
Create Virtual Host.

POST
/api/config/namespaces/{metadata.namespace}/virtual_hosts
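# Create a virtual host in namespace "example".
#
# Route (from the operation header above):
#   POST /api/config/namespaces/{metadata.namespace}/virtual_hosts
# The rendered sample URL carried an extra "/api/v1/api/production/us-east-1/namespaces/default"
# prefix that is not part of that route; it is dropped here. The namespace in the path must be
# the same as metadata.namespace in the body ("example" in both places).
#
# Authorization: replace <Authorization> with the tenant's API credential. The page does not
# state the header scheme, so confirm it against the tenant's API-credential documentation.
#
# NOTE(review): the payload below is a schema dump, not a deployable configuration. It sets
# every field, including mutually exclusive one-of choices (authentication vs. no_authentication,
# client_certificate_optional vs. client_certificate_required vs. no_client_certificate,
# enable_path_normalize vs. disable_path_normalize, js_challenge/captcha_challenge vs.
# no_challenge), and several values that must not be copied into a real object:
# "disable": true (creates the object administratively disabled), "skip_hostname_verification":
# true (disables hostname checks on upstream/client TLS validation), placeholder cipher_suites,
# TLS_AUTO for both protocol-version bounds, and "proxy": "UDP_PROXY" alongside HTTP-only
# options. Keep one choice per one-of and set the TLS validation fields deliberately.
curl --request POST \
  --url https://example-corp.console.ves.volterra.io/api/config/namespaces/example/virtual_hosts \
  --header 'Authorization: <Authorization>' \
  --header 'Content-Type: application/json' \
  --data '{ "metadata": { "annotations": {}, "description": "example", "disable": true, "labels": {}, "name": "example", "namespace": "example" }, "spec": { "add_location": true, "advertise_policies": [ { "name": "example", "namespace": "example" } ], "append_server_name": "example", "authentication": { "auth_config": [ { "name": "example", "namespace": "example" } ], "cookie_params": { "auth_hmac": { "prim_key": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "prim_key_expiry": "2026-04-15T12:00:00Z", "sec_key": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "sec_key_expiry": "2026-04-15T12:00:00Z" }, "cookie_expiry": 1, "cookie_refresh_interval": 1, "kms_key_hmac": {}, "session_expiry": 1 }, "redirect_dynamic": {}, "redirect_url": "example", "use_auth_object_config": {} }, "buffer_policy": { "disabled": true, "max_request_bytes": 1 }, "captcha_challenge": { "cookie_expiry": 1, "custom_page": "example" }, "coalescing_options": { "default_coalescing": {}, "strict_coalescing": {} }, "compression_params": { "content_length": 1, "content_type": [ "example" ], "disable_on_etag_header": true, "remove_accept_encoding_header": true }, "connection_idle_timeout": 1, "cors_policy": { "allow_credentials": true, "allow_headers": "example", "allow_methods": "example", "allow_origin": [ "example" ], "allow_origin_regex": [ "example" ], "disabled": true, "expose_headers": "example", "maximum_age": 1 }, "csrf_policy": { "all_load_balancer_domains": {}, "custom_domain_list": { "domains": [ "example" ] }, "disabled": {} }, "custom_errors": {}, "default_header": {}, "default_loadbalancer": {}, "disable_default_error_pages": true, "disable_dns_resolve": true, "disable_path_normalize": {}, 
"domains": [ "example" ], "dynamic_reverse_proxy": { "connection_timeout": 1, "resolution_network": [ { "name": "example", "namespace": "example" } ], "resolution_network_type": "VIRTUAL_NETWORK_SITE_LOCAL", "resolve_endpoint_dynamically": true }, "enable_path_normalize": {}, "http_protocol_options": { "http_protocol_enable_v1_only": { "header_transformation": { "default_header_transformation": {}, "legacy_header_transformation": {}, "preserve_case_header_transformation": {}, "proper_case_header_transformation": {} } }, "http_protocol_enable_v1_v2": {}, "http_protocol_enable_v2_only": {} }, "idle_timeout": 1, "js_challenge": { "cookie_expiry": 1, "custom_page": "example", "js_script_delay": 1 }, "max_request_header_size": 1, "no_authentication": {}, "no_challenge": {}, "non_default_loadbalancer": {}, "pass_through": {}, "proxy": "UDP_PROXY", "rate_limiter_allowed_prefixes": [ { "name": "example", "namespace": "example" } ], "request_cookies_to_add": [ { "name": "example", "overwrite": true, "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "request_cookies_to_remove": [ "example" ], "request_headers_to_add": [ { "append": true, "name": "example", "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "request_headers_to_remove": [ "example" ], "response_cookies_to_add": [ { "add_domain": "example", "add_expiry": "example", "add_httponly": {}, "add_partitioned": {}, "add_path": "example", "add_secure": {}, "ignore_domain": {}, "ignore_expiry": {}, "ignore_httponly": {}, "ignore_max_age": {}, "ignore_partitioned": {}, "ignore_path": {}, "ignore_samesite": {}, "ignore_secure": {}, "ignore_value": {}, 
"max_age_value": 1, "name": "example", "overwrite": true, "samesite_lax": {}, "samesite_none": {}, "samesite_strict": {}, "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "response_cookies_to_remove": [ "example" ], "response_headers_to_add": [ { "append": true, "name": "example", "secret_value": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "value": "example" } ], "response_headers_to_remove": [ "example" ], "retry_policy": { "back_off": { "base_interval": 1, "max_interval": 1 }, "num_retries": 1, "per_try_timeout": 1, "retriable_status_codes": [ 1 ], "retry_condition": [ "example" ] }, "routes": [ { "name": "example", "namespace": "example" } ], "sensitive_data_policy": [ { "name": "example", "namespace": "example" } ], "server_name": "example", "slow_ddos_mitigation": { "disable_request_timeout": {}, "request_headers_timeout": 1, "request_timeout": 1 }, "tls_cert_params": { "certificates": [ { "name": "example", "namespace": "example" } ], "cipher_suites": [ "example" ], "client_certificate_optional": {}, "client_certificate_required": {}, "maximum_protocol_version": "TLS_AUTO", "minimum_protocol_version": "TLS_AUTO", "no_client_certificate": {}, "validation_params": { "skip_hostname_verification": true, "trusted_ca": { "trusted_ca_list": [ { "name": "example", "namespace": "example" } ] }, "trusted_ca_url": "example", "verify_subject_alt_names": [ "example" ] }, "xfcc_header_elements": [ "XFCC_NONE" ] }, "tls_parameters": { "client_certificate_optional": {}, "client_certificate_required": {}, "common_params": { "cipher_suites": [ "example" ], "maximum_protocol_version": "TLS_AUTO", "minimum_protocol_version": "TLS_AUTO", 
"tls_certificates": [ { "certificate_url": "example", "custom_hash_algorithms": { "hash_algorithms": [ "INVALID_HASH_ALGORITHM" ] }, "description": "example", "disable_ocsp_stapling": {}, "private_key": { "blindfold_secret_info": { "decryption_provider": "example", "location": "example", "store_provider": "example" }, "clear_secret_info": { "provider": "example", "url": "https://example.com" } }, "use_system_defaults": {} } ], "validation_params": { "skip_hostname_verification": true, "trusted_ca": { "trusted_ca_list": [ { "name": "example", "namespace": "example" } ] }, "trusted_ca_url": "example", "verify_subject_alt_names": [ "example" ] } }, "no_client_certificate": {}, "xfcc_header_elements": [ "XFCC_NONE" ] }, "user_identification": [ { "name": "example", "namespace": "example" } ], "waf_type": { "app_firewall": { "app_firewall": [ { "name": "example", "namespace": "example" } ] }, "disable_waf": {}, "inherit_waf": {} }, "max_requests_per_connection": 1, "no_request_limit_per_connection": {} } }'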

Creates a virtual host in the given namespace.

Examples of this operation.

metadata.namespace
required
string

Namespace. This defines the workspace within which the configuration object is to be created. Must be in DNS_LABEL format. For a namespace object itself, the namespace value will be "".

Media typeapplication/json
CreateRequest is used to create an instance of virtual_host

This is the input message of the ‘Create’ RPC.

object
metadata
object
annotations
annotations

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.

object
description
description

Human readable description for the object.

string
>= 21 characters <= 1200 characters
disable
disable

A value of true will administratively disable the object.

boolean format: boolean
labels
labels

Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the user. Values specified here will be used by selector expression.

object
name
name

This is the name of configuration object. It has to be unique within the namespace. It can only be specified during create API and cannot be changed during replace API. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 6 characters <= 1024 characters
namespace
namespace

This defines the workspace within which the configuration object is to be created. Must be in DNS_LABEL format. For a namespace object itself, the namespace value will be "".

string
>= 6 characters <= 1024 characters
spec
object
add_location

X-example: true. When true, appends a location header (rendered on this page as `x-F5 Distributed Cloud-location`) to responses, whose value indicates the serving location. Note that this discloses serving-site information to every client that receives the response. This configuration is ignored on CE sites.

boolean format: boolean
advertise_policies

Advertise Policy allows you to define networks or sites where you want a VIP for this virtual host to be advertised. Each Policy rule can have different parameters, like TLS configuration, ports, optionally IP address to be used for VIP. If advertise policy is not specified then no VIP is assigned for this virtual host.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
append_server_name

Exclusive with [default_header pass_through server_name]. Specifies the value to be used for the Server header if it is not already present. If a Server header is already present it is not overwritten; it is passed through unchanged.

string
<= 8096 characters
authentication
object
auth_config
Authentication Object

Reference to Authentication Config Object

Required: YES.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
cookie_params
object
auth_hmac
object
prim_key
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be a URL in string:/// format, or a path when the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which the encrypted bytes are fetched. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which the secret bytes are fetched. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme the secret must be Base64 encoded; when the secret is requested, the caller gets the secret bytes after Base64 decoding. Required: YES. Note: Base64 is an encoding, not encryption — a secret supplied through clear_secret_info is stored in the object in recoverable form. Use blindfold_secret_info for secrets that must not be readable from the stored configuration.

string format: uri
<= 131072 characters
prim_key_expiry
HMAC Primary Key Expiry Time

Primary HMAC Key Expiry time

Required: YES.

string format: date-time
<= 1024 characters
sec_key
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be a URL in string:/// format, or a path when the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which the encrypted bytes are fetched. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which the secret bytes are fetched. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The only URL scheme currently supported is string:///. For the string:/// scheme the secret must be Base64 encoded; when the secret is requested, the caller gets the secret bytes after Base64 decoding. Required: YES. Note: Base64 is an encoding, not encryption — a secret supplied through clear_secret_info is stored in the object in recoverable form. Use blindfold_secret_info for secrets that must not be readable from the stored configuration.

string format: uri
<= 131072 characters
sec_key_expiry
HMAC Secondary Key Expiry Time

Secondary HMAC Key Expiry time

Required: YES.

string format: date-time
<= 1024 characters
cookie_expiry
cookie expiry

Specifies, in seconds, the maximum duration of the allocated cookie. This maps to the “Max-Age” attribute of the session cookie and acts as a client-side expiry, after which the client stops sending the cookie with requests. The default cookie expiry is 3600 seconds.

integer format: int64
cookie_refresh_interval
cookie refresh interval

Specifies in seconds refresh interval for session cookie. This is used to keep the active user active and reduce RE-login. When an incoming cookie’s session expiry is still valid, and time to expire falls behind this interval, RE-issue a cookie with new expiry and with the same original session expiry. Default refresh interval is 3000 seconds.

integer format: int64
kms_key_hmac
object
session_expiry
session expiry

Specifies in seconds max lifetime of an authenticated session after which the user will be forced to login again. Default session expiry is 86400 seconds(24 hours).

integer format: int64
redirect_dynamic
object
redirect_url
Redirect URL

Exclusive with [redirect_dynamic]

The URL, e.g. https://abc.xyz.com, to which the user is redirected. It must match exactly the redirect URL registered with the OIDC provider, so use a fixed, fully qualified URL rather than a prefix or pattern.

string
>= 1 characters <= 128 characters
use_auth_object_config
object
buffer_policy
object
disabled
disable

Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.

boolean format: boolean
max_request_bytes
max_request_bytes

The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response.

integer format: int64
captcha_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message must be Base64 encoded. You can specify the message as a Base64 encoded plain-text string, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as Base64, e.g. `<p> Please Wait </p>`, whose Base64 encoding is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”. The decoded content is returned to clients as the challenge page, so it should be static, trusted markup that is not built from request data.

string
<= 65536 characters
coalescing_options
object
default_coalescing
object
strict_coalescing
object
compression_params
object
content_length
content_length

Minimum response length, in bytes, which will trigger compression. The default value is 30.

integer format: int64
content_type
content_type

Set of strings specifying which MIME types are compressed. When this field is not set, compression is applied to the following MIME types: application/javascript, application/json, application/xhtml+xml, image/svg+xml, text/css, text/html, text/plain, text/xml. Note: compressing responses that echo attacker-controlled input alongside secrets (session identifiers, CSRF tokens) exposes a compression side channel (BREACH); exclude such content types where that applies.

Array<string>
<= 50 items
disable_on_etag_header
disable_on_etag_header

If true, disables compression when the response contains an etag header. When it is false, weak etags will be preserved and the ones that require strong validation will be removed.

boolean format: boolean
remove_accept_encoding_header
remove_accept_encoding_header

If true, removes accept-encoding from the request headers before dispatching the request to the upstream, so that responses do not get compressed before reaching the filter.

boolean format: boolean
connection_idle_timeout

The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. This is specified in milliseconds. The default value is 2 minutes.

integer format: int64
cors_policy
object
allow_credentials
allow_credentials

Specifies whether the resource allows credentials (the access-control-allow-credentials header). When true, keep allow_origin / allow_origin_regex to an explicit list of trusted origins: browsers reject a wildcard origin when credentials are allowed, and a broad match grants credentialed cross-origin access to every matching site.

boolean format: boolean
allow_headers
allow_headers

Specifies the content for the access-control-allow-headers header.

string
<= 1024 characters
allow_methods
allow_methods

Specifies the content for the access-control-allow-methods header.

string
<= 1024 characters
allow_origin
allow_origin

Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.

Array<string>
<= 128 items
allow_origin_regex
allow_origin_regex

Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match. Anchor each pattern to the full origin (scheme and host) and escape literal dots; an unanchored pattern such as example.com also matches https://example.com.attacker.net.

Array<string>
<= 16 items
disabled
disabled

Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.

boolean format: boolean
expose_headers
expose_headers

Specifies the content for the access-control-expose-headers header.

string
<= 1024 characters
maximum_age
maximum_age

Specifies the content for the access-control-max-age header, in seconds. This is the maximum number of seconds a preflight result can be cached. A value of -1 disables caching. Maximum permitted value is 86400 seconds (24 hours).

integer format: int32
csrf_policy
object
all_load_balancer_domains
object
custom_domain_list
object
domains
Domains

A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form. Required: YES.

Array<string>
>= 1 items <= 32 items
disabled
object
custom_errors

Map of integer error codes as keys and string values that can be used to provide custom HTTP pages for each error code. The key of the map can be either a response code class or an HTTP error code. Response code classes for the key are configured as follows: 3 — for the 3xx response code class, 4 — for the 4xx response code class, 5 — for the 5xx response code class. The value is a uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message must be Base64 encoded. You can specify the message as a Base64 encoded plain-text string, e.g. “Access Denied”, or as an HTML paragraph or body string encoded as Base64, e.g. `<p> Access Denied </p>`, whose Base64 encoding is “PHA+IEFjY2VzcyBEZW5pZWQgPC9wPg==”. A specific response code takes precedence when both a response code and a response code class match for a request. The decoded content is returned to clients as the error page, so it should be static, trusted markup that is not built from request data.

The configured custom errors are only applicable for loadbalancer generated errors. Errors returned from upstream server is propagated as is.

F5XC provides default error pages for the errors generated by the loadbalancer. Content of these pages are not editable. User has an option to disable the use of default F5XC error pages.

object
default_header
object
default_loadbalancer
object
disable_default_error_pages

An option to specify whether to disable using default F5XC error pages.

boolean format: boolean
disable_dns_resolve

Disable DNS resolution for domains specified in the virtual host

When the virtual host is configured as a Dynamic Reverse Proxy (DRP), disables DNS resolution for the configured domains. This configuration is suitable for an HTTP CONNECT proxy.

boolean format: boolean
disable_path_normalize
object
domains

A list of Domains (host/authority header) that will be matched to this Virtual Host. Wildcard hosts are supported in the suffix or prefix form

Supported Domains and search order:

  1. Exact Domain names: www.example.com.
  2. Domains starting with a Wildcard: *.example.com.

Not supported Domains:

  • Just a Wildcard: *
  • A Wildcard and TLD with no root Domain: *.com.
  • A Wildcard not matching a whole DNS label. E.g. *.example.com and *.bar.example.com are valid Wildcards however *bar.example.com, -bar.example.com, and bar.example.com are all invalid.

Additional notes: A Wildcard will not match empty string. E.g. *.example.com will match bar.example.com and baz-bar.example.com but not .example.com. The longest Wildcards match first. Only a single virtual host in the entire route configuration can match on *. Also a Domain must be unique across all virtual hosts within an advertise policy.

Domains are also used for SNI matching if the virtual host proxy type is TCP_PROXY_WITH_SNI or HTTPS_PROXY. Domains also indicate the list of names that the system will automatically resolve to IP addresses via DNS.

Array<string>
<= 33 items
dynamic_reverse_proxy
object
connection_timeout
connection_timeout

The timeout for new network connections to upstream server. This is specified in milliseconds. The default value is 2000 (2 seconds)

integer format: int64
resolution_network
resolution_network

Reference to virtual network where the endpoint is resolved. Reference is valid only when the network type is VIRTUAL_NETWORK_PER_SITE or VIRTUAL_NETWORK_GLOBAL. It is ignored for all other network types.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
resolution_network_type
string
default: VIRTUAL_NETWORK_SITE_LOCAL
Allowed values: VIRTUAL_NETWORK_SITE_LOCAL VIRTUAL_NETWORK_SITE_LOCAL_INSIDE VIRTUAL_NETWORK_PER_SITE VIRTUAL_NETWORK_PUBLIC VIRTUAL_NETWORK_GLOBAL VIRTUAL_NETWORK_SITE_SERVICE VIRTUAL_NETWORK_VER_INTERNAL VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE VIRTUAL_NETWORK_IP_AUTO VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK VIRTUAL_NETWORK_SRV6_NETWORK VIRTUAL_NETWORK_IP_FABRIC VIRTUAL_NETWORK_SEGMENT VIRTUAL_NETWORK_MANAGEMENT
resolve_endpoint_dynamically
Enable the dynamic resolution of the endpoint

X-example : true In this mode of proxy, virtual host will resolve the destination endpoint dynamically.

The dynamic resolution is done using a predefined field in the request. This predefined field depends on the ProxyType configured on the Virtual Host.

For HTTP traffic, i.e. with ProxyType HTTP_PROXY or HTTPS_PROXY, the virtual host takes the “Host” HTTP header from the request and performs DNS resolution on it to select the destination endpoint. Because the destination is derived from a client-supplied header, constrain what can be resolved (the `domains` list and the resolution network) so that the virtual host cannot be used to reach arbitrary internal endpoints.

For TCP traffic with SNI, (If the ProxyType is TCP_PROXY_WITH_SNI), virtual host will perform DNS resolution using the SNI.

The DNS resolution is performed in the virtual network selected by resolution_network_type / resolution_network (see above).

In both modes of operation(either using Host header or SNI), the DNS resolution could return multiple addresses. First IPv4 address from such returned list is used as endpoint for the request. The DNS response is cached for 60s by default.

boolean format: boolean
enable_path_normalize
object
http_protocol_options
object
http_protocol_enable_v1_only
object
header_transformation
object
default_header_transformation
object
legacy_header_transformation
object
preserve_case_header_transformation
object
proper_case_header_transformation
object
http_protocol_enable_v1_v2
object
http_protocol_enable_v2_only
object
idle_timeout

Idle timeout is the amount of time that the loadbalancer will allow a stream to exist with no upstream or downstream activity.

Idle timeout and Proxy Type:

HTTP_PROXY, HTTPS_PROXY: Idle timer is started when the first byte is received on the connection. Each time an encode/decode event for headers or data is processed for the stream, the timer will be reset. If the timeout fires, the stream is terminated with a 504 (Gateway Timeout) error code if no upstream response header has been received, otherwise a stream reset occurs. The default idle timeout is 30 seconds

TCP PROXY, TCP_PROXY_WITH_SNI, SMA_PROXY: The idle timeout is defined as the period in which there are no bytes sent or received on either the upstream or downstream connection. The default idle timeout is 1 hour.

UDP PROXY: The idle timeout for sessions. Idle timeout is defined as the period in which there are no datagrams sent or received on the session. The default if not specified is 1 minute.

integer format: int64
js_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message must be Base64 encoded. You can specify the message as a Base64 encoded plain-text string, e.g. “Please Wait..”, or as an HTML paragraph or body string encoded as Base64, e.g. `<p> Please Wait </p>`, whose Base64 encoding is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”. The decoded content is returned to clients as the challenge page, so it should be static, trusted markup that is not built from request data.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
max_request_header_size

The maximum request header size in KiB for incoming connections.

If un-configured, the default max request headers allowed is 60 KiB.

Requests that exceed this limit will receive a 431 response.

The max configurable limit is 96 KiB, based on current implementation constraints.

Note: a. This configuration parameter is applicable only for HTTP_PROXY and HTTPS_PROXY b. When multiple HTTP_PROXY virtual hosts share the same advertise policy, the effective “maximum request header size” for such virtual hosts is the highest value configured on any of the virtual hosts.

integer format: int64
no_authentication
object
no_challenge
object
non_default_loadbalancer
object
pass_through
object
proxy
string
Allowed values: UDP_PROXY SMA_PROXY DNS_PROXY ZTNA_PROXY UZTNA_PROXY
rate_limiter_allowed_prefixes

References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
request_cookies_to_add

Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied.

Array<object>
<= 32 items
CookieValueOption

Cookie name and value for cookie header.

object
name
name

Name of the cookie in Cookie header. Required: YES.

string
>= 6 characters <= 256 characters
overwrite
overwrite

Should the value be overwritten? If true, any existing value of the cookie is overwritten. The default is to not overwrite.

boolean format: boolean
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for the string:/// scheme, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently the only supported URL scheme is string:///. For the string:/// scheme, the secret must be Base64-encoded. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the Cookie header.

string
>= 3 characters <= 8096 characters
request_cookies_to_remove

List of keys of Cookies to be removed from the HTTP request being sent towards upstream.

Array<string>
<= 32 items
request_headers_to_add

Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied.

Array<object>
<= 32 items
HeaderManipulationOptionType

An HTTP header is a key-value pair. The name acts as the key of the HTTP header; the value acts as the data/value of the HTTP header. Example HTTP header: Host: user.F5 Distributed cloud.com. In the above example, Host is the name or key of the HTTP header and user.F5 Distributed cloud.com is its value.

object
append
append

Should the value be appended? If true, the value is appended to any existing values of the header. The default is to not append.

boolean format: boolean
name
name

Name of the HTTP header. Required: YES.

string
>= 6 characters <= 256 characters
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for the string:/// scheme, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently the only supported URL scheme is string:///. For the string:/// scheme, the secret must be Base64-encoded. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the HTTP header.

string
>= 3 characters <= 8096 characters
request_headers_to_remove

List of keys of Headers to be removed from the HTTP request being sent towards upstream.

Array<string>
<= 32 items
response_cookies_to_add

Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied.

Array<object>
<= 32 items
SetCookieValueOption

Cookie name and its attribute values in set-cookie header.

object
add_domain
add_domain

Exclusive with [ignore_domain] Add domain attribute.

string
>= 1 characters <= 256 characters
add_expiry
add_expiry

Exclusive with [ignore_expiry] Add expiry attribute.

string
<= 256 characters
add_httponly
object
add_partitioned
object
add_path
add_path

Exclusive with [ignore_path] Add path attribute.

string
<= 256 characters
add_secure
object
ignore_domain
object
ignore_expiry
object
ignore_httponly
object
ignore_max_age
object
ignore_partitioned
object
ignore_path
object
ignore_samesite
object
ignore_secure
object
ignore_value
object
max_age_value
add_max_age

Exclusive with [ignore_max_age] Add max age attribute.

integer format: int32
name
name

Name of the cookie in Cookie header. Required: YES.

string
>= 6 characters <= 256 characters
overwrite
overwrite

Should the value be overwritten? If true, any existing value of the cookie is overwritten. The default is to not overwrite.

boolean format: boolean
samesite_lax
object
samesite_none
object
samesite_strict
object
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for the string:/// scheme, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently the only supported URL scheme is string:///. For the string:/// scheme, the secret must be Base64-encoded. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [ignore_value secret_value] Value of the Cookie header.

string
>= 3 characters <= 8096 characters
response_cookies_to_remove

List of names of cookies to be removed from the HTTP response being sent towards downstream. The entire set-cookie header for each named cookie will be removed.

Array<string>
<= 32 items
response_headers_to_add

Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied.

Array<object>
<= 32 items
HeaderManipulationOptionType

An HTTP header is a key-value pair. The name acts as the key of the HTTP header; the value acts as the data/value of the HTTP header. Example HTTP header: Host: user.F5 Distributed cloud.com. In the above example, Host is the name or key of the HTTP header and user.F5 Distributed cloud.com is its value.

object
append
append

Should the value be appended? If true, the value is appended to any existing values of the header. The default is to not append.

boolean format: boolean
name
name

Name of the HTTP header. Required: YES.

string
>= 6 characters <= 256 characters
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for the string:/// scheme, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently the only supported URL scheme is string:///. For the string:/// scheme, the secret must be Base64-encoded. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the HTTP header.

string
>= 3 characters <= 8096 characters
response_headers_to_remove

List of keys of Headers to be removed from the HTTP response being sent towards downstream.

Array<string>
<= 32 items
retry_policy
object
back_off
object
base_interval
base_interval

Specifies the base interval between retries in milliseconds.

integer format: int64
max_interval
max_interval

Specifies the maximum interval between retries in milliseconds. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval.

integer format: int64
num_retries
num_retries

Specifies the maximum number of retries. Defaults to 1. There is no upper bound on the number of retries; an exponential back-off algorithm is used between each retry.

integer format: int64
per_try_timeout
per_try_timeout

Specifies a non-zero timeout per retry attempt, in milliseconds.

integer format: int64
retriable_status_codes
Retriable status Code

HTTP status codes that should trigger a retry in addition to those specified by retry_on.

Array<integer>
<= 16 items
retry_condition
retry_condition

Specifies the conditions under which a retry takes place. Retries can be triggered by different types of condition depending on application requirements, for example network failure, all 5xx response codes, or idempotent 4xx response codes.

The possible values are

“5xx” : Retry will be done if the upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout).

“gateway-error” : Retry will be done only if the upstream server responds with 502, 503 or 504 responses (Included in 5xx)

“connect-failure” : Retry will be done if the request fails because of a connection failure to the upstream server (connect timeout, etc.). (Included in 5xx)

“refused-stream” : Retry is done if the upstream server resets the stream with a REFUSED_STREAM error code (Included in 5xx)

“retriable-4xx” : Retry is done if the upstream server responds with a retriable 4xx response code. The only response code in this category is HTTP CONFLICT (409).

“retriable-status-codes” : Retry is done if the upstream server responds with any response code matching one defined in retriable_status_codes field

“reset” : Retry is done if the upstream server does not respond at all (disconnect/reset/read timeout.) Required: YES.

Array<string>
>= 1 items <= 7 items
routes

The list of routes that will be matched, in order, for incoming requests. The first route that matches will be used. Currently route object is redundant in case of TCP proxy but required. For TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts, the route object only specifies the cluster/weighted-cluster as route destination without any match condition. In other words, match condition in route object is ignored for TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts. Routes used for TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts cannot have DirectResponse or Redirect as actions.

Array<object>
<= 256 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference takes the form tenant/namespace/name for the public API and a Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of the selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
sensitive_data_policy

References to sensitive_data_policy objects.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference takes the form tenant/namespace/name for the public API and a Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of the selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
server_name

Exclusive with [append_server_name default_header pass_through] Specifies the value to be used for Server header inserted in responses. This will overwrite existing values if any for Server Header.

string
<= 8096 characters
slow_ddos_mitigation
object
disable_request_timeout
object
request_headers_timeout
Request Headers Timeout

The amount of time the client has to send only the headers on the request stream before the stream is cancelled. The default value is 10000 milliseconds. This setting provides protection against Slowloris attacks.

integer format: int64
request_timeout
Custom Timeout

Exclusive with [disable_request_timeout]

integer format: int64
tls_cert_params
object
certificates
certificates

Set of certificates

Required: YES.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference takes the form tenant/namespace/name for the public API and a Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of the selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
cipher_suites
cipher_suites

The following list specifies the supported cipher suites: TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384

If not specified, the default list TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 will be used. Note that this default contains only ECDHE key-exchange AEAD suites; supplying an explicit list is the only way the CBC and static-RSA (TLS_RSA_*) suites from the supported list are enabled.

Array<string>
client_certificate_optional
object
client_certificate_required
object
maximum_protocol_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
minimum_protocol_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
no_client_certificate
object
validation_params
object
skip_hostname_verification
skip_hostname_verification

When true, hostname verification is skipped, i.e. the CN/Subject Alt Name of the peer certificate is not matched against the connecting hostname.

boolean format: boolean
trusted_ca
object
trusted_ca_list
Root CA Certificate

Reference to Root CA Certificate.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference takes the form tenant/namespace/name for the public API and a Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of the selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
trusted_ca_url
trusted_ca_url

Exclusive with [trusted_ca] Inline Root CA Certificate.

string
<= 131072 characters
verify_subject_alt_names
verify_subject_alt_names

List of acceptable Subject Alt Names/CN in the peer’s certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer’s certificate.

Array<string>
xfcc_header_elements
XFCC Header

X-Forwarded-Client-Cert header elements to be set on mTLS-enabled connections. If none are defined, the header will not be added.

Array<string>
Allowed values: XFCC_NONE XFCC_CERT XFCC_CHAIN XFCC_SUBJECT XFCC_URI XFCC_DNS
tls_parameters
object
client_certificate_optional
object
client_certificate_required
object
common_params
object
cipher_suites
cipher_suites

The following list specifies the supported cipher suites: TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384

If not specified, the default list TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 will be used. Note that this default contains only ECDHE key-exchange AEAD suites; supplying an explicit list is the only way the CBC and static-RSA (TLS_RSA_*) suites from the supported list are enabled.

Array<string>
maximum_protocol_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
minimum_protocol_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
tls_certificates
tls_certificates

Set of TLS certificates.

Array<object>
TlsCertificateType

Handle to fetch certificate and key.

object
certificate_url
certificate_url

TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.

string
>= 1 characters <= 131072 characters
custom_hash_algorithms
object
hash_algorithms
Hash Algorithms

Ordered list of hash algorithms to be used.

Required: YES.

Array<string>
>= 1 items <= 4 items
Allowed values: INVALID_HASH_ALGORITHM SHA256 SHA1
description
description

Description for the certificate.

string
>= 21 characters <= 1024 characters
disable_ocsp_stapling
object
private_key
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for the string:/// scheme, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store from which to GET the encrypted bytes. This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently the only supported URL scheme is string:///. For the string:/// scheme, the secret must be Base64-encoded. When asked for this secret, the caller will GET the secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
use_system_defaults
object
validation_params
object
skip_hostname_verification
skip_hostname_verification

When true, hostname verification is skipped, i.e. the CN/Subject Alt Name of the peer certificate is not matched against the connecting hostname.

boolean format: boolean
trusted_ca
object
trusted_ca_list
Root CA Certificate

Reference to Root CA Certificate.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference takes the form tenant/namespace/name for the public API and a Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of the selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
trusted_ca_url
trusted_ca_url

Exclusive with [trusted_ca] Inline Root CA Certificate.

string
<= 131072 characters
verify_subject_alt_names
verify_subject_alt_names

List of acceptable Subject Alt Names/CN in the peer’s certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer’s certificate.

Array<string>
no_client_certificate
object
xfcc_header_elements
XFCC Header

X-Forwarded-Client-Cert header elements to be set on mTLS-enabled connections. If none are defined, the header will not be added.

Array<string>
Allowed values: XFCC_NONE XFCC_CERT XFCC_CHAIN XFCC_SUBJECT XFCC_URI XFCC_DNS
user_identification

A reference to user_identification object. The rules in the user_identification object are evaluated to determine the user identifier to be rate limited.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference takes the form tenant/namespace/name for the public API and a Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of the selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
waf_type
object
app_firewall
object
app_firewall
app_firewall

References to an Application Firewall configuration object

Required: YES.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference takes the form tenant/namespace/name for the public API and a Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of the selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
disable_waf
object
inherit_waf
object
max_requests_per_connection

Exclusive with [no_request_limit_per_connection] Sets the maximum number of requests a downstream client can send over a single connection to Envoy. Enter a value >=1 to define the request limit per connection.

integer format: int64
no_request_limit_per_connection
object

A successful response.

Media type: application/json
object
metadata
object
annotations
annotations

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.

object
description
description

Human readable description for the object.

string
>= 21 characters <= 1200 characters
disable
disable

A value of true will administratively disable the object.

boolean format: boolean
labels
labels

Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the user. Values specified here will be used by selector expression.

object
name
name

This is the name of configuration object. It has to be unique within the namespace. It can only be specified during create API and cannot be changed during replace API. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 6 characters <= 1024 characters
namespace
namespace

This defines the workspace within which the configuration object is to be created. Must be in DNS_LABEL format. For a namespace object itself, the namespace value will be "".

string
>= 6 characters <= 1024 characters
spec
object
add_location

X-example: true Appends header x-F5 Distributed Cloud-location = in responses. This configuration is ignored on CE sites.

boolean format: boolean
advertise_policies

Advertise Policy allows you to define networks or sites where you want a VIP for this virtual host to be advertised. Each Policy rule can have different parameters, like TLS configuration, ports, optionally IP address to be used for VIP. If advertise policy is not specified then no VIP is assigned for this virtual host.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference takes the form tenant/namespace/name for the public API and a Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of the selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
append_server_name

Exclusive with [default_header pass_through server_name]. Specifies the value to use for the Server response header when the upstream response does not already carry one. If a Server header is already present it is passed through unchanged, not overwritten — so an upstream that advertises its software or version in Server will still disclose it to clients; use default_header if that is not wanted.

string
<= 8096 characters
authentication
object
auth_config
Authentication Object

Reference to Authentication Config Object

Required: YES.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
cookie_params
object
auth_hmac
object
prim_key
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is a uri_ref. It is either a URL with the string:/// scheme, or a path when the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that describes the store from which the encrypted bytes are fetched. This field is required only when the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The only URL scheme currently supported is string:///. With the string:/// scheme the secret must be Base64-encoded; when the secret is requested, the caller receives the secret bytes after Base64 decoding. Note that Base64 is an encoding, not encryption: a clear_secret_info value is stored in the configuration object as-is, so read access to this object should be treated as access to the HMAC key. Prefer blindfold_secret_info for keys that protect production sessions. Required: YES.

string format: uri
<= 131072 characters
prim_key_expiry
HMAC Primary Key Expiry Time

Primary HMAC Key Expiry time

Required: YES.

string format: date-time
<= 1024 characters
sec_key
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
sec_key_expiry
HMAC Secondary Key Expiry Time

Secondary HMAC Key Expiry time

Required: YES.

string format: date-time
<= 1024 characters
cookie_expiry
cookie expiry

Specifies, in seconds, the maximum lifetime of the issued cookie. This maps to the “Max-Age” attribute of the session cookie and acts as a client-side expiry: once it elapses the client stops sending the cookie with its requests. The default cookie expiry is 3600 seconds.

integer format: int64
cookie_refresh_interval
cookie refresh interval

Specifies, in seconds, the refresh interval for the session cookie. This keeps an active user logged in and reduces re-logins: when an incoming cookie’s session is still valid and the time remaining before the cookie expires is less than this interval, the cookie is re-issued with a new cookie expiry but the same original session expiry. The default refresh interval is 3000 seconds.

integer format: int64
kms_key_hmac
object
session_expiry
session expiry

Specifies in seconds max lifetime of an authenticated session after which the user will be forced to login again. Default session expiry is 86400 seconds(24 hours).

integer format: int64
redirect_dynamic
object
redirect_url
Redirect URL

Exclusive with [redirect_dynamic]

The URL (for example https://abc.xyz.com) to which the user is redirected after authentication. It must exactly match the redirect URL registered with the OIDC provider; providers normally reject a redirect URI that does not match a registered value, so a mismatch breaks the login flow.

string
>= 1 characters <= 128 characters
use_auth_object_config
object
auto_cert_error_msg

Last encountered error message during certificate minting process.

string
<= 1024 characters
auto_cert_info
object
auto_cert_expiry
Auto Cert Expiry Timestamp

Auto certificate expiry timestamp.

string format: date-time
<= 1024 characters
auto_cert_issuer
Auto Cert Issuer

Issuer of the auto certificate.

string
<= 1024 characters
auto_cert_state
string
default: AutoCertDisabled
Allowed values: AutoCertDisabled DnsDomainVerification AutoCertStarted DomainChallengePending DomainChallengeVerified AutoCertFinalize CertificateInvalid CertificateValid AutoCertNotApplicable AutoCertRateLimited AutoCertGenerationRetry AutoCertError PreDomainChallengePending DomainChallengeStarted AutoCertInitialize AutoCertAccountRateLimited AutoCertDomainRateLimited CertificateExpired
auto_cert_subject
Auto Cert Subject

Subject of the auto certificate.

string
<= 1024 characters
dns_records
DNS Records

DNS Records that are to be added by user in their DNS domain. Currently, this will be populated when auto certificates are desired but DNS delegation is not enabled.

Array<object>
DNSRecord

Defines a DNS record.

object
name
Name

Name of the DNS record.

string
>= 6 characters <= 1024 characters
type
Type

Type of the DNS record.

string
<= 1024 characters
value
Value

DNS record Value.

string
>= 3 characters <= 1024 characters
block
object
buffer_policy
object
disabled
disable

Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.

boolean format: boolean
max_request_bytes
max_request_bytes

The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response.

integer format: int64
captcha_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. With the string:/// scheme the message must be Base64-encoded. The message can be plain text, e.g. “Please Wait..”, or an HTML paragraph/body string, e.g. “<p> Please Wait </p>”, encoded as a Base64 string. The Base64-encoded string for that HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”. The content is served to clients verbatim, so restrict who may edit it.

string
<= 65536 characters
cdn_service
object
download_delivery
object
live_streaming
object
cdn_auth_token
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
dns_zones
DNS Zone refs

Internal reference to dns_zone object for internal cdnlb when caching is enabled for httplb.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
coalescing_options
object
default_coalescing
object
strict_coalescing
object
compression_params
object
content_length
content_length

Minimum response length, in bytes, which will trigger compression. The default value is 30.

integer format: int64
content_type
content_type

Set of strings that allows specifying which mime-types yield compression When this field is not defined, compression will be applied to the following mime-types: “application/javascript” “application/JSON”, “application/xhtml+XML” “image/svg+XML” “text/CSS” “text/HTML” “text/plain” “text/XML”

Array<string>
<= 50 items
disable_on_etag_header
disable_on_etag_header

If true, disables compression when the response contains an etag header. When it is false, weak etags will be preserved and the ones that require strong validation will be removed.

boolean format: boolean
remove_accept_encoding_header
remove_accept_encoding_header

If true, removes accept-encoding from the request headers before dispatching the request to the upstream, so that responses do not get compressed before reaching the filter.

boolean format: boolean
connection_idle_timeout

The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. This is specified in milliseconds. The default value is 2 minutes.

integer format: int64
cors_policy
object
allow_credentials
allow_credentials

Specifies whether the resource allows credentials.

boolean format: boolean
allow_headers
allow_headers

Specifies the content for the access-control-allow-headers header.

string
<= 1024 characters
allow_methods
allow_methods

Specifies the content for the access-control-allow-methods header.

string
<= 1024 characters
allow_origin
allow_origin

Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.

Array<string>
<= 128 items
allow_origin_regex
allow_origin_regex

Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex matches. Anchor each pattern to the full origin (scheme, host and port, e.g. ^https://app\.example\.com$): an unanchored pattern such as example\.com also matches https://example.com.attacker.test, and combined with allow_credentials that lets such an origin make credentialed cross-site requests.

Array<string>
<= 16 items
disabled
disabled

Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host.

boolean format: boolean
expose_headers
expose_headers

Specifies the content for the access-control-expose-headers header.

string
<= 1024 characters
maximum_age
maximum_age

Specifies the content for the access-control-max-age header, in seconds. This is the maximum number of seconds a preflight result may be cached. A value of -1 disables caching. The maximum permitted value is 86400 seconds (24 hours).

integer format: int32
csrf_policy
object
all_load_balancer_domains
object
custom_domain_list
object
domains
Domains

A list of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form. Required: YES.

Array<string>
>= 1 items <= 32 items
disabled
object
custom_errors

Map of integer error codes as keys and string values that can be used to provide custom HTTP pages for each error code. A key is either a response code class or an HTTP error code. Response code classes are configured as: 3 — for the 3xx class, 4 — for the 4xx class, 5 — for the 5xx class. The value is a uri_ref. The only URL scheme currently supported is string:///; with that scheme the message must be Base64-encoded. The message can be plain text, e.g. “Access Denied”, or an HTML paragraph/body string, e.g. “<p> Access Denied </p>”, encoded as a Base64 string. The Base64-encoded string for that HTML is “PHA+IEFjY2VzcyBEZW5pZWQgPC9wPg==”. A specific response code takes precedence when both a response code and its response code class match a request.

The configured custom errors are only applicable for loadbalancer generated errors. Errors returned from upstream server is propagated as is.

F5XC provides default error pages for the errors generated by the loadbalancer. Content of these pages are not editable. User has an option to disable the use of default F5XC error pages.

object
ddos_js_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. With the string:/// scheme the message must be Base64-encoded. The message can be plain text, e.g. “Please Wait..”, or an HTML paragraph/body string, e.g. “<p> Please Wait </p>”, encoded as a Base64 string. The Base64-encoded string for that HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
default_header
object
default_loadbalancer
object
disable_default_error_pages

An option to specify whether to disable using default F5XC error pages.

boolean format: boolean
disable_dns_resolve

Disable DNS resolution for domains specified in the virtual host

When the virtual host is configured as a Dynamic Resolve Proxy (DRP), disable DNS resolution for the configured domains. This configuration is suitable for an HTTP CONNECT proxy.

boolean format: boolean
disable_path_normalize
object
dns_info

DNS information for this virtual host.

Array<object>
DNS information

A message that contains DNS information for a given IP address.

object
ip_address
IP address

IP address associated with virtual host.

string
<= 1024 characters
domains

A list of Domains (host/authority header) that will be matched to this Virtual Host. Wildcard hosts are supported in the suffix or prefix form

Supported Domains and search order:

  1. Exact Domain names: www.example.com.
  2. Domains starting with a Wildcard: *.example.com.

Not supported Domains:

  • Just a Wildcard: *
  • A Wildcard and TLD with no root Domain: *.com.
  • A Wildcard not matching a whole DNS label. E.g. *.example.com and *.bar.example.com are valid Wildcards however *bar.example.com, -bar.example.com, and bar.example.com are all invalid.

Additional notes: A Wildcard will not match empty string. E.g. *.example.com will match bar.example.com and baz-bar.example.com but not .example.com. The longest Wildcards match first. Only a single virtual host in the entire route configuration can match on *. Also a Domain must be unique across all virtual hosts within an advertise policy.

Domains are also used for SNI matching if the virtual host proxy type is TCP_PROXY_WITH_SNI/HTTPS_PROXY Domains also indicate the list of names for which DNS resolution will be automatically resolved to IP addresses by the system.

Array<string>
<= 33 items
dynamic_reverse_proxy
object
connection_timeout
connection_timeout

The timeout for new network connections to upstream server. This is specified in milliseconds. The default value is 2000 (2 seconds)

integer format: int64
resolution_network
resolution_network

Reference to virtual network where the endpoint is resolved. Reference is valid only when the network type is VIRTUAL_NETWORK_PER_SITE or VIRTUAL_NETWORK_GLOBAL. It is ignored for all other network types.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
resolution_network_type
string
default: VIRTUAL_NETWORK_SITE_LOCAL
Allowed values: VIRTUAL_NETWORK_SITE_LOCAL VIRTUAL_NETWORK_SITE_LOCAL_INSIDE VIRTUAL_NETWORK_PER_SITE VIRTUAL_NETWORK_PUBLIC VIRTUAL_NETWORK_GLOBAL VIRTUAL_NETWORK_SITE_SERVICE VIRTUAL_NETWORK_VER_INTERNAL VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE VIRTUAL_NETWORK_IP_AUTO VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK VIRTUAL_NETWORK_SRV6_NETWORK VIRTUAL_NETWORK_IP_FABRIC VIRTUAL_NETWORK_SEGMENT VIRTUAL_NETWORK_MANAGEMENT
resolve_endpoint_dynamically
Enable the dynamic resolution of the endpoint

X-example : true In this mode of proxy, virtual host will resolve the destination endpoint dynamically.

The dynamic resolution is done using a predefined field in the request. This predefined field depends on the ProxyType configured on the Virtual Host.

For HTTP traffic, i.e. with ProxyType HTTP_PROXY or HTTPS_PROXY, the virtual host takes the “HOST” HTTP header from the request and performs DNS resolution on it to select the destination endpoint. Because the destination is chosen from a client-supplied value, a virtual host in this mode effectively acts as a forward proxy; restrict who can reach it (for example through the advertise policy) rather than exposing it to arbitrary clients.

For TCP traffic with SNI, (If the ProxyType is TCP_PROXY_WITH_SNI), virtual host will perform DNS resolution using the SNI.

The DNS resolution is performed in the virtual network specified by resolution_network_type or resolution_network.

In both modes of operation(either using Host header or SNI), the DNS resolution could return multiple addresses. First IPv4 address from such returned list is used as endpoint for the request. The DNS response is cached for 60s by default.

boolean format: boolean
enable_path_normalize
object
host_name

Internally generated host name to be used for the virtual host.

string
<= 1024 characters
http_protocol_options
object
http_protocol_enable_v1_only
object
header_transformation
object
default_header_transformation
object
legacy_header_transformation
object
preserve_case_header_transformation
object
proper_case_header_transformation
object
http_protocol_enable_v1_v2
object
http_protocol_enable_v2_only
object
idle_timeout

Idle timeout is the amount of time that the loadbalancer will allow a stream to exist with no upstream or downstream activity.

Idle timeout and Proxy Type:

HTTP_PROXY, HTTPS_PROXY: Idle timer is started when the first byte is received on the connection. Each time an encode/decode event for headers or data is processed for the stream, the timer will be reset. If the timeout fires, the stream is terminated with a 504 (Gateway Timeout) error code if no upstream response header has been received, otherwise a stream reset occurs. The default idle timeout is 30 seconds

TCP PROXY, TCP_PROXY_WITH_SNI, SMA_PROXY: The idle timeout is defined as the period in which there are no bytes sent or received on either the upstream or downstream connection. The default idle timeout is 1 hour.

UDP PROXY: The idle timeout for sessions. Idle timeout is defined as the period in which there are no datagrams sent or received on the session. The default if not specified is 1 minute.

integer format: int64
js_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. With the string:/// scheme the message must be Base64-encoded. The message can be plain text, e.g. “Please Wait..”, or an HTML paragraph/body string, e.g. “<p> Please Wait </p>”, encoded as a Base64 string. The Base64-encoded string for that HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
js_script_delay
js_script_delay

Delay introduced by Javascript, in milliseconds.

integer format: int64
l7_ddos_action_default
object
l7_ddos_captcha_challenge
object
cookie_expiry
cookie_expiry

Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge.

integer format: int64
custom_page
custom_page

Custom message is of type uri_ref. The only URL scheme currently supported is string:///. With the string:/// scheme the message must be Base64-encoded. The message can be plain text, e.g. “Please Wait..”, or an HTML paragraph/body string, e.g. “<p> Please Wait </p>”, encoded as a Base64 string. The Base64-encoded string for that HTML is “PHA+IFBsZWFzZSBXYWl0IDwvcD4=”.

string
<= 65536 characters
max_request_header_size

The maximum request header size in KiB for incoming connections.

If un-configured, the default max request headers allowed is 60 KiB.

Requests that exceed this limit will receive a 431 response.

The max configurable limit is 96 KiB, based on current implementation constraints.

Note: a. This configuration parameter is applicable only for HTTP_PROXY and HTTPS_PROXY b. When multiple HTTP_PROXY virtual hosts share the same advertise policy, the effective “maximum request header size” for such virtual hosts is the highest value configured on any of the virtual hosts.

integer format: int64
no_authentication
object
no_challenge
object
non_default_loadbalancer
object
not_ready
object
pass_through
object
proxy
string
Allowed values: UDP_PROXY SMA_PROXY DNS_PROXY ZTNA_PROXY UZTNA_PROXY
rate_limiter_allowed_prefixes

References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ready
object
request_cookies_to_add

Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied.

Array<object>
<= 32 items
CookieValueOption

Cookie name and value for cookie header.

object
name
name

Name of the cookie in Cookie header. Required: YES.

string
>= 6 characters <= 256 characters
overwrite
overwrite

Should the value be overwritten? If true, the value replaces any existing value of the cookie. The default is not to overwrite (an existing cookie is left as sent by the client).

boolean format: boolean
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the Cookie header.

string
>= 3 characters <= 8096 characters
request_cookies_to_remove

List of keys of Cookies to be removed from the HTTP request being sent towards upstream.

Array<string>
<= 32 items
request_headers_to_add

Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied.

Array<object>
<= 32 items
HeaderManipulationOptionType

An HTTP header is a key-value pair: the name is the key of the header and the value is its data. Example header: Host: user.example.com — here Host is the name (key) of the header and user.example.com is its value.

object
append
append

Should the value be appended? If true, the value is appended to any existing values of the header (the header may then appear with multiple values). The default is not to append.

boolean format: boolean
name
name

Name of the HTTP header. Required: YES.

string
>= 6 characters <= 256 characters
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded Base64 format. When asked for this secret, caller will GET Secret bytes after Base64 decoding. Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the HTTP header.

string
>= 3 characters <= 8096 characters
request_headers_to_remove

List of keys of Headers to be removed from the HTTP request being sent towards upstream.

Array<string>
<= 32 items
response_cookies_to_add

Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied.

Array<object>
<= 32 items
SetCookieValueOption

Cookie name and its attribute values in set-cookie header.

object
add_domain
add_domain

Exclusive with [ignore_domain] Add domain attribute.

string
>= 1 characters <= 256 characters
add_expiry
add_expiry

Exclusive with [ignore_expiry] Add expiry attribute.

string
<= 256 characters
add_httponly
object
add_partitioned
object
add_path
add_path

Exclusive with [ignore_path] Add path attribute.

string
<= 256 characters
add_secure
object
ignore_domain
object
ignore_expiry
object
ignore_httponly
object
ignore_max_age
object
ignore_partitioned
object
ignore_path
object
ignore_samesite
object
ignore_secure
object
ignore_value
object
max_age_value
add_max_age

Exclusive with [ignore_max_age] Add max age attribute.

integer format: int32
name
name

Name of the cookie in Cookie header. Required: YES.

string
>= 6 characters <= 256 characters
overwrite
overwrite

Should the value be overwritten? If true, the value overwrites any existing values. Default value is do not overwrite.

boolean format: boolean
samesite_lax
object
samesite_none
object
samesite_strict
object
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for string:///, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The only currently supported URL scheme is string:///. For the string:/// scheme, the secret must be encoded in Base64 format; when asked for this secret, the caller will GET the secret bytes after Base64 decoding (Base64 is an encoding, not encryption, so the secret is held in clear). Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [ignore_value secret_value] Value of the Cookie header.

string
>= 3 characters <= 8096 characters
response_cookies_to_remove

List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed.

Array<string>
<= 32 items
response_headers_to_add

Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied.

Array<object>
<= 32 items
HeaderManipulationOptionType

HTTP header is a key-value pair. The name acts as the key of the HTTP header; the value acts as the data/value of the HTTP header. Example HTTP header: Host: user.F5 Distributed cloud.com. In the above example, Host is the name or key of the HTTP header, and user.F5 Distributed cloud.com is the value of the HTTP header.

object
append
append

Should the value be appended? If true, the value is appended to existing values. Default value is do not append.

boolean format: boolean
name
name

Name of the HTTP header. Required: YES.

string
>= 6 characters <= 256 characters
secret_value
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for string:///, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The only currently supported URL scheme is string:///. For the string:/// scheme, the secret must be encoded in Base64 format; when asked for this secret, the caller will GET the secret bytes after Base64 decoding (Base64 is an encoding, not encryption, so the secret is held in clear). Required: YES.

string format: uri
<= 131072 characters
value
value

Exclusive with [secret_value] Value of the HTTP header.

string
>= 3 characters <= 8096 characters
response_headers_to_remove

List of keys of Headers to be removed from the HTTP response being sent towards downstream.

Array<string>
<= 32 items
retry_policy
object
back_off
object
base_interval
base_interval

Specifies the base interval between retries in milliseconds.

integer format: int64
max_interval
max_interval

Specifies the maximum interval between retries in milliseconds. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval.

integer format: int64
num_retries
num_retries

Specifies the allowed number of retries. Defaults to 1. Retries can be done any number of times. An exponential back-off algorithm is used between each retry.

integer format: int64
per_try_timeout
per_try_timeout

Specifies a non-zero timeout per retry attempt, in milliseconds.

integer format: int64
retriable_status_codes
Retriable status Code

HTTP status codes that should trigger a retry in addition to those specified by retry_on.

Array<integer>
<= 16 items
retry_condition
retry_condition

Specifies the conditions under which a retry takes place. Retries can be triggered by different types of condition depending on application requirements, for example network failure, all 5xx response codes, idempotent 4xx response codes, etc.

The possible values are

“5xx” : Retry will be done if the upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout).

“gateway-error” : Retry will be done only if the upstream server responds with 502, 503 or 504 responses (Included in 5xx)

“connect-failure” : Retry will be done if the request fails because of a connection failure to the upstream server (connect timeout, etc.). (Included in 5xx)

“refused-stream” : Retry is done if the upstream server resets the stream with a REFUSED_STREAM error code (Included in 5xx)

“retriable-4xx” : Retry is done if the upstream server responds with a retriable 4xx response code. The only response code in this category is HTTP CONFLICT (409)

“retriable-status-codes” : Retry is done if the upstream server responds with any response code matching one defined in retriable_status_codes field

“reset” : Retry is done if the upstream server does not respond at all (disconnect/reset/read timeout.) Required: YES.

Array<string>
>= 1 items <= 7 items
routes

The list of routes that will be matched, in order, for incoming requests. The first route that matches will be used. Currently the route object is redundant in the case of a TCP proxy but is still required. For TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts, the route object only specifies the cluster/weighted-cluster as the route destination without any match condition; in other words, the match condition in the route object is ignored for TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts. Routes used for TCP_PROXY/TCP_PROXY_WITH_SNI/SMA_PROXY VirtualHosts cannot have DirectResponse or Redirect as actions.

Array<object>
<= 256 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
sensitive_data_policy

References to sensitive_data_policy objects.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
server_name

Exclusive with [append_server_name default_header pass_through] Specifies the value to be used for Server header inserted in responses. This will overwrite existing values if any for Server Header.

string
<= 8096 characters
slow_ddos_mitigation
object
disable_request_timeout
object
request_headers_timeout
Request Headers Timeout

The amount of time the client has to send only the headers on the request stream before the stream is cancelled. The default value is 10000 milliseconds. This setting provides protection against Slowloris attacks.

integer format: int64
request_timeout
Custom Timeout

Exclusive with [disable_request_timeout]

integer format: int64
state
string
default: VIRTUAL_HOST_READY
Allowed values: VIRTUAL_HOST_READY VIRTUAL_HOST_PENDING_VERIFICATION VIRTUAL_HOST_VERIFICATION_FAILED VIRTUAL_HOST_PENDING_DNS_DELEGATION VIRTUAL_HOST_PENDING_A_RECORD VIRTUAL_HOST_DNS_A_RECORD_ADDED VIRTUAL_HOST_INTERNET_NLB_PENDING_CREATION VIRTUAL_HOST_INTERNET_NLB_CREATION_FAILED
tls_cert_params
object
certificates
certificates

Set of certificates

Required: YES.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
cipher_suites
cipher_suites

The following list specifies the supported cipher suites: TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384

If not specified, the default list TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 will be used. Note that the default list contains only ECDHE (forward-secret) AEAD suites, whereas the full supported list above also includes CBC-mode and static-RSA (TLS_RSA_*) suites that do not provide forward secrecy; only add those when a legacy client requires them.

Array<string>
client_certificate_optional
object
client_certificate_required
object
maximum_protocol_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
minimum_protocol_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
no_client_certificate
object
validation_params
object
skip_hostname_verification
skip_hostname_verification

When true, hostname verification is skipped, i.e. the CN/Subject Alt Name of the certificate is not matched against the connecting hostname.

boolean format: boolean
trusted_ca
object
trusted_ca_list
Root CA Certificate

Reference to Root CA Certificate.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
trusted_ca_url
trusted_ca_url

Exclusive with [trusted_ca] Inline Root CA Certificate.

string
<= 131072 characters
verify_subject_alt_names
verify_subject_alt_names

List of acceptable Subject Alt Names/CN in the peer’s certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer’s certificate.

Array<string>
xfcc_header_elements
XFCC Header

X-Forwarded-Client-Cert header elements to be set on mTLS-enabled connections. If none are defined, the header will not be added.

Array<string>
Allowed values: XFCC_NONE XFCC_CERT XFCC_CHAIN XFCC_SUBJECT XFCC_URI XFCC_DNS
tls_parameters
object
client_certificate_optional
object
client_certificate_required
object
common_params
object
cipher_suites
cipher_suites

The following list specifies the supported cipher suites: TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384

If not specified, the default list TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 will be used. Note that the default list contains only ECDHE (forward-secret) AEAD suites, whereas the full supported list above also includes CBC-mode and static-RSA (TLS_RSA_*) suites that do not provide forward secrecy; only add those when a legacy client requires them.

Array<string>
maximum_protocol_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
minimum_protocol_version
string
default: TLS_AUTO
Allowed values: TLS_AUTO TLSv1_0 TLSv1_1 TLSv1_2 TLSv1_3
tls_certificates
tls_certificates

Set of TLS certificates.

Array<object>
TlsCertificateType

Handle to fetch certificate and key.

object
certificate_url
certificate_url

TLS certificate. Certificate or certificate chain in PEM format including the PEM headers. Required: YES.

string
>= 1 characters <= 131072 characters
custom_hash_algorithms
object
hash_algorithms
Hash Algorithms

Ordered list of hash algorithms to be used.

Required: YES.

Array<string>
>= 1 items <= 4 items
Allowed values: INVALID_HASH_ALGORITHM SHA256 SHA1
description
description

Description for the certificate.

string
>= 21 characters <= 1024 characters
disable_ocsp_stapling
object
private_key
object
blindfold_secret_info
object
decryption_provider
Decryption Provider

Name of the Secret Management Access object that contains information about the backend Secret Management service.

string
<= 1024 characters
location
Location

Location is the uri_ref. It can be in URL format for string:///, or it can be a path if the store provider is an HTTP/HTTPS location. Required: YES.

string
>= 4 characters <= 1024 characters
store_provider
Store Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
<= 1024 characters
clear_secret_info
object
provider
Provider

Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///.

string
>= 3 characters <= 1024 characters
url
URL

URL of the secret. The only currently supported URL scheme is string:///. For the string:/// scheme, the secret must be encoded in Base64 format; when asked for this secret, the caller will GET the secret bytes after Base64 decoding (Base64 is an encoding, not encryption, so the private key is held in clear). Required: YES.

string format: uri
<= 131072 characters
use_system_defaults
object
validation_params
object
skip_hostname_verification
skip_hostname_verification

When true, hostname verification is skipped, i.e. the CN/Subject Alt Name of the certificate is not matched against the connecting hostname.

boolean format: boolean
trusted_ca
object
trusted_ca_list
Root CA Certificate

Reference to Root CA Certificate.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
trusted_ca_url
trusted_ca_url

Exclusive with [trusted_ca] Inline Root CA Certificate.

string
<= 131072 characters
verify_subject_alt_names
verify_subject_alt_names

List of acceptable Subject Alt Names/CN in the peer’s certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer’s certificate.

Array<string>
no_client_certificate
object
xfcc_header_elements
XFCC Header

X-Forwarded-Client-Cert header elements to be set on mTLS-enabled connections. If none are defined, the header will not be added.

Array<string>
Allowed values: XFCC_NONE XFCC_CERT XFCC_CHAIN XFCC_SUBJECT XFCC_URI XFCC_DNS
type
string
default: VIRTUAL_SERVICE
Allowed values: VIRTUAL_SERVICE HTTP_LOAD_BALANCER API_GATEWAY TCP_LOAD_BALANCER PROXY CDN_LOAD_BALANCER NGINX_SERVER UDP_LOAD_BALANCER
user_identification

A reference to user_identification object. The rules in the user_identification object are evaluated to determine the user identifier to be rate limited.

Array<object>
<= 1 items
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
waf_type
object
app_firewall
object
app_firewall
app_firewall

References to an Application Firewall configuration object

Required: YES.

Array<object>
ObjectRefType

This type establishes a ‘direct reference’ from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name for the public API and Uid for the private API. This type of reference is called direct because the relation is explicit and concrete (as opposed to a selector reference, which builds a group based on the labels of selectee objects).

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
disable_waf
object
inherit_waf
object
max_requests_per_connection

Exclusive with [no_request_limit_per_connection] Sets the maximum number of requests a downstream client can send over a single connection to Envoy. Enter a value >=1 to define the request limit per connection.

integer format: int64
no_request_limit_per_connection
object
system_metadata
object
creation_timestamp
creation_timestamp

CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.

string format: date-time
<= 1024 characters
creator_class
creator_class

A value identifying the class of the user or service which created this configuration object.

string
<= 1024 characters
creator_id
creator_id

A value identifying the exact user or service that created this configuration object.

string
<= 1024 characters
deletion_timestamp
deletion_timestamp

DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.

Populated by the system when a graceful deletion is requested. Read-only.

string format: date-time
<= 1024 characters
finalizers
finalizers

Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.

Array<string>
initializers
object
pending
pending

Pending is a list of initializers that must execute in order before this object is initialized. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients.

Array<object>
InitializerType

Initializer is information about an initializer that has not yet completed.

object
name
name

Name of the service that is responsible for initializing this object.

string
>= 6 characters <= 1024 characters
result
object
code
code

Suggested HTTP return code for this status, 0 if not set.

integer format: int32
reason
reason

A human-readable description of why this operation is in the “Failure” status. If this value is empty there is no information available.

string
>= 27 characters <= 1024 characters
status
status

Status of the operation. One of: “Success” or “Failure”.

string
>= 17 characters <= 1024 characters
labels
labels

Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the operator or software. Values here can be interpreted by software (backend or frontend) to enable certain behavior, e.g. things marked as soft-deleted (restorable).

object
modification_timestamp
modification_timestamp

ModificationTimestamp is a timestamp representing the server time when this object was last modified.

string format: date-time
<= 1024 characters
object_index
object_index

Unique index for the object. Some objects need a unique integer index to be allocated for each object type. This field will be populated for all objects that need it and will be zero otherwise.

integer format: int64
owner_view
object
kind
kind

Kind of the view object.

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
uid
uid

UID of the view object.

string format: uuid
>= 36 characters <= 1024 characters
tenant
tenant

Tenant to which this configuration object belongs. The value for this is derived from the presented credentials.

string
>= 6 characters <= 1024 characters
uid
uid

Uid is the unique-in-time-and-space value for this object. It is generated by the server on successful creation of an object and is not allowed to change on the Replace API. The value is taken from the uid field of ObjectMetaType, if provided.

string format: uuid
>= 36 characters <= 1024 characters
Example
{
"spec": {
"auto_cert_info": {
"auto_cert_state": "AutoCertDisabled"
},
"dynamic_reverse_proxy": {
"resolution_network_type": "VIRTUAL_NETWORK_SITE_LOCAL"
},
"proxy": "UDP_PROXY",
"state": "VIRTUAL_HOST_READY",
"tls_cert_params": {
"maximum_protocol_version": "TLS_AUTO",
"minimum_protocol_version": "TLS_AUTO",
"xfcc_header_elements": [
"XFCC_NONE"
]
},
"tls_parameters": {
"common_params": {
"maximum_protocol_version": "TLS_AUTO",
"minimum_protocol_version": "TLS_AUTO",
"tls_certificates": [
{
"custom_hash_algorithms": {
"hash_algorithms": [
"INVALID_HASH_ALGORITHM"
]
}
}
]
},
"xfcc_header_elements": [
"XFCC_NONE"
]
},
"type": "VIRTUAL_SERVICE"
}
}

Returned when operation is not authorized.

Media typeapplication/json
string format: string
Examplegenerated
example

Returned when there is no permission to access resource.

Media typeapplication/json
string format: string
Examplegenerated
example

Returned when resource is not found.

Media typeapplication/json
string format: string
Examplegenerated
example

Returned when operation on resource is conflicting with current value.

Media typeapplication/json
string format: string
Examplegenerated
example

Returned when operation has been rejected as it is happening too frequently.

Media typeapplication/json
string format: string
Examplegenerated
example

Returned when server encountered an error in processing API.

Media typeapplication/json
string format: string
Examplegenerated
example

Returned when service is unavailable temporarily.

Media typeapplication/json
string format: string
Examplegenerated
example

Returned when server timed out processing request.

Media typeapplication/json
string format: string
Examplegenerated
example