LB’ after 4 LBs.
Required: YES.
Application Endpoint.
object
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
object
object
object
object
object
object
object
Failure Conditions.
Bot Defense Transaction Result Condition.
object
A case-insensitive HTTP header name.
A list of regular expressions to match the input against.
Success Conditions.
Bot Defense Transaction Result Condition.
object
A case-insensitive HTTP header name.
A list of regular expressions to match the input against.
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
object
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
List of HTTP methods.
Required: YES.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
Custom body message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Your request was blocked” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Your request was blocked
”. Base64 encoded string for this HTML is “LzxwPiBZb3VyIHJlcXVlc3Qgd2FzIGJsb2NrZWQgPC9wPg==”object
object
A case-insensitive HTTP header name. Required: YES.
A case-insensitive HTTP header name. Required: YES.
object
object
URI location for redirect may be relative or absolute. Required: YES.
object
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
object
object
object
The timeout for the inference check, in milliseconds.
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”object
object
object
object
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Optional JavaScript insertions exclude list of domain and path matchers.
Define JavaScript insertion exclusion rule.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
Required list of pages to insert Client-Side Defense client JavaScript.
Required: YES.
This defines a rule for Client-Side Defense JavaScript insertion.
object
object
object
Exclusive with [regex_value suffix_value] Exact domain name.
Exclusive with [exact_value suffix_value] Regular Expression value for the domain name.
Exclusive with [exact_value regex_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Specifies whether the resource allows credentials.
Specifies the content for the access-control-allow-headers header.
Specifies the content for the access-control-allow-methods header.
Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.
Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match.
Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.
Specifies the content for the access-control-expose-headers header.
Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours)
object
object
object
A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form. Required: YES.
object
object
Reference to CDN Cache Rule configuration object.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Data Guard prevents responses from exposing sensitive information by masking the data. The system masks credit card numbers and social security numbers leaked from the application from within the HTTP response with a string of asterisks (*). Note: App Firewall should be enabled, to use Data Guard feature.
Simple Data Guard rule specifies a simple set of match conditions to enable data guard protection.
object
object
object
Exclusive with [any_domain suffix_value] Exact domain name.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [prefix regex] Exact path value to match.
Exclusive with [path regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [path prefix] Regular expression of path match (e.g. The value .* will match on all paths)
object
Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
Define manual mitigation rules to block L7 DDoS attacks.
DDoS Mitigation Rule specifies the sources to be blocked.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
Sources that are located in one of the countries in the given list.
object
A list of exact JA4 TLS fingerprint to match the input JA4 TLS fingerprint against.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
Invert the match result.
List of IPv4 prefix strings.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
Exclusive with [cache_disabled cache_ttl_override] Use Cache TTL Provided by Origin, and set a contigency TTL value in case one is not provided.
Exclusive with [cache_disabled cache_ttl_default] Always override the Cahce TTL provided by Origin.
object
object
object
object
object
object
object
object
object
DNS information for this virtual host.
A message that contains DNS information for a given IP address.
object
IP address associated with virtual host.
A list of fully qualified domain names. The CDN Distribution will be setup for these FQDN name(s). [This can be a domain or a sub-domain] Required: YES.
object
object
object
Enter domains and their credentials to allow authenticated API crawling. You can only include domains you own that are associated with this Load Balancer.
Required: YES.
The DomainConfiguration message.
object
Select the domain to execute API Crawling with given credentials.
Required: YES.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
Enter the username to assign credentials for the selected domain to crawl.
object
object
Required: YES.
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
Code repository which contain API endpoints
Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Inactive discovered API will be deleted after configured duration.
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Delay introduced by Javascript, in milliseconds.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
If the source IP matches on atleast one of the enabled IP threat categories, the request will be denied.
Required: YES.
object
object
GraphQL is a query language and server-side runtime for APIs which provides a complete and understandable description of the data in API. GraphQL gives clients the power to ask for exactly what they need, makes it easier to evolve APIs over time, and enables powerful developer tools. Policy configuration to analyze GraphQL queries and prevent GraphQL tailored attacks.
This section defines various configuration OPTIONS for GraphQL inspection.
object
object
Specifies the exact path to GraphQL endpoint. Default value is /graphql. Required: YES.
Exclusive with [any_domain suffix_value] Exact domain name.
object
object
object
Specify maximum number of queries in a single batched request. Required: YES.
Specify maximum depth for the GraphQL query. Required: YES.
Specify maximum length in bytes for the GraphQL query. Required: YES.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
Internally generated host name to be used for the virtual host.
object
DNS records for domains will be managed automatically by F5 Distributed Cloud. As a prerequisite, the domain must be delegated to F5 Distributed Cloud using Delegated domain feature or a DNS CNAME record should be created in your DNS provider’s portal.
Exclusive with [port_ranges] HTTP port to Listen.
Exclusive with [port] A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ”-”.
object
Add HTTP Strict-Transport-Security response header.
Redirect HTTP traffic to HTTPS.
object
object
Select one or more certificates with any domain names.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.
object
object
X-Forwarded-Client-Cert header elements to be added to requests
Required: YES.
object
object
Users can add one or more certificates that share the same set of domains. For example, domain.com and *.domain.com - but use different signature algorithms
Required: YES.
Handle to fetch certificate and key.
object
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.
object
Ordered list of hash algorithms to be used.
Required: YES.
Description for the certificate.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
object
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certification verification fails, the connection will be terminated. If the client does not provide a certificate, the connection will be accepted.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Load Balancer.
object
object
X-Forwarded-Client-Cert header elements to be added to requests
Required: YES.
object
Add HTTP Strict-Transport-Security response header.
Redirect HTTP traffic to HTTPS.
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Delay introduced by Javascript, in milliseconds.
object
object
object
object
object
The JSON Web Key Set (JWKS) is a set of keys used to verify JSON Web Token (JWT) issued by the Authorization Server. See RFC 7517 for more details.
object
Human-readable name for the resource
object
object
Required: YES.
object
Exclusive with [issuer_disable]
object
object
object
object
object
object
Required: YES.
object
Required: YES.
object
object
object
Authorization Servers are configured separately in the ‘Shared Objects’ section of the Web App & API Protection workspace and used to fetch JWKS for JWT validation.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Delay introduced by Javascript, in milliseconds.
object
object
object
object
Choice to enable/disable byte range requests towards origin.
Option to enable proxying of websocket connections to the origin server.
object
Configures the time after which a request to the origin will time out waiting for a response.
List of original servers
Required: YES.
Various OPTIONS to specify origin server.
object
Port the workload can be reached on.
object
Exclusive with [] Public IPv4 address.
object
DNS Name Required: YES.
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/HTML/rfc8767.
object
DNS Name Required: YES.
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/HTML/rfc8767.
object
object
object
object
Exclusive with [default_session_key_caching disable_session_key_caching]
Number of session keys that are cached.
object
object
Exclusive with [disable_sni use_host_header_as_sni] SNI value to be used.
object
object
The TLS listener will only support the specified cipher list. Required: YES.
object
object
object
object
object
MTLS Client Certificate
Required: YES.
Handle to fetch certificate and key.
object
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.
object
Ordered list of hash algorithms to be used.
Required: YES.
Description for the certificate.
object
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Exclusive with [trusted_ca] Upload a Root CA Certificate specifically for this Origin Pool for verification of server’s certificate.
object
object
X-example: true
Appends header x-F5 Distributed Cloud-location =
object
Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied.
HTTP header is a key-value pair. The name acts as key of HTTP header The value acts as the data/value of HTTP header Example HTTP header Host: user.F5 Distributed cloud.com In the above example, Host is the name or key of HTTP header In the above example, user.F5 Distributed cloud.com is the value of HTTP header.
object
Should the value be appended? If true, the value is appended to existing values. Default value is do not append.
Name of the HTTP header. Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the HTTP header.
List of keys of Headers to be removed from the HTTP request being sent towards upstream.
Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied.
HTTP header is a key-value pair. The name acts as key of HTTP header The value acts as the data/value of HTTP header Example HTTP header Host: user.F5 Distributed cloud.com In the above example, Host is the name or key of HTTP header In the above example, user.F5 Distributed cloud.com is the value of HTTP header.
object
Should the value be appended? If true, the value is appended to existing values. Default value is do not append.
Name of the HTTP header. Required: YES.
object
object
Name of the Secret Management Access object that contains information about the backend Secret Management service.
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
object
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.
Exclusive with [secret_value] Value of the HTTP header.
List of keys of Headers to be removed from the HTTP response being sent towards downstream.
object
object
List of headers.
object
List of headers.
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”object
object
object
object
object
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.
Custom message is of type uri_ref. Currently supported URL schemes is string:///. For string:/// scheme, message needs to be encoded in Base64 format. You can specify this message as base64 encoded plain text message e.g. “Please Wait..” or it can be HTML paragraph or a body string encoded as base64 string E.g. ”
Please Wait
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Delay introduced by Javascript, in milliseconds.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
Rules that specify the match conditions and challenge type to be launched. When a challenge type is selected to be always enabled, these rules can be used to disable challenge or launch a different challenge for requests that match the specified conditions.
Challenge rule.
object
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
object
A list of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name. Note that all specified arg matcher predicates must evaluate to true.
A argument matcher specifies the name of a single argument in the body and the criteria to match it. A argument matcher can check for one of the following:
- Presence or absence of the argument
- At least one of the values for the argument in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive JSON path in the HTTP request body. Required: YES.
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
object
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
object
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
object
Invert the match result.
List of methods values to match against.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
A list of exact path values to match the input HTTP path against.
Invert the match result.
A list of path prefix values to match the input HTTP path against.
A list of regular expressions to match the input HTTP path against.
A list of path suffix values to match the input HTTP path against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
Custom message is of type uri_ref. Currently supported URL schemes is string:///.
For string:/// scheme, message needs to be encoded in Base64 format.
You can specify this message as base64 encoded plain text message e.g. “Blocked..”
or it can be HTML paragraph or a body string encoded as base64 string
E.g. ”
Blocked
”. Base64 encoded string for this HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”Allows setting attributes (SameSite, Secure, and HttpOnly) on cookies in responses. Cookie Tampering Protection prevents attackers from modifying the value of session cookies. For Cookie Tampering Protection, enabling a web app firewall (WAF) is a prerequisite. The configured mode of WAF (monitoring or blocking) will be enforced on the request when cookie tampering is identified. Note: We recommend enabling Secure and HttpOnly attributes along with cookie tampering protection.
Set Cookie protection attributes.
object
object
object
object
object
object
object
object
object
Exclusive with [ignore_max_age] Add max age attribute.
Name of the Cookie Required: YES.
object
object
object
object
object
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
List of IPv4 prefixes that represent an endpoint.
object
object
object
Ordered list of rate limiter policies.
Required: YES.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
Configuration parameter for duration
object
Configuration parameter for duration
object
Configuration parameter for duration
The maximum burst of requests to accommodate, expressed as a multiple of the rate.
object
object
This setting, combined with Per Period units, provides a duration.
object
The total number of allowed requests per rate-limiting period. Required: YES.
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
CNAME provided from service per domain.
object
Domain Name.
Service Domain.
object
object
object
The amount of time the client has to send only the headers on the request stream before the stream is cancelled. The default value is 10000 milliseconds. This setting provides protection against Slowloris attacks.
Exclusive with [disable_request_timeout]
object
Define rules to skip processing of one or more features such as WAF, Bot Defense etc. For clients.
Simple client source rule specifies the sources to be blocked or trusted (skip WAF)
object
Actions that should be taken when client identifier matches the rule.
Exclusive with [http_header ip_prefix ipv6_prefix user_identifier] RFC 6793 defined 4-byte AS number.
object
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
List of HTTP header name and value pairs
Required: YES.
Header match is done using the name of the header and its value. The value match is done using one of the following regex match on value exact match of value presence of header
Header Match can also be inverse of above, which be used to check missing header or non-matching value.
object
Exclusive with [presence regex] Header value to match exactly.
Invert the result of the match to detect missing header or non-matching value.
Name of the header Required: YES.
Exclusive with [exact regex] If true, check for presence of header.
Exclusive with [exact presence] Regex match of the header value in re2 format.
Exclusive with [as_number http_header ipv6_prefix user_identifier] IPv4 prefix string.
Exclusive with [as_number http_header ip_prefix user_identifier] IPv6 prefix string.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
Exclusive with [as_number http_header ip_prefix ipv6_prefix] Identify user based on user identifier. User identifier value needs to be copied from security event.
object
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
An ordered list of WAF Exclusions specific to this Load Balancer.
Simple WAF exclusion rule specifies a simple set of match conditions to be matched to skip a list of WAF detections.
object
object
object
object
Attack Types to be excluded for the defined match criteria.
App Firewall Attack Type context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
Bot Names to be excluded for the defined match criteria.
Specifies bot to be excluded by its name.
object
Required: YES.
Signature IDs to be excluded for the defined match criteria.
App Firewall signature context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
The allowed values for signature ID are 0 and in the range of 200000001-299999999. 0 implies that all signatures will be excluded for the specified context. Required: YES.
Violations to be excluded for the defined match criteria.
App Firewall violation context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
Exclusive with [any_domain suffix_value] Exact domain name.
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
Methods to be matched.
Exclusive with [any_path path_regex] Path prefix to match (e.g. The value / will match on all paths)
Exclusive with [any_path path_prefix] Define the regex for the path. For example, the regex ^/.*$ will match on all paths.
Exclusive with [any_domain exact_value] Suffix of domain name e.g “xyz.com” will match “*.xyz.com” and “xyz.com”
object
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
A value identifying the class of the user or service which created this configuration object.
A value identifying the exact user or service that created this configuration object.
DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
Populated by the system when a graceful deletion is requested. Read-only.
Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.
object
Pending is a list of initializers that must execute in order before this object is initialized. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients.
Initializer is information about an initializer that has not yet completed.
object
Name of the service that is responsible for initializing this object.
object
Suggested HTTP return code for this status, 0 if not set.
A human-readable description of why this operation is in the “Failure” status. If this value is empty there is no information available.
Status of the operation. One of: “Success” or “Failure”.
Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the operator or software. Values here can be interpreted by software(backend or frontend) to enable certain behavior e.g. Things marked as soft-deleted(restorable).
object
ModificationTimestamp is a timestamp representing the server time when this object was last modified.
Unique index for the object. Some objects need a unique integer index to be allocated for each object type. This field will be populated for all objects that need it and will be zero otherwise.
object
Kind of the view object.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
UID of the view object.
Tenant to which this configuration object belongs to. The value for this is found from presented credentials.
Uid is the unique in time and space value for this object. It is generated by the server on successful creation of an object and is not allowed to change on Replace API. The value of is taken from uid field of ObjectMetaType, if provided.
Example
{ "spec": { "api_rate_limit": { "api_endpoint_rules": [ { "api_endpoint_method": { "methods": [ "ANY" ] }, "client_matcher": { "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } }, "inline_rate_limiter": { "unit": "SECOND" }, "request_matcher": { "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "jwt_claims": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } } ], "bypass_rate_limiting_rules": { "bypass_rate_limiting_rules": [ { "api_endpoint": { "methods": [ "ANY" ] }, "client_matcher": { "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } }, "request_matcher": { "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "jwt_claims": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } } ] }, "server_url_rules": [ { "client_matcher": { "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } }, "inline_rate_limiter": { "unit": "SECOND" }, "request_matcher": { "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "jwt_claims": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } } ] }, "api_specification": { "validation_all_spec_endpoints": { "fall_through_mode": { "fall_through_mode_custom": { "open_api_validation_rules": [ { "api_endpoint": { "methods": [ "ANY" ] } } ] } }, "validation_mode": { "response_validation_mode_active": { "response_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] }, "validation_mode_active": { "request_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] } } }, "validation_custom_list": { "fall_through_mode": { "fall_through_mode_custom": { "open_api_validation_rules": [ { "api_endpoint": { "methods": [ "ANY" ] } } ] } }, "open_api_validation_rules": [ { "api_endpoint": { "methods": [ "ANY" ] }, "validation_mode": { "response_validation_mode_active": { "response_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] }, "validation_mode_active": { "request_validation_properties": [ "PROPERTY_QUERY_PARAMETERS" ] } } } ] } }, "auto_cert_info": { "auto_cert_state": "AutoCertDisabled" }, "blocked_clients": [ { "actions": [ "SKIP_PROCESSING_WAF" ] } ], "bot_defense": { "policy": { "javascript_mode": "ASYNC_JS_NO_CACHING", "js_insert_all_pages": { "javascript_location": "AFTER_HEAD" }, "js_insert_all_pages_except": { "javascript_location": "AFTER_HEAD" }, "js_insertion_rules": { "rules": [ { "javascript_location": "AFTER_HEAD" } ] }, "mobile_sdk_config": { "mobile_identifier": { "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ] } }, "protected_app_endpoints": [ { "flow_label": { "authentication": { "login": { "transaction_result": { "failure_conditions": [ { "status": "EmptyStatusCode" } ], "success_conditions": [ { "status": "EmptyStatusCode" } ] } } } }, "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "http_methods": [ "METHOD_ANY" ], "mitigation": { "block": { "status": "EmptyStatusCode" } }, "protocol": "BOTH", "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "web_mobile": { "mobile_identifier": "HEADERS" } } ] }, "regional_endpoint": "AUTO" }, "cert_state": "AutoCertDisabled", "ddos_mitigation_rules": [ { "ddos_client_source": { "country_list": [ "COUNTRY_NONE" ], "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } } } ], "enable_ip_reputation": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "https": { "tls_cert_options": { "tls_cert_params": { "tls_config": { "custom_security": { "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" } }, "use_mtls": { "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } }, "tls_inline_params": { "tls_certificates": [ { "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] } } ], "tls_config": { "custom_security": { "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" } }, "use_mtls": { "xfcc_options": { "xfcc_header_elements": [ "XFCC_NONE" ] } } } } }, "origin_pool": { "use_tls": { "default_session_key_caching": {}, "no_mtls": {}, "tls_config": { "custom_security": { "max_version": "TLS_AUTO", "min_version": "TLS_AUTO" } }, "use_host_header_as_sni": {}, "use_mtls": { "tls_certificates": [ { "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] } } ] }, "volterra_trusted_ca": {} } }, "policy_based_challenge": { "rule_list": { "rules": [ { "spec": { "arg_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "body_matcher": { "transformers": [ "LOWER_CASE" ] }, "cookie_matchers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "headers": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "http_method": { "methods": [ "ANY" ] }, "path": { "transformers": [ "LOWER_CASE" ] }, "query_params": [ { "item": { "transformers": [ "LOWER_CASE" ] } } ], "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ] } } } ] } }, "rate_limit": { "no_ip_allowed_list": {}, "no_policies": {}, "rate_limiter": { "period_multiplier": 0, "unit": "SECOND" } }, "state": "VIRTUAL_HOST_READY", "trusted_clients": [ { "actions": [ "SKIP_PROCESSING_WAF" ] } ], "waf_exclusion": { "waf_exclusion_inline_rules": { "rules": [ { "app_firewall_detection_control": { "exclude_attack_type_contexts": [ { "context": "CONTEXT_ANY", "exclude_attack_type": "ATTACK_TYPE_NONE" } ], "exclude_signature_contexts": [ { "context": "CONTEXT_ANY" } ], "exclude_violation_contexts": [ { "context": "CONTEXT_ANY", "exclude_violation": "VIOL_NONE" } ] }, "methods": [ "ANY" ] } ] } } }}Returned when operation is not authorized.
Examplegenerated
exampleReturned when there is no permission to access resource.
Examplegenerated
exampleReturned when resource is not found.
Examplegenerated
exampleReturned when operation on resource is conflicting with current value.
Examplegenerated
exampleReturned when operation has been rejected as it is happening too frequently.
Examplegenerated
exampleReturned when server encountered an error in processing API.
Examplegenerated
exampleReturned when service is unavailable temporarily.
Examplegenerated
exampleReturned when server timed out processing request.
Examplegenerated
example